So you’ve probably opened a zip file this week. And what if I told you that the zip file, specifically 7-Zip, is being used to bypass Windows protections because of an old flaw that was being exploited and was recently found? Well, Russian criminals are using it and you could be next. Find out why, find out how.
And as well, malicious Go packages are also being used, and they’re harder to detect because they’re taking advantage of the caching system. Let’s dive into the details on this episode. Today we are facing an unprecedented array of data breaches, hacking attempts, and surges in digital crime. Why is there such a widespread amount, and how little is noticed in our everyday lives?
Malware, dark sites, brute forcing, zero-days, script kiddies, and nation-state hackers are all on the rise. Learn more about the threats we face and gain a bit more knowledge than yesterday. Hey guys, welcome back to another episode of Exploit Brokers. I’m your host, Cipherceval. If you could please do me a favor and hit that like, subscribe, and bell notification icon if you’re on YouTube.
And if you’re on a platform like Spotify or Apple Podcasts, if you could do me a favor and give us five stars if you think we deserve it. Doing so definitely helps the channel, helps me, and I’d greatly appreciate it. With that, let’s jump into it. So we have two articles that I want to discuss with you today.
They’re both by The Hacker News. Let’s go ahead and jump to the first one: “Russian Cybercrime Groups Exploit 7-Zip Flaw to Bypass Windows MOTW Protections.” So before I jump into this, I like to give a little bit of context. And I think there’s some context that should be given here, specifically 7-Zip, in case you haven’t used it.
Say maybe you’re just using the built-in Windows, uh, zip and unzip functionality, or maybe you’re on Linux and you’re using the command line. 7-Zip is a different kind of zip. It’s a 7-Zip versus just a straight zip or like a raw file. Well, it’s also a different executable. It’s a different piece of software.
Most people don’t necessarily have it installed, but just like a lot of other software, once you install it, most people don’t update it. So if you have 7-Zip, this is your sign to go and update it. Now, the MOTW, Mark of the Web, protections are a Windows mechanism that is in place to essentially mark whenever a file has been downloaded from the Internet.
And the reason this is important, right? If you download something, you don’t want your system or your computer to automatically try to open or run it right away, because that’s where you get some malicious stuff happening. Well, there are some interesting things we’re going to talk about, specifically the CVE and how that’s being used.
And it’s allowing the criminals a way to bypass that MOTW protection, which some of you may know as that little pop-up that’s like, “Hey, you downloaded this file. We should try to do more with it before you run it.” So to start off: “A recently patched security vulnerability in the 7-Zip archiver tool was exploited in the wild to deliver the SmokeLoader malware.”
If you guys have been around the channel before, the SmokeLoader malware is a malware that we’ve seen specifically with the Russian, uh, hacker groups or the Advanced Persistent Threat groups from Russia. And it’s used pretty heavily right now against the Ukrainian conflict. Now, the flaw, CVE-2025-0411, has a score of 7.0, which is pretty high, and allows remote attackers to circumvent Mark of the Web (MOTW) protections and execute arbitrary code in the context of the current user.
It was addressed by 7-Zip in November 2024 with version 24.09. So if your version is less than 24.09, I would strongly encourage and urge you to go download the newest and latest to try to get this patched. Now, arbitrary code execution is kind of like the, let’s call it the golden goose of any kind of hacking event.
If you can execute remote code on a remote server, in this case, your computer, then you are able to do more things. You’re able to download things. You’re able to run different things. Depending on the privilege that’s going on, you can even inject things into the registry, steal stuff. There’s so much havoc that you can wreak by having these kinds of privileges to execute something.
What’s essentially being done here is that the vulnerability is being used against the user. “The vulnerability was actively exploited in spear-phishing campaigns using homoglyph attacks to spoof document extensions and trick users and the Windows operating system into executing malicious files,” Trend Micro security researcher Peter Girnus said.
So whenever we’re talking about spear phishing, that is a much more specialized approach to phishing. Phishing is generally you hit everyone everywhere all of the time; spear phishing is a bit more concentrated. You’re targeting a specific company. You’re targeting a specific group of individuals. It is much less a general campaign than it is something more directed. So it is suspected that the CVE was likely weaponized to target governmental and non-governmental organizations in Ukraine as part of a cyber espionage campaign set against the backdrop of the ongoing Russo-Ukrainian conflict.
So it’s no secret to the world that Russia and Ukraine are in this kind of conflict. But this is something we’re seeing here, right? Where Ukraine has certain kinds of guerrilla tactics, uh, we are seeing Russia pull out different kinds of stops. Now, MOTW is a security feature implemented… I will kind of save you that because I just explained it, but suffice it to say MOTW is something that has been very beneficial for Windows.
CVE-2025-0411 bypasses MOTW, or Mark of the Web, by double archiving contents using 7-Zip, i.e., creating an archive and then an archive of the archive to conceal the malicious payloads. So whenever you think about zipping a file or 7-zipping a file, right? You have either one file or a folder with a bunch of files.
And when you zip it, it gets compressed into a .zip or .7z. And there’s even like .rar, which is WinRAR. And there’s more than that, right? There’s Linux, like gzip and a few of those. Um, but those are compressed files that are not the normal file that you would have had before.
Now this compressed file is generally used because it’ll save storage, save transmission costs, network costs, et cetera. “The root cause of CVE-2025-0411 is that prior to version 24.09, 7-Zip did not properly propagate MOTW protections to the contents of double encapsulated archives,” Girnus explained.
“This allowed threat actors to craft archives containing malicious scripts or executables that will not receive MOTW protections, leaving Windows users vulnerable to attacks.” So whenever you download a file, the MOTW marks it as Mark of the Web, downloaded from the web. The double zipping would then make it so that the MOTW wouldn’t be propagated to the secondary zip, right?
So you get file A, file A becomes A.zip, and then you zip that again. So it’s A2.zip, and A2.zip holds A.zip, which then holds the file. Well, the Mark of the Web should be getting propagated to all children of the 7-Zip or of any zip archive. And because it’s not, you leave room, or 7-Zip left room, for an attacker to let their payload not be marked as Mark of the Web, even though the parent itself was marked.
So if you want to think about it in terms of like infection and stuff: if the parent is infected, then the child should be infected. In this case, the child, or the child file, is not infected. And this is problematic because it still hasn’t been scanned. It hasn’t been checked. Hasn’t been anything.
There’s just a vulnerability that allowed it to avoid having that mark passed down. “Attacks leveraging the flaw as a zero-day were first detected in the wild on September 25th, 2024, with the infection sequences leading to SmokeLoader, a loader malware that has been repeatedly used to target Ukraine.”
So SmokeLoader, if you guys have been around for a little bit, or if you haven’t, please go check out my other episodes. SmokeLoader is a loader. I know, by the name, but it’s a loader that’s been used quite often recently. A loader is any kind of malicious software, or any software, that will install and bring in other stuff.
So think like loading in a different kind of module, something like a cookie stealer or like the main malware itself. A loader is just kind of a stepping stone that loads in something else. And the reason loaders are generally used is to avoid detection, to avoid it being scanned, and it’s lighter weight.
If you think about different kinds of RATs or different kinds of Trojans, there are multiple configurations they can have. And not only that, but the more packages and the more modules you put on, the bigger the footprint. The bigger the footprint, the more likely it’s going to be to get suspected.
If you have a very small payload, a very small script, then it’s easier to bypass different things. And if you’re talking about a loader specifically, right? The code in it is not specifically malicious. It’s meant to download another file, which we see with installers, which we see with web browsers, which we see with a lot of different things.
I mean, every app probably has a way to download the configuration file or to download updates, et cetera. So if you’re talking about something that downloads from another server, that in itself is not malicious. Where it does become malicious is the payload it’s downloading. Well, the interesting part is that when you are downloading stuff, your web browser or your antivirus may be scanning the initial file that gets run, but depending on how the loader is built, it might be able to bypass some of that initial scanning.
“The starting point is a phishing email that contains a specially crafted archive that in turn employs a homoglyph attack to pass off the inner zip archive as a Microsoft Word document file, effectively triggering the vulnerability.” One major flaw that Windows has is that it relies on the file extension to understand what kind of file it is.
On Linux, you have a command-line command known as just “file”, and file allows it to look at the first initial parts of the file, the bytes, and figure out what kind of file it is. Is it a text file? Is it a binary file? Is it an ELF executable? And Windows doesn’t do that. Windows tends to trust the extension.
So if I was to get a PNG and rename it to .doc, it’ll complain, but it’ll let you do it. So then when you try to open it, well, it looks corrupted, but in reality, it’s a PNG file. If you were to take that same whatever-picture.doc and put it into Linux and run file on it, it’ll be able to read the first bytes and determine that no, this is actually a PNG file format, not a document file.
And that is one of the major flaws that I find with Windows, is that it tends to trust the extension. When you’re able to make files look like different kinds of files, you get this weird capability where you can then make it look like something else. The phishing email specifically is from another entity that is trusted, right?
So the phishing messages, per Trend Micro, were sent from email addresses associated with Ukrainian governing bodies and business accounts to both municipal organizations and businesses, suggesting prior compromise. So in order for phishing campaigns to kind of succeed, you either need users who are very gullible,
or the ability to give more credibility to the attacking email, or the email from the attacker. In this case, because they’re coming from a compromised source, there’s not a very easy way to determine, “Hey, this email was comp…” if you’re not actively talking to the person in question, if this is a random email from a governing body that you trust.
So, you know, think whatever governing body sends you an email. It’s gonna be somewhat easy to trust. Now granted, you can spoof, but let’s forget about spoofing for a minute. But if this government entity that you have some faith in sends you an email, you’re gonna open it and see what it is, right? If Health and Human Services in the US, for example, sends you an email saying, “Hey, your local medical records were exposed.
You need to go check this out.” Okay, well, you’re more likely to trust that than some random Gmail account. “The use of the compromised email accounts lends an air of authenticity to the emails sent to targets, manipulating potential victims into trusting the content and their senders.” Again, you have the human aspect of it: because they came from compromised accounts, it’s easier to just trust it.
Now getting back into kind of the technical part, the approach leads to the execution of an internet shortcut .url file present within the zip archive, which points to an attacker-controlled server hosting another zip file. The newly downloaded zip contains the SmokeLoader executable that’s disguised as a PDF document.
Here’s where there isn’t a lot of information on The Hacker News website. I tried to do some digging and I got some stuff. So to the best of my knowledge, this is what’s happening. Whenever you download that file, uh, or the zip that’s been zipped again, then you unzip it and the inner one contains a shortcut file.
The inner one, the inner executable or internet shortcut file, was not given the Mark of the Web. So you already have something that’s running that no longer contains the Mark of the Web, which is where the zero-day is coming in. Then that reaches out, downloads another file, which looks like a PDF document, but it’s a SmokeLoader executable that’s been also archived.
Well, that one gets unarchived, and because the thing that downloaded it didn’t have Mark of the Web, then this other thing doesn’t have Mark of the Web. And then you’re able to kind of just escalate it from there. The SmokeLoader is then able to get run at some point after you decompressed it. And now you already have your entry into the system and you’ve downloaded whatever modules or other malicious payloads you need.
Now, at least 9 Ukrainian government entities and other organizations have been assessed to be impacted by the campaign, including the Ministry of Justice, Kyiv Public Transportation Service, Kyiv Water Supply Company, and City Council. In light of the exploitation, it’s recommended to update. So, here’s where I kind of will stop reading the article, and there are just some key points that I want to talk about.
We are seeing zip archive attacks. We are seeing different kinds of smuggling and different kinds of bypass methods happening. This one’s interesting because the Mark of the Web is something that’s supposed to be beneficial. And I do think it’s beneficial, but because 7-Zip didn’t respect it, I think people get a little bit comfortable with having Windows be like, “Oh, well, hey, this file was downloaded,” when in reality, you should always be skeptical of every file that you download, whether you
know for a fact where it came from or not. Um, granted, if it’s your file or if it’s coming from a colleague and you’re expecting it, or from a family member, okay, that’s fine. But in general, whenever downloading any kind of file from the internet or anything that isn’t controlled by you, you have to take it as a potential threat.
Now, something the article touches on, but I won’t go back into it, is that a lot of the time, the smaller organizations, the smaller government entities, are overlooked, less cyber savvy, and more exposed to hacking. And I do find that to be true. If you think about the government entities that get hacked,
it’s generally not the big players, right? It’s not the three-letter agencies in the US. It’s not the executive branch. It’s not the financial branch. They do get hacked. But I feel like more often than not, you have these smaller government entities. Think local government. Think a city council. Think a small government whose purview is regional or city-based or sometimes even a district within a city within a region,
or a county, et cetera, or sometimes state level. And it’s interesting because yeah, if you think about talent and about hiring, you’re not going to have the super dedicated cybersecurity professionals available for every single municipal government. You’re going to have a lot of good and talented people out there.
Sure. But a lot of talented people might go with the big letter agency or might go with the bigger government jobs because of the pay, or they could go private sector or researcher, et cetera. Right. And then you have the cybersecurity people that are just barely coming in and they’re learning a bunch of things.
You have the old guard, which might be in corporate, et cetera. There are a million reasons. But when you think about hiring in general, there are tons of municipalities and tons of places that could use very good cybersecurity talent. And even then, say you have some of the best cybersecurity talent.
This affects all users of the organization. If the organization is not prioritizing cybersecurity, which, let’s face it, a small municipal government who is probably slightly or majorly underfunded with a bunch of things to do and not enough time in the day to do it, then security is going to take a backseat.
And that’s just something I see, right? Larger government organizations and entities tend to be more well established and well resourced and funded and have better manpower and generally more ways to mitigate some of these things. The smaller governments might be using older systems, older equipment, not sufficient enough training, and their people might not be as tech savvy as the upper ones because they can’t pay as well because they’re more municipal and local.
Not always, but those are observations I’ve seen. So with that, the first article is done. Let’s go ahead and jump into the next one. So another article by The Hacker News: “Malicious Go Package Exploits Module Mirror Caching for Persistent Remote Access.” So let’s give a little bit of background. Whenever you’re talking about, and this doesn’t apply just to Go, but whenever you’re talking about any kind of package or any kind of library or anything that a piece of software can bring in, you’re talking about somebody else’s code.
There is no magic formula. It’s just somebody else’s code that’s been nicely packaged into something you can import. Now, Go has packages, C# has NuGet, C has libraries, etc., etc., etc. But all of these are just pieces of code that have been compiled and put into some kind of library that you can then download and import and pull stuff into your code from.
The problem with this is that the world is very big and there are a lot of things like typosquatting. There are a lot of things like infected, uh, packages that are using different namings and just the trust of developers. And then you have stuff like supply chain attacks and other things. But even with all that, the benefits of a module or of a package or of a library far exceed the risk, because
if you’re trying to reinvent the wheel every single time, not only are you going to get it wrong a lot of the time across multiple developers, but then you’re wasting time and resources when there are other problems you could be solving. Do you really need to recreate the same library a million times if it’s already been created and already been tested and verified that it works?
No, no, you don’t. So, with that, “cybersecurity researchers have called attention to a software supply chain attack targeting the Go ecosystem that involves a malicious package capable of granting the adversary remote access to infected systems.” So, whenever you think of a supply chain attack, right, you’re essentially vulnerable to whoever or whatever you bring into your software.
Even as an IT organization, or any kind of organization, the software you bring in is just as much of a vulnerability as anything else can be. If you’re not properly securing your servers, that’s one vulnerability. If your developers are downloading things and there are no security scanners or there’s no, uh, no kind of way to vet different packages, then you do open yourself up to a potential pwnage.
“The package, named github.com/boltdb-go/bolt, is a typosquat of the legitimate BoltDB database module,” per Socket. “The malicious version 1.3.1 was published to GitHub in November 2021, following which it was cached indefinitely by the Go Module Mirror service.” The Go Module Mirror service being a service that creates a copy of this package for use in multiple places.
“Once installed, the backdoored package grants the threat actor remote access to the infected system, allowing them to execute arbitrary commands.” What’s probably happening is there’s a function or something that always gets run in this package or this module, and that one phones home to some server and sends up a remote,
uh, like a reverse shell, a reverse shell being instead of you remoting into a server and accessing it, the server rings you and then gives you access to it. Socket said the development marks one of the earliest instances of a malicious actor abusing the Go Module Mirror’s indefinite caching of modules to trick users into downloading the package.
Subsequently, the attacker is said to have modified the git tags in the source repository in order to redirect them to the benign version. So, in computer science, in software engineering, in programming, there are a lot of known hard problems to solve. And one of them is cache validation, or invalidation.
And the problem is that a cache is meant to speed up lookups, right? If you’re caching something, then the hope is that the cache is substantially faster than the thing you’re trying to access it from. So, a memory cache is going to be faster than a database disk cache. And a database disk cache should in theory be faster than tape.
And tape should be faster than a punch card. And so on and so forth. Well, because of caching, you don’t always know when the cache is no longer valid. You have to maintain that cache, right? So, if you have updated information, in theory, you should be breaking your cache and letting it get rebuilt the next time it’s used,
or periodically breaking and rebuilding it. There are multiple approaches, and each of them has pros and cons. We’re not going to talk about that today. “The deceptive…” Now I’m going to jump back into it. Oh, actually, before I jump back into it, the other part that I found interesting is they were changing the git tags in the source repository.
Now you may be wondering, why does that matter? Well, they’re essentially playing a little bit of sleight of hand. The module, or the deployed-out version of the library, is infected. It has the malicious piece of code that will pwn you. And then they’re swapping out all the different things on GitHub to make it look like the benign version.
And the reason that’s bad, right? If you’re triaging some kind of infection, you’re triaging something and you go to the website, the GitHub of this specific module, through code, well, there won’t ever be anything because it’s already been updated to include this other thing, and yet the indefinite cache has this malicious copy stored away for everyone to use, which goes back to the cache problem, right?
You have this cache that doesn’t know when it should be broken. In this case, whenever that GitHub was updated, in theory, that cache should have been broken and the package rebuilt and deployed out. Now, “the deceptive approach ensured that a manual audit of the GitHub repository did not reveal any malicious content, while the caching mechanism and the unsuspecting developers installing the package using the Go CLI (command-line interface) continued to download the backdoored variant.”
So, this kind of goes back to knowing what you’re using, right? There’s stuff like the software bill of materials that was trying to be passed. Everyone thinks they have the best way. But ultimately, this is one of the problems that comes down to the developers, more than the security team, more than IT; this comes down to the developers.
Be sure of what you’re using, be sure that it’s repeatable, be sure it’s not a typo or a typosquatted thing, be sure that there’s enough background behind it that you know what you’re using. This still doesn’t guarantee that you won’t get hacked. Nothing is hack-proof. I’ve said it before and I’ll say it again.
Nothing is hack-proof, but make it as hard as possible. Really, you want the hackers to really have to work to get in and pwn your system. Now, there is kind of a little bit more detail, but that’s kind of the rough, like, most of the article, right? Ultimately, it’s vetting their stuff and being careful with this, and then it’s just interesting.
This kind of thing we see happen with npm, although they, I don’t believe npm has the indefinite caching mechanism. Um, and we see stuff with npm. We see stuff with C#. I believe NuGet packages have the same issue. Anywhere there’s a package that can be downloaded, it’ll probably get abused, because developers don’t always want to reinvent the wheel, and developers honestly shouldn’t be reinventing the wheel most of the time. But guys, I want to thank you for tuning in.
This has been your host Cipherceval. So of all, and I’ll see you in the next one.
Note: This is a transcript of the episode.
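Added example for the 7-Zip segment, not code from the episode or from the Trend Micro write-up: a defensive inspector that walks a zip and every zip nested inside it and flags the traits the host describes (archive-in-archive nesting, an extension spelled with look-alike non-ASCII letters, an extension that disagrees with the file's magic bytes, and a .url Internet shortcut hidden in an archive). The sample archives, file names and the signature table are constructed for the example; the ".doс" name uses Cyrillic U+0441 as its last letter.

```python
# Added example (not the episode's or the article's code): inspect nested zip
# archives for the traits described in the 7-Zip / MOTW discussion. Everything
# below is constructed in memory; no real payload is involved.
import io
import unicodedata
import zipfile

# Magic-byte signatures used to infer the real type independent of the extension.
SIGNATURES = [
    (b"PK\x03\x04", "zip"),
    (b"%PDF", "pdf"),
    (b"MZ", "exe"),
    (b"[InternetShortcut]", "url"),
]
# Extensions that legitimately carry each detected type. Office files are zip
# containers, so a .docx is expected to sniff as "zip"; nesting alone is a
# signal to look closer, not a verdict.
EXPECTED = {
    "zip": {".zip", ".docx", ".xlsx", ".pptx", ".jar"},
    "pdf": {".pdf"},
    "exe": {".exe", ".dll", ".scr"},
    "url": {".url"},
}


def sniff(data: bytes) -> str:
    # Return the type implied by the leading bytes, or "unknown".
    for magic, kind in SIGNATURES:
        if data.startswith(magic):
            return kind
    return "unknown"


def extension(name: str) -> str:
    # Lower-cased extension of the last path component, "" if there is none.
    base = name.rsplit("/", 1)[-1]
    return base[base.rfind("."):].lower() if "." in base else ""


def has_homoglyph(ext: str) -> bool:
    # A Latin-looking extension written with non-ASCII letters (Cyrillic "с" in
    # ".doс") renders like ".doc" but is a different string to the OS.
    return any(ord(c) > 127 and unicodedata.category(c).startswith("L") for c in ext)


def inspect_archive(data: bytes, path: str = "<root>", depth: int = 0) -> list:
    """Walk a zip and every zip nested inside it; return human-readable findings."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            content = zf.read(info)
            ext, kind = extension(info.filename), sniff(content)
            where = f"{path}/{info.filename}"
            if has_homoglyph(ext):
                findings.append(f"homoglyph extension {ext!r}: {where}")
            if kind != "unknown" and ext not in EXPECTED[kind]:
                findings.append(f"extension {ext!r} but content is {kind}: {where}")
            if kind == "url":
                findings.append(f"internet shortcut inside archive: {where}")
            if kind == "zip":
                findings.append(f"nested archive at depth {depth + 1}: {where}")
                findings.extend(inspect_archive(content, where, depth + 1))
    return findings


def build_zip(entries: dict) -> bytes:
    # Build an in-memory zip from {name: bytes}; used only to construct samples.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample: the outer archive holds an inner archive named "Report.doс"
# (last letter is Cyrillic U+0441), and that inner archive carries a .url
# shortcut posing as a PDF. The URL is a placeholder on a reserved TLD.
SHORTCUT = b"[InternetShortcut]\r\nURL=http://example.invalid/next.zip\r\n"
SAMPLE = build_zip({"Report.do\u0441": build_zip({"Invoice.pdf": SHORTCUT})})
```

Running inspect_archive(SAMPLE) yields five findings: the homoglyph extension, the extension/content mismatch and the nested archive on the outer entry, then the mismatch and the shortcut on the inner entry. A clean archive such as build_zip({"notes.txt": b"hello"}) yields none.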
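Added example for the Go segment, not code from the episode or from Socket: a pre-build check that reads the require directives of a go.mod and compares each module path against an allowlist of vetted paths, reporting paths that are unvetted and, in particular, paths that are a small edit away from a vetted one, as github.com/boltdb-go/bolt is from github.com/boltdb/bolt. The allowlist, the go.mod text and the example.invalid module name are constructed for the example.

```python
# Added example (not the episode's or Socket's code): flag typosquat-looking
# module paths in a go.mod before anything is fetched from the module mirror.
# VETTED and GO_MOD are constructed inputs for this example.
VETTED = {
    "github.com/boltdb/bolt",
    "golang.org/x/crypto",
    "github.com/stretchr/testify",
}

# Constructed go.mod: one vetted module, one typosquat, one unrelated new module.
GO_MOD = """module example.invalid/app

go 1.22

require (
\tgithub.com/boltdb/bolt v1.3.1
\tgithub.com/boltdb-go/bolt v1.3.1
\tgithub.com/somebody/newlib v0.1.0 // indirect
)
"""


def require_paths(go_mod: str) -> list:
    """Return module paths from single-line and block `require` directives."""
    paths = []
    in_block = False
    for raw in go_mod.splitlines():
        line = raw.split("//", 1)[0].strip()  # drop comments such as "// indirect"
        if not line:
            continue
        if line.startswith("require ("):
            in_block = True
            continue
        if in_block and line == ")":
            in_block = False
            continue
        if in_block:
            paths.append(line.split()[0])
        elif line.startswith("require "):
            paths.append(line.split()[1])
    return paths


def edit_distance(a: str, b: str) -> int:
    # Levenshtein distance, used to measure how close a path is to a vetted one.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_modules(go_mod: str, vetted: set, max_distance: int = 3) -> dict:
    """Map each unvetted path to ("possible typosquat", nearest) or ("unvetted", None)."""
    verdicts = {}
    for path in require_paths(go_mod):
        if path in vetted:
            continue
        nearest = min(vetted, key=lambda v: edit_distance(path, v))
        if edit_distance(path, nearest) <= max_distance:
            verdicts[path] = ("possible typosquat", nearest)
        else:
            verdicts[path] = ("unvetted", None)
    return verdicts
```

go.sum only pins the hash of whatever was fetched first, so it cannot catch a typosquat that the mirror served on the very first build; that is why a name check like this has to run before the fetch.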
Connect with us:
Newsletter: https://follow.exploitbrokers.com
Twitter: @ExploitBrokers
Medium: https://medium.com/@exploitbrokers
TikTok: https://www.tiktok.com/@exploitbrokers
References & Sources
- https://thehackernews.com/2025/02/malicious-go-package-exploits-module.html
- https://thehackernews.com/2025/02/russian-cybercrime-groups-exploiting-7.html