A sophisticated cyberattack campaign has been identified targeting the First Ukrainian International Bank, utilizing the SmokeLoader malware to distribute infostealer payloads. This operation leverages weaponized 7z archive files as the initial attack vector, leading to a complex infection chain that culminates in the deployment of malicious software designed to steal sensitive information.
Initial Attack Vector: Weaponized 7z Archives
The attack begins with deceptive emails containing 7z archive files named ‘Платіжна_інструкция.7z’ (translated as ‘Payment_instruction’). Upon extraction, victims encounter a seemingly innocuous PDF document alongside a malicious shortcut file. This shortcut file initiates the infection sequence by retrieving additional components from remote servers, specifically at IP addresses 194.87.31.68 and 88.151.192.165.
Infection Mechanism: Emmenhtal Loader and SmokeLoader Malware
The infection mechanism employs a stealthy malware loader known as Emmenhtal, active since early 2024. Emmenhtal serves as the distribution mechanism for infostealers, including CryptBot and Lumma. In the current campaign, it is specifically chained with SmokeLoader malware.
When the victim opens the malicious shortcut file, it triggers a chain utilizing PowerShell and Mshta to download malicious code. The attack leverages a modified version of Windows’ built-in DCCW.exe (Display Color Calibration Wizard), exemplifying a Living Off the Land Binaries and Scripts (LOLBAS) technique that minimizes detection footprint.
The malicious HTA script contains obfuscated JavaScript that decodes to reveal additional PowerShell commands. The PowerShell component downloads two files: a lure PDF (invoce1202.pdf) and the SmokeLoader malware (putty1202.exe).
SmokeLoader Capabilities and Evasion Techniques
Once executed, SmokeLoader exhibits modular capabilities, including credential theft from browsers, remote command execution from its command-and-control (C2) server, and process injection techniques for evading detection and analysis. Analysis reveals the use of .NET Reactor for obfuscation, representing a shift from SmokeLoader’s historical use of other packers.
Exploitation of 7-Zip Vulnerability: CVE-2025-0411
The attackers exploit a vulnerability in the popular file archiver 7-Zip, tracked as CVE-2025-0411. This high-severity vulnerability (CVSS score: 7.0) allows attackers to bypass Windows’ Mark-of-the-Web (MoTW) security mechanism. MoTW is a critical feature that flags files downloaded from untrusted sources, enabling additional security checks by tools like Microsoft Defender SmartScreen and Microsoft Office Protected View.
The flaw arises because earlier versions of 7-Zip (before version 24.09) failed to propagate the MoTW flag to files extracted from nested archives. This oversight enables attackers to craft malicious archives that evade MoTW protections, allowing harmful scripts or executables to run without triggering security warnings.
Exploitation in the Wild
Russian cybercrime groups have weaponized the CVE-2025-0411 vulnerability, likely as part of cyberespionage campaigns amid the ongoing Russo-Ukrainian conflict. These groups have used spear-phishing emails to distribute double-archived malicious files.
A particularly deceptive technique employed is homoglyph attacks, where file extensions are spoofed using visually similar characters (e.g., replacing the Latin c with the Cyrillic Es) to trick users into believing the file is legitimate.
For example, attackers distributed an outer archive named Документи та платежи.7z (translated as Documents and Payments), containing an inner archive spoofed as a Microsoft Word document with an extension like Спiсок.doс. Upon extraction and execution of these files, SmokeLoader malware was deployed onto victim systems.
Mitigation Strategies
To protect against CVE-2025-0411 and similar threats, organizations should implement the following measures:
1. Update Software: Ensure all systems are running 7-Zip version 24.09 or later, which addresses this vulnerability.
2. Email Security: Deploy robust email filtering solutions to block spear-phishing attempts.
3. Employee Training: Educate employees on recognizing phishing emails and homoglyph attacks.
4. Restrict File Execution: Disable automatic execution of files from untrusted sources and enforce verification prompts.
5. Endpoint Protection: Use endpoint protection tools capable of identifying and blocking malicious file activity.
6. Network Monitoring: Look for unusual patterns indicative of malware communication with C2 servers.
Organizations must act swiftly to mitigate potential threats, especially given the sophisticated techniques employed by attackers in this campaign.
