02/04/2025 | News release | Distributed by Public on 02/04/2025 01:06
Once Платежное Поручение в iнозеной валюте.pdf.exe is executed, the SmokeLoader payload is also then executed, leading to malware infection and full system compromise.
Known Ukrainian organizations affected or targeted by the zero-day exploit
Based on the data we've uncovered, the following Ukrainian government entities and other organizations may have been directly targeted and/or affected by this campaign:
Note that this compilation of organizations impacted by the CVE-2024-0411 zero-day attack is not comprehensive; there is a significant likelihood that additional organizations may have been affected or targeted by the perpetrators.
It appears that some of the compromised email accounts may have been acquired from prior campaigns, and it is possible that newly compromised accounts will be incorporated into future operations. The use of these compromised email accounts lend an air of authenticity to the emails sent to targets, manipulating potential victims into trusting the content and their senders.
One interesting takeaway we noticed in the organizations targeted and affected in this campaign is smaller local government bodies. These organizations are often under intense cyber pressure yet are often overlooked, less cyber-savvy, and lack the resources for a comprehensive cyber strategy that larger government organizations have. These smaller organizations can be valuable pivot points by threat actors to pivot to larger government organizations.
Recommendations
To minimize the risks associated with CVE-2025-0411 and similar vulnerabilities, we recommend that organizations adhere to the following best practices:
Trend Vision One™
Trend Vision One™ is a cybersecurity platform that simplifies security and helps enterprises detect and stop threats faster by consolidating multiple security capabilities, enabling greater command of the enterprise's attack surface, and providing complete visibility into its cyber risk posture. The cloud-based platform leverages AI and threat intelligence from 250 million sensors and 16 threat research centers around the globe to provide comprehensive risk insights, earlier threat detection, and automated risk and threat response options in a single solution.
Trend Vision One Threat Intelligence
To stay ahead of evolving threats, Trend Vision One customers can access a range of Intelligence Reports and Threat Insights within Vision One. Threat Insights helps customers stay ahead of cyber threats before they happen and allows them to prepare for emerging threats by offering comprehensive information on threat actors, their malicious activities, and their techniques. By leveraging this intelligence, customers can take proactive steps to protect their environments, mitigate risks, and effectively respond to threats.
Hunting Queries
Trend Vision One customers can use the Search App to match or hunt the malicious indicators mentioned in this blog post with data in their environment.
malName:*SMOKELOADER* AND eventName:MALWARE_DETECTION AND LogType: detection
More hunting queries are available for Trend Vision One customers with Threat Insights Entitlement enabled.
Conclusion
It is important that everyone using 7-Zip update to 7-Zip version 24.09 immediately, especially since CVE-2025-0411 has been under active exploitation since at least September 2024, with PoC concepts existing as well.
The exploitation of CVE-2024-0411 signifies another instance of a zero-day vulnerability being used in the context of the ongoing cyber front of the Russo-Ukrainian conflict. This situation illustrates the dynamic nature of the current cyber conflict, particularly the employment of advanced zero-day deployment techniques, notably through homoglyph attacks.
To the best of our knowledge, this represents the first occasion in which a homoglyph attack has been integrated into a zero-day exploit chain, thereby elevating concerns regarding the progression of such attacks beyond traditional methods such as credential harvesting, phishing, and website spoofing.
Furthermore, this campaign highlights the need for organizations to enhance their cybersecurity training programs by incorporating an understanding of homoglyph attacks, especially in relation to files, file extensions, and zero-day exploitation rather than limiting the focus to web spoofing alone. The ZDI Threat Hunting team engages in proactive efforts to identify zero-day exploitation in the wild, therefore safeguarding organizations against real-world threats prior to vendor awareness.
We'll be back with more findings as we have them. Until then, you can follow the ZDI team on Twitter, Mastodon, LinkedIn, or Bluesky for the latest in exploit techniques and security patches.
Indicators of Compromise
The indicators of compromise for this entry can be found here.