Full Report
## Overview
Mark of the Web (MoTW) is a Windows feature that identifies files downloaded from the Internet and displays a security warning, as well as restricts the files to be executed with a warning message or in a protected mode. However, threat actors have been bypassing Mark of the Web (MoTW) in various ways, utilizing […]
Analysis Summary
# Vulnerability: Multiple Mark of the Web (MoTW) Bypass Flaws
## CVE Details
- CVE ID: CVE-2025-0411, CVE-2024-38217, CVE-2024-38213
- CVSS Score: Severity scores were not specified in the text for any of the CVEs.
- CWE: Not explicitly provided, but related to improper resource identification/handling.
## Affected Systems
- **Products:** Microsoft Windows, 7-Zip utility, WebDAV implementation.
- **Versions:**
  - **CVE-2025-0411 (7-Zip Bypass):** 7-Zip versions before 24.09.
  - **CVE-2024-38217 (LNK Stomping):** Windows systems (implied).
  - **CVE-2024-38213 (Copy2Pwn/WebDAV):** Windows systems referencing files from WebDAV shares.
- **Configurations:** Specific configurations are the methods of file transfer or handling (e.g., creating double-compressed archives, using specific shortcut naming conventions, or copying files from WebDAV shares).
## Vulnerability Description
The Mark of the Web (MoTW) feature in Windows applies an NTFS Alternate Data Stream (`Zone.Identifier`) to files downloaded from the internet, triggering security warnings or Protected View. Multiple vulnerabilities allow threat actors to bypass this mechanism, executing files without warnings:
1. **CVE-2025-0411 (7-Zip):** In versions prior to 24.09, the MoTW flag is not correctly propagated for files contained within *double-compressed* archives handled by 7-Zip.
2. **CVE-2024-38217 (LNK Stomping):** When a Windows shortcut (`.lnk`) file points to an executable with trailing characters (e.g., `program.exe.`), Windows modifies the path internally during saving, causing the MoTW to be stripped from the resulting shortcut entry.
3. **CVE-2024-38213 (Copy2Pwn):** Files copied directly from a WebDAV shared folder bypass the Windows Explorer process that typically applies the MoTW flag.
## Exploitation
- **Status:**
  - **CVE-2025-0411:** Exploited in the wild as a zero-day since September 2024, targeting Ukrainian organizations with malware like SmokeLoader.
  - **CVE-2024-38217:** Exploited by threat actors for years.
  - **CVE-2024-38213:** Exploited in actual attacks, such as the DarkGate campaign.
- **Complexity:** Implied to be Low-to-Medium given active exploitation by various threat actors.
- **Attack Vector:** Network (downloading via compressed files or WebDAV) and Local (interacting with shortcut files).
## Impact
- **Confidentiality:** High Potential (e.g., LummaStealer used in WebDAV attacks aims to steal sensitive data).
- **Integrity:** High Potential (Allows execution of arbitrary malicious code).
- **Availability:** Medium to High Potential (Malware execution leading to system compromise or disruption).
## Remediation
### Patches
- **CVE-2025-0411:** Update 7-Zip to version 24.09 or later.
- **CVE-2024-38217 & CVE-2024-38213:** Apply relevant cumulative/security updates from Microsoft that address these operating system handling flaws (specific patch version not listed).
### Workarounds
- Avoid opening suspicious files originating from compressed archives (especially nested ones).
- Refrain from copying files directly from WebDAV shares unless sources are fully trusted.
- Use specific naming conventions for LNK files to avoid triggering the stomping behavior, or rely on host-based detection mechanisms that do not solely depend on the MoTW flag.
## Detection
- **Indicators of Compromise:** Presence of malware such as SmokeLoader or LummaStealer following file access from unusual sources.
- **Detection Methods and Tools:** Monitoring for successful file execution that was not preceded by expected security warnings (SmartScreen or Protected View). Security software should be used to check file sources based on the MoTW property, although bypasses limit reliance on this single attribute. (Subscription to AhnLab TIP provides access to IOCs).
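The following script is an added example (not part of the AhnLab report or any of the referenced advisories) that shows what the `Zone.Identifier` stream described in the Vulnerability Description actually contains, and how a defender can audit it in the spirit of the Detection section: it parses the INI-style `[ZoneTransfer]` section, maps the `ZoneId` to its URL security zone, and flags files extracted from an Internet-marked archive that did not inherit a warning-level mark (the propagation failure described for nested 7-Zip archives). The stream contents and member names are constructed sample data; on an NTFS volume the real stream is read with `open(path + ":Zone.Identifier", "rb")`, which this offline example does not do.

```python
"""Parse and audit Mark of the Web (Zone.Identifier) stream contents.

Added example, not code from the report. Sample stream contents below are
constructed; on Windows/NTFS the real stream can be read with
open(path + ":Zone.Identifier", "rb").
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# URL security zone ids as written by Windows into the ZoneId field.
ZONE_NAMES = {
    0: "LocalMachine",
    1: "LocalIntranet",
    2: "TrustedSites",
    3: "Internet",
    4: "RestrictedSites",
}


@dataclass
class ZoneIdentifier:
    zone_id: int
    referrer_url: Optional[str] = None
    host_url: Optional[str] = None

    @property
    def zone_name(self) -> str:
        return ZONE_NAMES.get(self.zone_id, f"Unknown({self.zone_id})")

    @property
    def triggers_warning(self) -> bool:
        # SmartScreen / Protected View act on the Internet and Restricted zones.
        return self.zone_id >= 3


def parse_zone_identifier(raw: bytes) -> Optional[ZoneIdentifier]:
    """Parse the [ZoneTransfer] section; return None if it is absent or malformed."""
    text = raw.decode("utf-8", errors="replace")
    in_section = False
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "zonetransfer"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            fields[key.strip().lower()] = value.strip()
    if "zoneid" not in fields:
        return None
    try:
        zone_id = int(fields["zoneid"])
    except ValueError:
        return None
    return ZoneIdentifier(zone_id, fields.get("referrerurl"), fields.get("hosturl"))


def audit_extracted_files(archive_stream: Optional[bytes],
                          members: Dict[str, Optional[bytes]]) -> List[str]:
    """Return member names that lack a warning-level mark although the archive
    they were extracted from carried one.  `members` maps member name to the
    member's Zone.Identifier bytes, or None when the stream is missing."""
    parent = parse_zone_identifier(archive_stream) if archive_stream else None
    if parent is None or not parent.triggers_warning:
        return []  # archive itself was not marked; nothing to propagate
    missing = []
    for name, stream in members.items():
        zi = parse_zone_identifier(stream) if stream else None
        if zi is None or not zi.triggers_warning:
            missing.append(name)
    return missing


# Constructed sample: outer archive marked as an Internet download, with
# members that did and did not inherit the mark on extraction.
SAMPLE_ARCHIVE_STREAM = (
    b"[ZoneTransfer]\r\nZoneId=3\r\n"
    b"ReferrerUrl=https://example.invalid/\r\n"
    b"HostUrl=https://example.invalid/outer.zip\r\n"
)
SAMPLE_MEMBERS: Dict[str, Optional[bytes]] = {
    "readme.txt": b"[ZoneTransfer]\r\nZoneId=3\r\n",   # mark propagated
    "inner.zip": None,                                 # stream missing entirely
    "tool.exe": b"[ZoneTransfer]\r\nZoneId=1\r\n",     # Intranet zone: no warning
}

if __name__ == "__main__":
    zi = parse_zone_identifier(SAMPLE_ARCHIVE_STREAM)
    print("archive zone:", zi.zone_name, "from", zi.host_url)
    print("members missing MoTW:", audit_extracted_files(SAMPLE_ARCHIVE_STREAM, SAMPLE_MEMBERS))
```

The audit treats a missing stream and a below-Internet `ZoneId` the same way, because both result in no SmartScreen or Protected View prompt; that is the condition the Detection section describes as worth alerting on when the file's origin was a download.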
## References
- MITRE ATT&CK – Mark of the Web: hxxps://attack.mitre.org/techniques/T1553/005/
- Trend Micro Advisory (CVE-2025-0411): hxxps://www.trendmicro.com/en-us/research/25/a/cve-2025-0411-ukrainian-organizations-targeted.html
- Elastic Security (CVE-2024-38217): hxxps://www.elastic.co/security-labs/dismantling-smart-app-control
- Veriti Research (CVE-2024-38213): hxxps://www.veriti.ai/blog/veriti-research/cve-2024-38213