Masquerading: Right-to-Left Override

Adversaries may use the right-to-left override (RTLO or RLO) character (U+202E) as a means of tricking a user into executing what they think is a benign file type but is actually executable code. RTLO is a non-printing character that causes the text that follows it to be displayed in reverse.[1] For example, a Windows screensaver executable named March 25 \u202Excod.scr will display as March 25 rcs.docx. A JavaScript file named photo_high_re\u202Egnp.js will be displayed as photo_high_resj.png.

A common use of this technique is with Spearphishing Attachment/Malicious File since it can trick both end users and defenders if they are not aware of how their tools display and render the RTLO character. Use of the RTLO character has been seen in many targeted intrusion attempts and criminal activity.[2][3] RTLO can be used in the Windows Registry as well, where regedit.exe displays the reversed characters but the command line tool reg.exe does not by default.

ID: T1036.002
Sub-technique of:  T1036
Tactic: Defense Evasion
Platforms: Linux, Windows, macOS
Data Sources: File monitoring
Version: 1.0
Created: 10 February 2020
Last Modified: 29 March 2020

Procedure Examples

Name Description
BlackTech

BlackTech has used right-to-left-override to obfuscate the filenames of malicious e-mail attachments.[4]

BRONZE BUTLER

BRONZE BUTLER has used Right-to-Left Override to deceive victims into executing several strains of malware.[5]

Ke3chang

Ke3chang has used the right-to-left override character in spearphishing attachment names to trick targets into executing .scr and .exe files.[6]

Scarlet Mimic

Scarlet Mimic has used the left-to-right override character in self-extracting RAR archive spearphishing attachment file names.[7]

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

Detection

Detection methods should include looking for common formats of RTLO characters within filenames such as \u202E, [U+202E], and %E2%80%AE. Defenders should also check their analysis tools to ensure they do not interpret the RTLO character and instead print the true name of the file containing it.

References