T1036.002: Right-to-Left Override
Adversaries may abuse the right-to-left override (RTLO or RLO) character (U+202E) to disguise a string and/or file name to make it appear benign. RTLO is a non-printing Unicode character that causes the text that follows it to be displayed in reverse. For example, a Windows screensaver executable named March 25 \u202Excod.scr
will display as March 25 rcs.docx
. A JavaScript file named photo_high_re\u202Egnp.js
will be displayed as photo_high_resj.png
.
Adversaries may abuse the RTLO character as a means of tricking a user into executing what they think is a benign file type. A common use of this technique is with Spearphishing Attachment/Malicious File since it can trick both end users and defenders if they are not aware of how their tools display and render the RTLO character. Use of the RTLO character has been seen in many targeted intrusion attempts and criminal activity. RTLO can be used in the Windows Registry as well, where regedit.exe displays the reversed characters but the command line tool reg.exe does not by default.
Positive Technologies products that cover the technique
MaxPatrol SIEM knowledge base
mitre_attck_defense_evasion: PT-CR-2023: RTLO_Symbol_Usage: An attacker can use the RLO symbol to disguise the file name and make a user run this file
mitre_attck_defense_evasion: PT-CR-2024: ExtensionSpoofer_Usage: Possible use of the ExtensionSpoofer utility that allows changing the program icon and spoofing the program extension
mitre_attck_initial_access: PT-CR-2301: Suspicious_File_Creation_From_Messenger_or_Mail: A file with a suspicious extension was created on behalf of an instant messenger or email program, or malicious file activity was detected. This may indicate a phishing attack or malware being delivered to user's computer.
Detection
ID | DS0022 | Data source and component | File: File Metadata | Description | Monitor for common formats of RTLO characters within filenames such as \u202E, [U+202E], and %E2%80%AE. Defenders should also check their analysis tools to ensure they do not interpret the RTLO character and instead print the true name of the file containing it. |
---|