Right-to-Left Override

Information

• Name: Right-to-Left Override

• ID: T1036.002

• Tactics: TA0005

• Technique: T1036

Introduction

The Right-to-Left Override (RTLO) sub-technique (T1036.002) is categorized under the "Masquerading" technique (T1036) within the MITRE ATT&CK framework. RTLO leverages Unicode characters designed to support languages written from right to left, such as Arabic or Hebrew, to disguise file names and extensions. Attackers exploit this Unicode control character to trick users into executing malicious files by visually reversing part of the filename, thus masking the real file type and misleading users into believing the file is safe.

Deep Dive Into Technique

The Right-to-Left Override technique exploits the Unicode character U+202E, which instructs the system to render subsequent characters from right to left. Attackers insert this Unicode character into filenames to obscure the actual file extension. For example, a filename like "Invoiceexe.doc" can become "Invoicedoc.exe" visually, misleading users into believing the file is a harmless Word document rather than an executable.

Technical steps involved:

• Attacker selects a malicious executable file (e.g., malware.exe).

• Attacker renames the file, inserting the Unicode RTLO character (U+202E) at a strategic point in the filename.

• The file extension visually reverses when displayed in Windows Explorer or other file browsers, deceiving users into believing it is a benign file type (e.g., "malwareexe.pdf" visually appears as "malwarefdp.exe").

• Users, unaware of the hidden extension, execute the malicious file, initiating the attacker's payload.

Real-world procedures typically involve:

• Email phishing campaigns delivering attachments disguised through RTLO.

• Malicious files distributed via social engineering, instant messaging, or file-sharing platforms.

• Malicious executables hidden as seemingly legitimate documents or media files.

When this Technique is Usually Used

The Right-to-Left Override sub-technique is predominantly observed in the following attack scenarios and stages:

• Initial Access Stage:

  • Phishing attacks delivering malicious attachments disguised as legitimate documents (e.g., invoices, resumes, reports).

  • Social engineering campaigns where attackers share files via messaging platforms or cloud storage services, deceiving users into downloading and executing malicious files.

• Execution Stage:

  • Attackers leverage RTLO to trick users into manually running malware disguised as legitimate files, initiating the execution phase.

• Persistence & Defense Evasion:

  • Attackers may use RTLO to maintain persistence by disguising malicious scripts or executables as harmless files, preventing users from identifying and removing threats.

Common scenarios include:

• Targeted phishing emails sent to corporate employees with disguised malicious attachments.

• Attacks against users unfamiliar with Unicode manipulation, increasing the likelihood of successful deception.

• Distribution of malware in public file-sharing forums or social media platforms, exploiting user trust.

How this Technique is Usually Detected

Detection of RTLO-based masquerading involves multiple layers of security measures, including:

• Endpoint Protection Solutions:

  • Antivirus and endpoint detection and response (EDR) products that specifically detect and alert on files containing Unicode RTLO characters in filenames.

  • Behavioral analysis modules that detect suspicious file execution patterns.

• Email Security Gateways:

  • Email filtering tools configured to detect and block attachments containing Unicode RTLO characters.

  • Analysis of attachment filenames and metadata for Unicode anomalies.

• Security Information and Event Management (SIEM) Systems:

  • Correlation rules and alerts configured to detect creation, download, or execution of files containing Unicode RTLO characters.

  • Monitoring logs for anomalies in filenames, especially those containing Unicode control characters.

• Manual Inspection and User Training:

  • Training users to recognize suspicious filenames or unexpected file types.

  • Regular audits of file repositories and storage systems for hidden RTLO filenames.

Specific Indicators of Compromise (IoCs) include:

• Filenames containing the Unicode RTLO character (U+202E).

• Suspicious file extensions visually reversed (e.g., ".cod.exe" appearing as ".exe.doc").

• Unusual file execution events correlating with filenames containing Unicode control characters.

• Email attachments flagged by security solutions due to Unicode anomalies.

Why it is Important to Detect This Technique

Early detection of the Right-to-Left Override technique is critical because of its potential impacts on systems and networks:

• User Deception and Malware Execution:

  • Users unknowingly executing malicious files can lead to malware infections, ransomware attacks, or data breaches.

• Bypassing User Awareness and Training:

  • RTLO significantly reduces the effectiveness of traditional user awareness training by visually deceiving users into believing malicious files are legitimate.

• Initial Access for Advanced Attacks:

  • RTLO is often employed as an initial entry vector, enabling attackers to establish footholds within networks, potentially leading to advanced persistent threats (APTs).

• Data Exfiltration and Espionage Risks:

  • Successful execution of disguised malware can result in unauthorized data exfiltration, espionage, or intellectual property theft.

• Reputation and Financial Damage:

  • Organizations suffering breaches due to RTLO-based attacks face potential regulatory fines, legal implications, and significant reputational harm.

Early detection and mitigation measures help organizations:

• Prevent initial malware execution and reduce attack surface.

• Minimize the risk of data breaches and unauthorized access.

• Strengthen overall security posture and resilience against social engineering attacks.

Examples

Real-world examples and attack scenarios involving Right-to-Left Override:

• Phishing Campaign Targeting Financial Institutions (2019):

  • Attackers sent emails containing attachments named "Invoiceexe.doc" with an embedded RTLO character, visually appearing as "Invoicedoc.exe".

  • Upon execution, the malicious executable installed banking trojans, capturing sensitive financial data and credentials.

• Ransomware Delivery via RTLO (2020):

  • Cybercriminals distributed ransomware disguised as PDF files ("Paymentfdp.exe" appeared as "Paymentpdf.exe") via email campaigns targeting corporate users.

  • Users who executed the disguised file inadvertently installed ransomware, causing widespread operational disruption and financial loss.

• APT Group Leveraging RTLO in Targeted Attacks (2021):

  • A state-sponsored threat group utilized RTLO to disguise malicious payloads as legitimate documents, targeting government officials and diplomats.

  • Successful execution resulted in espionage activities, data exfiltration, and persistent access to sensitive governmental networks.

Commonly used tools and methods include:

• Freely available Unicode manipulation tools and scripts to insert RTLO characters into filenames.

• Exploitation of standard email clients and file browsers that render filenames visually reversed, exploiting user trust.

• Malware families frequently delivered via RTLO include banking trojans (e.g., TrickBot, Emotet), ransomware variants (e.g., REvil, Locky), and remote access trojans (RATs).

Impacts of successful RTLO attacks:

• Compromise of sensitive data and credentials.

• Operational disruption due to ransomware infections.

• Persistent unauthorized access to critical systems and networks.

• Financial losses, regulatory penalties, and reputational damage.