Right-to-Left Override (RTLO) Masquerading
Adversaries use the Right-to-Left Override (RTLO) character in filenames to disguise malicious files and trick users into executing them, leading to potential malware infection and system compromise.
The Right-to-Left Override (RTLO) character (U+202E) is a Unicode character that reverses the display order of text. Attackers exploit this character in filenames to disguise malicious executables, making them appear as benign file types (e.g., evil.pdf.exe displayed as evil.exe.pdf). This technique, known as RTLO masquerading, aims to deceive users into executing malware. This activity has been observed across various threat actors and campaigns, targeting Windows systems primarily. Detection of RTLO character usage is critical to preventing user execution of malicious payloads. This behavior has been observed as early as 2015 and continues to be relevant as of 2024.
Attack Chain
- The attacker crafts a malicious executable with a filename containing the RTLO character (e.g.,
evil.fdp.exe). - The attacker distributes the disguised file via a phishing email or compromised website.
- The user receives the file and, due to the RTLO character, sees the filename as
evil.exe.fdp, mistaking it for a PDF document. - The user double-clicks the disguised file, initiating its execution.
- The malicious executable runs with the user's privileges.
- The malware performs malicious actions, such as installing backdoors, stealing data, or encrypting files.
Impact
Successful exploitation leads to the execution of arbitrary code on the victim's machine, potentially resulting in data theft, system compromise, or ransomware infection. The impact can range from individual system infections to widespread organizational breaches. While precise victim counts are difficult to ascertain, RTLO masquerading remains a common social engineering tactic, affecting numerous users across various sectors.
Recommendation
- Deploy the Sigma rule "File with Right-to-Left Override Character (RTLO) Created/Executed" to your SIEM and tune for your environment, focusing on
file.pathandprocess.namefields. - Enable Sysmon process-creation and file-creation logging to provide the necessary data for the Sigma rule to function effectively.
- Educate users about the dangers of RTLO masquerading and encourage them to be cautious when opening files, especially those with unusual or reversed filenames.
Detection coverage 3
File Creation with Right-to-Left Override Character (RTLO)
mediumDetects creation of files with names containing the Right-to-Left Override (RTLO) character.
Process Execution with Right-to-Left Override Character (RTLO)
mediumDetects execution of processes with names containing the Right-to-Left Override (RTLO) character.
Process Command Line with Right-to-Left Override Character (RTLO)
mediumDetects process execution with command line containing the Right-to-Left Override (RTLO) character.
Detection queries are available on the platform. Get full rules →