Among the many techniques employed by hackers to lure users into clicking on a malicious file, the “Right-to-Left Override” or RLO attack is an interesting form of obfuscation. It is designed to masquerade the file extension in order to trick unsuspecting users. If you couple this with changing the file icon of an executable or bat file to say a pdf, it will add to the illusion of authenticity.
What is Right-to-Left Override?
The Right-to-Left Override uses a Unicode character to change the direction of the rendered text. Specifically, the Unicode character U+202E is used to display all the characters that follow its placement within the text, in reverse order. For example, adding the Unicode character in the right location of a bat file named My-Secret-fdp.bat, will make the file name appear as a pdf file called My-Secret-tab.pdf.
Building a test executable
There are many ways to create an executable but in this example, we will setup the initial file using the JPS virus maker tool. This is only for demonstration purposes and was done within the EC-Council’s online lab environment. After starting the process, select a few innocent changes, like disabling Notepad,
Click the right arrow in the middle to go to the second page and select “PDF Icon” and “Create Virus”. Then click Exit.
In the directory where it was saved, you will see a Server.exe application listed with a pdf icon,
Now, bring up the Character Map tool, click Advanced view and in Go to Unicode, enter and search for 202E. Click Select and Copy.
Open a command prompt and navigate to the location where you created the file. This is also so you can see what the file name looks like within the terminal window,
Rename the Server.exe file by typing New_Building_Ann and then paste the U202E character followed by fdp.exe. If copied correctly, you will see it represented as a square with a question mark in the middle.
Now return back to the file explorer to see how it is represented,
View the file Properties and you can still see it listed as an executable,
After it was executed on a test virtual machine that was afterwards deleted, I verified that notepad would not start,
Final Thoughts
Remember, this should only be done in a lab environment for training purposes, so as to make admins and users aware of this particular technique. Although most email systems will block RTLO attachments and any XDR product will recognize and potentially stop it from executing, it can still be a concern if someone dropped it on a file share after getting internal access. Many companies may even allow internal mail relays where it could be trivial to forge an email from the inside to point to such a “document” on the file share.
Even though the Right-to-Left Override method has been around for many years, it is still not widely known among users and even admins. Because it is relatively obscure, this type of attack will continue to be used in the future and will probably morph into new deliverable forms.
The Network Logician 