The right-to-left override attack may look unassuming, but it is incredibly malicious. Most people have heard about phishing attacks, yet they assume that opening a file with the “.txt” extension is harmless.
What is a Right-to-Left Override Attack?
A right-to-left override (RTLO) attack takes advantage of user trust in text files by making an “.exe” executable appear to carry a “.txt” extension. An RTLO attack is a sophisticated phishing method that tricks users into thinking they are opening a harmless text file when they are actually opening a malicious executable. It is one of many ways ransomware authors get their malware installed on corporate computers.
The Right-to-Left Unicode Character
English speakers read left to right, but languages such as Arabic and Hebrew are read from right to left. Operating systems such as Windows must support global languages, including Arabic and Hebrew. By default, the operating system displays characters from left to right, but a special Unicode character tells the operating system to display characters from right to left when necessary.
The Unicode character that flips text from right to left is written as U+202E, and it can be copied and pasted from the Windows character map. Type “character map” in the Windows 10 search textbox to open it. Check “Advanced View” and type “202e” in the “Go to Unicode” textbox. You can then click “Copy” to copy the character to the clipboard and paste it into a document. It is a non-printing character, so you won’t see anything when you paste it into a file.
The easiest way to demonstrate the right-to-left Unicode character is to create a file name similar to the following:
Now, change the name of the file and add the Unicode right-to-left character in the file name, like the following:
Note that you can copy the character from the Windows character map to ensure that it’s entered properly. Next, open the file properties by right-clicking the file and selecting “Properties” from the context menu. In this window, the file name will now display as:
Notice that every character displayed after the Unicode character is shown in reverse order. It is this operating system feature that phishing attacks abuse to trick email systems into letting executables pass to a targeted user’s inbox and to trick users into executing malware on their systems.
How Right-to-Left Override Attacks Work with Phishing
Email is one of the most popular attack vectors for threat actors. Many of the biggest data breaches start with a phishing email. Phishing emails can be used to trick users into divulging sensitive data such as authentication credentials, or they can be used to trick users into executing malicious software. An RTLO attack works with the latter of these two types.
The problem for attackers is getting past email security controls. Most email clients and recipient servers block executable files. Some will even block zip files, but business email requires zip files to send multiple files in one attachment between employees and customers. Security scanners have a hard time inspecting zip files, and they cannot inspect zip files protected by a password at all. Attackers using RTLO leverage zip archives and occasionally password-protect them. The password is sent in the email message so that the targeted victim can open the archive.
Several executable files are used in malware attacks. A few file types include:
- .ps1 (PowerShell)
Most users know that a .txt file is harmless, so attackers use the text file extension to make users think that malicious files are harmless. Since the right-to-left Unicode character does not render a visible glyph on the screen, users do not realize that the file is really an executable and not a harmless text file.
Look at the file name below:
It looks like a harmless text file, but now add the Unicode right-to-left character:
The user does not see the Unicode character, because it is invisible, but the operating system still processes it. When the user double-clicks the file to open it, the file name actually resolves to:
The executable file runs, and any malware located in its code will run on the computer. If the file is a script, the script will run and execute commands, which could be anything from opening web pages to downloading malicious files from the internet. In some attack scenarios, malware such as ransomware is downloaded from the internet using scripts to avoid detection from email anti-malware systems.
Attackers take the malware executable file and zip it in an archive, which will then bypass email filters. Users open the zip archive, and then see a harmless text file, double-click it, and the payload is then delivered to the user’s desktop. In many attacks, Microsoft Office documents with malicious macros are used to download ransomware and install it on the user’s device.
Stopping RTLO Attacks
Many email clients will block RTLO attacks, but zip files with malicious executables slip through. Anti-malware software will also catch RTLO attacks, but users should be trained to look at file extensions and avoid opening files from strangers. However, Windows hides file extensions by default. Windows can be configured to show file extensions, which helps fight RTLO attacks.
Attackers can assign any icon they please to a file, so icons should not be used to determine file contents. To display file extensions in Windows Explorer, type “folder options” in the Windows 10 search textbox to open the configuration window. In the Advanced Settings section, uncheck the option “Hide extensions for known file types” and click “OK.” This setting takes effect immediately, and the file extension will show for all files in Explorer. You can test it by opening any folder and viewing the files.
To help safeguard systems from malware, always keep antivirus and anti-malware software updated with the latest patches and signatures. Should a user get tricked into opening the file, anti-malware software will catch many of the common malicious executables that pose a threat to business cybersecurity and data protection.
RTLO attacks are not as common as other phishing techniques and are not well known, so it is important that system administrators take the necessary precautions to protect user devices. Configure Windows to show file extensions, and use email security controls to block files with executable extensions and malicious content.
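The following is an added example (not code from the original article) showing how a mail gateway or attachment scanner could implement the check recommended above: it flags file names containing U+202E and related bidi controls, models how the name would be displayed to the user, and reports the real extension. It assumes Python 3 and uses a constructed in-memory zip archive as sample input.

```python
import io
import os
import zipfile

# Unicode bidi control characters that change how a file name is displayed.
# U+202E (RLO) is the one the article describes; the others are related
# controls that an attachment scanner should treat the same way.
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF",
    "\u202d": "LRO", "\u202e": "RLO",
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI", "\u2069": "PDI",
}

# Extensions that should be blocked outright regardless of how they display.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".bat", ".cmd",
                         ".ps1", ".vbs", ".js", ".hta", ".msi"}

def displayed_name(name: str) -> str:
    """Approximate what the user sees: text after a U+202E is drawn reversed.
    This models the simple case in the article (one RLO, no terminator)."""
    idx = name.find("\u202e")
    if idx == -1:
        return name
    return name[:idx] + name[idx + 1:][::-1]

def analyze_filename(name: str) -> dict:
    """Compare the real extension with the one the user would see."""
    found = [BIDI_CONTROLS[c] for c in name if c in BIDI_CONTROLS]
    real_ext = os.path.splitext(name)[1].lower()
    shown = displayed_name(name)
    return {
        "name": name,
        "displayed_as": shown,
        "bidi_controls": found,
        "real_extension": real_ext,
        "displayed_extension": os.path.splitext(shown)[1].lower(),
        "suspicious": bool(found) or real_ext in EXECUTABLE_EXTENSIONS,
    }

def scan_zip(data: bytes) -> list:
    """Return a finding for every member name in a zip archive (bytes)."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [analyze_filename(info.filename) for info in zf.infolist()]

def build_sample_zip() -> bytes:
    """Constructed sample archive: one benign text file, one RTLO-disguised name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("notes.txt", "plain text")
        zf.writestr("invoice\u202etxt.exe", b"MZ placeholder")  # displays as invoiceexe.txt
    return buf.getvalue()
```

Running `scan_zip(build_sample_zip())` reports the second member as displayed "invoiceexe.txt" with a real extension of ".exe" and the RLO control present.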
Easy Comprehensive Security
CybriantXDR gives you full visibility across your entire organization. The number one way to mitigate the damage from any attack on your environment is to prevent it from happening in the first place. With CybriantXDR, our 24/7 team of security analysts will help you prevent, detect, and remediate so that issues like right-to-left override attacks never fully execute.