Secondary Categories: 02-Malware


Description:

In order to spoof a file extension you can use right to left override (RTLO). Essentially this allows those who read in Arabic or Hebrew to read the text right to left. You can leverage this funtionality by using UNICODE characters to trick windows into thinking it is a png and not a exe.

For example if you have the file β€œThisIsRTLOdoc.exe” you can insert the unicode character below to show β€œThisIsRTLOexe.doc”

U+202e

Some email application and service will block the technique. Although many email providers cant reliably scan archive or zipped files.

In order to use this you can use the Character Map

When creating a new document you can view its properties and change the name. Renaming the file `TestingRTLO[U+202E]xcod.txt

File types that would work well with this technique is:

  • .bat
  • .exe
  • .cmd
  • .com
  • .lnk
  • .pif
  • .scr
  • .vb
  • .vbe
  • .vbs
  • .wsh

Warning!

Most EDR solutions can detect this type of spoofing and

Remediation

You can use the view set to β€œContent”

Alternative

An alternative is just use Resource Hacker and spoof the properties and Icon.


Resources:

Also Check Out:

  • Placeholder