Secondary Categories: 02-Malware
Description:
In order to spoof a file extension you can use right to left override (RTLO). Essentially this allows those who read in Arabic or Hebrew to read the text right to left. You can leverage this funtionality by using UNICODE characters to trick windows into thinking it is a png and not a exe.
For example if you have the file βThisIsRTLOdoc.exeβ you can insert the unicode character below to show βThisIsRTLOexe.docβ
U+202e
Some email application and service will block the technique. Although many email providers cant reliably scan archive or zipped files.
In order to use this you can use the Character Map
When creating a new document you can view its properties and change the name. Renaming the file `TestingRTLO[U+202E]xcod.txt
File types that would work well with this technique is:
- .bat
- .exe
- .cmd
- .com
- .lnk
- .pif
- .scr
- .vb
- .vbe
- .vbs
- .wsh
Warning!
Most EDR solutions can detect this type of spoofing and
Remediation
You can use the view set to βContentβ
Alternative
An alternative is just use Resource Hacker and spoof the properties and Icon.
Resources:
| Title | URL |
|---|---|
| InfoSec Institute | https://resources.infosecinstitute.com/topic/spoof-using-right-to-left-override-rtlo-technique-2/ |
Also Check Out:
- Placeholder