After my post about extensions, I received some requests to deal with another method of pretending to be a different type of file. If you have not read that article yet, it will prove helpful to do that first in order to better understand this post.
RTLO file extension change
On systems that support Unicode filenames, RTLO can be used to spoof fake extensions. To do this, a non-printing Unicode control character is inserted into the file name; it reverses the display order of the characters that follow it.
Summary: RTLO is used to fake extensions by writing part of the filename or other descriptions back to front. Although detection by your AV or Malwarebytes Anti-Malware is not altered in any way, this trick can deceive users at first glance.
Unicode RTLO is an attack that spoofs an extension by injecting a Unicode Right-To-Left Override character (U+202E). This works because Unicode-aware applications display all characters after the RTLO character from right to left. For example, a file called example[rtlo]fig.exe would be displayed to the user as "exampleexe.gif". If the EXE icon is also changed to that of a GIF, it is easy to see how this becomes a security problem. This attack has been around for many years, and there are already a lot of resources describing it (such as this one).
It's easy to create a filename that spoofs an extension. I included this feature in MacroPack. For example, let's generate an HTA file that runs notepad with a false ".png" extension:
echo "cmd /c notepad.exe" | macro_pack.exe -t CMD -G hello.hta --unicode-rtlo=png
In Explorer, the file will appear as "helloath.png" when in fact it is really "hello[rtlo]gnp.hta".
There is more to say about file extension spoofing. From the attacker's point of view, what makes this attack attractive is that it works across multiple operating systems and applications. However, be aware that Unicode may be interpreted differently from one application to another.
Most users know that a .txt file is harmless, so attackers use the text file extension to make users think that malicious files are harmless. Since the right-to-left Unicode character does not render as a visible glyph on screen, users do not realize that the file is really an executable and not a harmless text file.
Many email clients will block RTLO attacks, but zip files with malicious executables slip through. Anti-malware software will also catch RTLO attacks, but users should be trained to look at file extensions and avoid opening files from strangers. However, Windows hides file extensions by default. Windows can be configured to show file extensions, which helps fight RTLO attacks.
FIN7 APT group: They used a ZIP file as the spearphishing attachment in 2021 [23]. By double-clicking the email's attachment, the ZIP archive is decompressed, and a file with a long filename and a double extension (.txt.js) is opened. However, Windows hides .js by default, and the victim sees filename.txt. When the victim double-clicks the file, the JavaScript code is executed by the Windows Script Host.
Since Windows users are more careful with executable extensions and pay less attention to safer extensions such as image formats, there are a couple of ways to trick a careless user into thinking that an EXE file is a JPG image file.
There is a setting in Folder Options that hides the file extension, so that only the filename is visible in Explorer. The problem with this setting is that the default option is set to hide, and a less careful user can be tricked when there is a double extension. An example of a double extension is a file named notes.txt.exe: the file is actually an executable but is shown as notes.txt, with the .exe hidden due to the Folder Options setting. The next step to make the file look more convincing is to change the file icon to the Notepad icon. As the example image showed, it then looks like a normal text file.
This trick uses the Right-to-Left Override Unicode character to reverse the last six characters so that the extension is spoofed. For example, a notes.exe file can be renamed so that it displays as notesexe.txt. Although the file extension clearly shows as .txt in Explorer, the Windows operating system still recognizes the file as an application.
An older version of WinRAR, 4.20, is vulnerable to file name and extension spoofing. This means a ZIP file created by WinRAR 4.20 can be modified with a hex editor so that the GUI shows one filename and extension while a different extension is used when the file is run directly from the program. An example is a notes.exe file compressed into notes.zip using WinRAR 4.20. Then, using a hex editor, go to the end of the file and modify notes.exe to notes.txt.
As a defense evasion technique, adversaries change features of their malicious artifacts with legitimate and trusted ones. Code signatures, names and location of malware files, names of tasks and services are some examples of these features. After masquerading, malicious artifacts of adversaries such as malware files appear legitimate to users and security controls.
This feature (!) is used by adversaries to trick users into opening malware files by showing the file extension as a benign extension instead of executable. This Masquerading sub-technique is commonly used with the Malicious File sub-technique of the T1204 User Execution ATT&CK technique [5] and Spearphishing Attachment sub-technique of the T1566 Phishing ATT&CK technique [6].
As a recent example, an APT group used the RLO technique to disguise an SCR (Windows screensaver) malware as a document file [8]. Adversaries also used a classic Right-to-Left Override attack to trick Telegram users by changing the displayed file extension [9]. For example, a JS malware file is renamed as follows: my_photo_U+202Egnp.js, where U+202E is the RLO character that makes Telegram display the remaining string gnp.js in reverse, as sj.png. The adversary then sends the message, and the recipient sees an incoming PNG image file instead of a JS (JavaScript) file.
Adversaries frequently utilize Windows system utilities in their operations to bypass defensive security controls. Rundll32.exe, cmd.exe, and certutil.exe are some of these utilities. Because of the increased use of legitimate system utilities by adversaries, security tools may monitor them to detect suspicious use. To avoid name-based detection, adversaries may rename system utilities. For example, threat actors of Operation Soft Cell renamed cmd.exe to cdm.exe [11]. Korplug malware, which leverages the COVID-19 pandemic to spread, uses a renamed certutil.exe (msoia.exe) to decode its CAB file [12].
Moreover, adversaries change icons of their malware with icons of benign files. As an example, Pony Trojan used a well-known Adobe Reader icon and the filename security or infos to look trustworthy [20].
Associating a certain extension with a file type is possible just by setting some values in the interface or in the Registry, so files with a given extension are treated as files of a completely different type (executables are of particular interest here). For instance, when double-clicking a JPG file, the system will try to execute it just like an application, rather than sending it to whatever photo viewer you may have installed on your PC. More to the point, the attacker only has to take a virus, change its extension from EXE to JPG, then send it to your compromised computer for viewing. You may believe that this is a JPG, but your system will know better and thus treat it like a regular EXE file.
This method doesn't really involve any trickery, as the file extension is in plain view. However, by exploiting a vulnerability in a file format, an exploit can execute code and launch a file that was either already on the disk or downloaded from the Internet. For instance, opening a rigged PDF file will drop and install a piece of malware without the user even realizing that something is wrong.
Most users know that text files with .txt extension are harmless. When email clients and Windows load a file with the .txt extension, they display the popular Notepad icon, which indicates that the file should be harmless text.
In the email security game between hackers and users, adversaries employ various forms of masquerading with a file to increase the likelihood that a user will open it. While the Right-to-Left Override (RLO) attack is an old technique to trick users into executing a file with a disguised extension, this spoofing method is back with new purposes. Vade has detected more than 400 such attacks in the last two weeks.
In August, the ASEC analysis team published a post on malware being distributed with filenames that utilize RTLO (Right-To-Left Override). RTLO is a Unicode control character that overrides the text direction to right-to-left. This type of malware induces users to execute its files by mixing filenames with extensions, and its distribution continues to this day.
Note: Because file extensions such as EXE and SCR are displayed in reverse when the RTLO mark is used, i.e. as EXE and RCS (in the traditional technique, without obscuring the original extension by other methods), criminals often use words that end in those letters (or similar ones), e.g. for EXE and SCR: Annexe, Forexe, Reflexe, Arcs, Orcs, Marcs.
From a detection perspective, it would be possible to look for file write events where the target path matches the OneNote directory mentioned above. A first approach would be to restrict the search to specific file extensions, since matching every file written there could easily lead to a concerning number of false positives.
One thing to note (no pun intended) is that the integer after the NT part of the path is an incremental value that changes depending on how many attachments the user has clicked in the same OneNote file; therefore that value should be considered non-static for detection engineering purposes.
Another interesting edge case is when the attackers spoof the extension of the file using the Right-to-Left Override (RTLO) technique ( -Defender-and-other-thoughts-on-Unicode-RTLO-attacks). In this case, although the process tree will remain the same, the file name found in the file-write event might not reflect the actual content of the dropped file.
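As an added example (not code from any of the sources quoted above), the following Python approximates how a bidi-aware UI renders a filename containing U+202E, compares that with the extension the operating system actually uses, and also flags the double-extension case (notes.txt.exe) described earlier. The list of executable extensions and the sample file-write event names are constructed for illustration; the rendering is a simplification of the full Unicode bidi algorithm that is adequate for names made of Latin letters, digits and dots.

```python
# Unicode format characters that control text direction (LRE, RLE, PDF, LRO,
# RLO, and the isolate controls). Any of these inside a filename is a red flag.
BIDI_CONTROLS = frozenset("\u202a\u202b\u202c\u202d\u202e\u2066\u2067\u2068\u2069")

# Extensions Windows executes on double-click (illustrative, not exhaustive).
EXECUTABLE_EXTS = frozenset({"exe", "scr", "com", "hta", "js", "jse", "vbs", "bat", "cmd", "ps1"})


def _strip_controls(name: str) -> str:
    return "".join(c for c in name if c not in BIDI_CONTROLS)


def displayed_name(name: str) -> str:
    """Approximate what the user sees: text after the first U+202E (RLO)
    is drawn right-to-left, i.e. visually reversed; controls are invisible."""
    head, sep, tail = name.partition("\u202e")
    return _strip_controls(head) + (_strip_controls(tail)[::-1] if sep else "")


def real_extension(name: str) -> str:
    """Extension the OS actually dispatches on: text after the last dot."""
    clean = _strip_controls(name)
    return clean.rsplit(".", 1)[-1].lower() if "." in clean else ""


def analyze(name: str) -> dict:
    """Compare apparent and real extension and flag the two masquerading tricks."""
    shown = displayed_name(name)
    apparent = shown.rsplit(".", 1)[-1].lower() if "." in shown else ""
    parts = _strip_controls(name).split(".")
    # notes.txt.exe: with "hide extensions for known file types" Explorer shows notes.txt
    double_ext = len(parts) >= 3 and parts[-1].lower() in EXECUTABLE_EXTS
    has_bidi = any(c in BIDI_CONTROLS for c in name)
    return {
        "displayed": shown,
        "apparent_ext": apparent,
        "real_ext": real_extension(name),
        "has_bidi": has_bidi,
        "double_ext": double_ext,
        "suspicious": has_bidi or double_ext,
    }


# Constructed file-write event names (not real telemetry) to run the check over.
SAMPLE_EVENTS = ["report.txt", "example\u202efig.exe", "notes.txt.exe", "hello\u202egnp.hta"]


def flagged(names) -> list:
    """Return the names a detection rule should surface for review."""
    return [n for n in names if analyze(n)["suspicious"]]
```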