Potential File Extension Spoofing Using Right-to-Left Override

 1title: Potential File Extension Spoofing Using Right-to-Left Override
 2id: 979baf41-ca44-4540-9d0c-4fcef3b5a3a4
 3related:
 4    - id: ad691d92-15f2-4181-9aa4-723c74f9ddc3
 5      type: derived
 6status: test
 7description: |
 8        Detects suspicious filenames that contain a right-to-left override character and a potentially spoofed file extensions.
 9references:
10    - https://redcanary.com/blog/right-to-left-override/
11    - https://www.malwarebytes.com/blog/news/2014/01/the-rtlo-method
12    - https://tria.ge/241015-l98snsyeje/behavioral2
13    - https://www.unicode.org/versions/Unicode5.2.0/ch02.pdf
14author: Jonathan Peters (Nextron Systems), Florian Roth (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems)
15date: 2024-11-17
16modified: 2025-02-06
17tags:
18    - attack.execution
19    - attack.defense-evasion
20    - attack.t1036.002
21logsource:
22    category: file_event
23    product: windows
24detection:
25    selection_rtlo_unicode:
26        TargetFilename|contains:
27            - '\u202e'  # Unicode RTLO character
28            - '[U+202E]'
29    selection_extensions:
30        TargetFilename|contains:
31            - '3pm.'  # Reversed `.mp3`
32            - '4pm.'  # Reversed `.mp4`
33            - 'cod.'  # Reversed `.doc`
34            - 'fdp.'  # Reversed `.pdf`
35            - 'ftr.'  # Reversed `.rtf`
36            - 'gepj.'  # Reversed `.jpeg`
37            - 'gnp.'  # Reversed `.png`
38            - 'gpj.'  # Reversed `.jpg`
39            - 'ism.'  # Reversed `.msi`
40            - 'lmth.'  # Reversed `.html`
41            - 'nls.' # Reversed `.sln`
42            - 'piz.'  # Reversed `.zip`
43            - 'slx.'  # Reversed `.xls`
44            - 'tdo.'  # Reversed `.odt`
45            - 'vsc.'  # Reversed `.csv`
46            - 'vwm.'  # Reversed `.wmv`
47            - 'xcod.'  # Reversed `.docx`
48            - 'xslx.'  # Reversed `.xlsx`
49            - 'xtpp.'  # Reversed `.pptx`
50    condition: all of selection_*
51falsepositives:
52    - Filenames that contains scriptures such as arabic or hebrew might make use of this character
53level: high

References

• Right-to-Left Override: Detecting Attacks With EDR Data

  

  Our Security Operations team loves to share insights on TTPs when we see them in the wild. Today an oldie but a goodie: right-to-left override attacks.

  
  Read More

• The RTLO method | Malwarebytes Labs

  

  RTLO can be used to spoof fake extensions. Learn how malware writers are using this old trick to spread malware.

  
  Read More

• https://tria.ge/241015-l98snsyeje/behavioral2

  
  Read More

• %PDF-1.6 %âãÏÓ 1650 0 obj endobj xref 1650 87 0000000016 00000 n 0000003512 00000 n 0000003652 00000 n 0000003832 00000 n 0000003893 00000 n 0000003931 00000 n 0000003977 00000 n 0000004026 00000 n...

  
  Read More

Related rules

• MMC Executing Files with Reversed Extensions Using RTLO Abuse
• MMC Loading Script Engines DLLs
• Potential Defense Evasion Via Right-to-Left Override
• UNC4841 - Barracuda ESG Exploitation Indicators
• Potential Arbitrary Command Execution Via FTP.EXE