Adversaries may use the right-to-left override (RTLO or RLO) character (U+202E) as a means of tricking a user into executing what they think is a benign file type but is actually executable code. RTLO is a non-printing character that causes the text that follows it to be displayed in reverse. For example, a Windows screensaver executable named March 25 \u202Excod.scr will display as March 25 rcs.docx. A JavaScript file named photo_high_re\u202Egnp.js will be displayed as photo_high_resj.png.

A common use of this technique is with Spearphishing Attachment/Malicious File since it can trick both end users and defenders if they are not aware of how their tools display and render the RTLO character. Use of the RTLO character has been in many targeted intrusion attempts and criminal activity. RTLO can be used in the Windows Registry as well, where regedit.exe display the reverse characters but the command line tool reg.exe does not by default.


Using a tool called Extension Spoofer from henriksb (https://github.com/henriksb)

It uses the RTLO to spoof extensions and it as well masquerades the binary by changing its Icon.

The tool is very simple, Run, Choose your Payload and Apply the Spoof extension and the Source Extension.

We hit Generate and our original file will change with the new extension and spoofed name as well.

This was a simple demonstration on how to apply this methodology to trick users in believing they are opening another file this may trick the majority of users since they see an Icon unrelated to EXE and an Extension that is known to not be malicious (maybe).

Last updated