RTLO File Extension Change

Sylvia Heidemann

Dec 26, 2023, 7:30:04 AM12/26/23
to stentacalog

After my post about extensions, I received some requests to deal with another method of pretending to be a different type of file. If you have not read that article yet, it will prove helpful to do that first in order to better understand this post.

On systems that support Unicode filenames, RTLO can be used to spoof fake extensions. To do this, a non-printing Unicode control character is placed in the file name; it reverses the display order of the characters that follow it.

Summary: RTLO is used to fake extensions by writing part of the filename or other descriptions back to front. Although detection by your AV or Malwarebytes Anti-Malware is not affected in any way, this trick can deceive users at first glance.

Though most endpoint security solutions like antivirus detect this type of spoofing, and some IRC clients even change the crafted malicious links back to their original form, many mail applications don't or can't reliably scan archived and zipped documents, and malicious files manipulated in this way are indeed being spammed out within zip archives. The best-known example of this is the backdoor "Etumbot". Some features of Windows also help to carry this type of attack, such as Windows hiding file extensions by default. Malicious individuals can set any icon they want for, say, a .exe file. A file named pic.jpg.exe using the standard image icon will look like a harmless image with Windows' default settings.

Unicode RTLO is an attack that spoofs an extension by injecting a Unicode Right-To-Left-Override character (U+202E). This is possible because Unicode-compatible applications display all characters after the RTLO character from right to left. For example, a file called example[rtlo]fig.exe would be displayed as "exampleexe.gif" to the user. By changing the exe icon to that of a GIF you can easily guess how this becomes a security problem. This attack has been around for many years, and there are already a lot of resources describing it (such as this one).

It's easy to create a filename spoofing an extension. I included this feature in MacroPack. For example, let's generate an HTA file running notepad with a false ".png" extension (the command is piped through macro_pack on Windows):

echo "cmd /c notepad.exe" | macro_pack.exe -t CMD -G hello.hta --unicode-rtlo=png

In Explorer, the file will appear as "helloath.png" when in fact it's really "hello[rtlo]gnp.hta".

There is more to say about file extension spoofing. From the attacker's point of view, what is great about this attack is that it works across multiple operating systems and applications. However, be aware that from one application to another, Unicode may be interpreted in different ways.
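As an added example (not part of the original post or of MacroPack), the following Python script shows both sides of the trick: how a name like example[rtlo]fig.exe renders as "exampleexe.gif", and how a defender can scan zip member names for bidi control characters and recover the real extension without extracting anything. The sample archive is constructed in memory.

```python
import io
import unicodedata
import zipfile

# Bidi format controls that can reorder a displayed filename. U+202E (RLO) is the
# one in the post; the other overrides, embeddings, isolates and marks are related.
BIDI_CONTROLS = {"\u202a", "\u202b", "\u202c", "\u202d", "\u202e",
                 "\u2066", "\u2067", "\u2068", "\u2069", "\u200e", "\u200f"}

def rendered_name(name: str) -> str:
    """Approximate a naive bidi renderer: text after the first U+202E is reversed."""
    i = name.find("\u202e")
    return name if i < 0 else name[:i] + name[i + 1:][::-1]

def real_extension(name: str) -> str:
    """Extension the OS actually uses, with bidi controls stripped first."""
    clean = "".join(c for c in name if c not in BIDI_CONTROLS)
    return clean.rsplit(".", 1)[-1].lower() if "." in clean else ""

def scan_name(name: str) -> dict:
    """Report the raw name, how it displays, its true extension and any controls."""
    controls = sorted({unicodedata.name(c) for c in name if c in BIDI_CONTROLS})
    return {"raw": name, "displayed_as": rendered_name(name),
            "real_extension": real_extension(name),
            "bidi_controls": controls, "suspicious": bool(controls)}

def scan_zip(data: bytes) -> list:
    """Scan every member name of a zip archive supplied as bytes (no extraction)."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [scan_name(info.filename) for info in zf.infolist()]

def build_sample_zip() -> bytes:
    """Constructed sample archive: one spoofed member name, one benign one."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("example\u202efig.exe", b"MZ...")  # shows as exampleexe.gif
        zf.writestr("notes.txt", b"hello")
    return buf.getvalue()

if __name__ == "__main__":
    for report in scan_zip(build_sample_zip()):
        print(report)
```

rendered_name only approximates what Explorer or a mail client shows; the full Unicode bidi algorithm treats digits and punctuation specially, which is exactly why the post warns that applications interpret these names differently. The presence of any control character in a filename is the reliable signal, not the rendered string.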

Disttrack: The Disttrack wiper malware creates a service named ntssrv, with a display name of "Microsoft Network Realtime Inspection Service" and a description of "Helps guard against time change attempts targeting known and newly discovered vulnerabilities in network time protocols" [17].

FIN7 APT group: FIN7 used a ZIP file as the spearphishing attachment in 2021 [23]. When the victim double-clicks the email's attachment, the ZIP archive is decompressed and a file with a long filename and a double extension (.txt.js) is presented. Because Windows hides the .js extension by default, the victim sees filename.txt. When the victim double-clicks the file, the JavaScript code is executed by the Windows Script Host.

This virus falsifies its file name extension by using a Unicode control character, so that such a malicious file looks like a benign one. Unicode is a standard for the consistent encoding, representation and handling of text in the world's languages. Control characters are characters that are defined in the character code but are not displayed on the screen; they are used to control devices such as printers and communication equipment.

The RLO character can be positioned in the filename to spoof or masquerade a file as having a filename or file extension different from what it actually has. (The spoofed name is still displayed this way even if 'Hide extensions for known file types' is unchecked, because the real extension is present but visually reordered.)

Malicious actors may try to change the name of a task or service in order to make it appear legitimate or benign. Tasks and services run by Task Scheduler or systemd are usually given a name and/or description; Windows services have both a service name and a display name. Adversaries may give their tasks or services names that are similar or identical to those of the innumerable legitimate ones. Other fields, such as the description, may also be used to make tasks or services appear legitimate.

Associating an extension with a file type is possible just by setting some values in the interface or in the Registry, so files with a certain extension can be treated as files of a completely different type (executables are of particular interest here). For instance, when a JPG file is double-clicked, the system will try to execute it just like an application, rather than sending it to whatever photo viewer you have installed on your PC. More to the point, the attacker only has to take a virus, change its extension from EXE to JPG, then send it to your compromised computer for viewing. You may believe that this is a JPG, but your system will know better and thus treat it like a regular exe file.

This method doesn't really involve any tricks, as the file extension is in plain view. However, by exploiting a vulnerability in a file format, an exploit can execute code or launch a file that was either already on the disk or downloaded from the Internet. For instance, opening a rigged PDF file can drop and install a piece of malware without the user even realizing that something is wrong.

In the email security game between hackers and users, adversaries employ various forms of masquerading with a file to increase the likelihood that a user will open it. While Right-to-Left Override (RLO) attack is an old technique to trick users into executing a file with a disguised extension, this spoofing method is back with new purposes. Vade has detected more than 400 such attacks in the last two weeks using a Microsoft 365 phishing email.

Right-to-Left Override (RLO) is a non-printing Unicode character (U+202E) mainly used to support Hebrew and Arabic. This character flips all subsequent text to be displayed right-to-left, instead of English's left-to-right reading order.

Most users know that text files with .txt extension are harmless. When email clients and Windows load a file with the .txt extension, they display the popular Notepad icon, which indicates that the file should be harmless text.


Before beginning, realize that this does not change a file's type, only its extension. Additionally, this walkthrough intentionally uses the command line and is thus aimed at more advanced users. However, the Terminal is not the only way to do this, so if this is too advanced or irrelevant to your skill set, recall that Mac OS offers simple tools to batch rename files and to batch change file extensions in the Finder, neither of which requires the command line at all. OK? Alright, on to the command line approach using a simple one-line bash script.

Know of a better way to change a bunch of file extensions of files in a directory via the command line? Just want to browse through some other great command line tips (go here)? Let us know your thoughts in the comments!

Linux, like Windows, has a binary executable format. Windows has the PE format, Linux the ELF format. Unices in general have a much less pronounced file extension requirement, so ELF files usually are extension-less. Linux uses Magic Numbers to identify those files, which is why it doesn't need the extensions.

Extensions and executables have little or nothing to do with each other on Windows or Linux, and extensions have nothing at all to do with viruses. When given an explicit file to act on, both operating systems look at the file's header to decide what to do with it. When there is ambiguity in the file name, the two OSes use slightly different strategies to identify the intended target. For example, if you type "echo hello" into the Windows Run box, the Windows terminal or a Linux terminal, both will look in each directory in the PATH environment variable for a file called "echo" that has execute permission and attempt to execute it with the argument "hello". Windows will also look for the files "echo.com", "echo.exe", "echo.bat", "echo.cmd", "echo.vb" and a bunch of other extensions that I can't remember off hand, plus any extensions mentioned in the PATHEXT environment variable, before it moves on to the next directory, and if it finds a match it will attempt to execute that.
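Added example, not from the post: the magic-number check described above, applied as a defender would to an attachment. It compares a file's leading bytes with the extension the name claims, and separately flags the pic.jpg.exe double-extension pattern mentioned earlier. The signature table and all sample bytes are constructed here and cover only a handful of common formats.

```python
from typing import Optional

SIGNATURES = [  # (magic bytes, kind, extensions that kind is expected to carry)
    (b"MZ", "pe", {"exe", "dll", "scr", "sys"}),
    (b"\x7fELF", "elf", {"", "so"}),          # ELF is usually extension-less
    (b"\xff\xd8\xff", "jpeg", {"jpg", "jpeg"}),
    (b"\x89PNG\r\n\x1a\n", "png", {"png"}),
    (b"GIF87a", "gif", {"gif"}),
    (b"GIF89a", "gif", {"gif"}),
    (b"%PDF-", "pdf", {"pdf"}),
    (b"PK\x03\x04", "zip", {"zip", "docx", "xlsx", "pptx", "jar"}),
]
EXEC_EXTS = {"exe", "scr", "com", "bat", "cmd", "js", "vbs", "hta", "pif"}
DATA_EXTS = {"jpg", "jpeg", "png", "gif", "txt", "pdf", "doc", "docx"}

def sniff(data: bytes) -> Optional[str]:
    """Return the kind implied by the magic number, or None if unknown."""
    for magic, kind, _ in SIGNATURES:
        if data.startswith(magic):
            return kind
    return None

def extensions(name: str) -> list:
    """All dotted suffixes, lowercased: 'pic.jpg.exe' -> ['jpg', 'exe']."""
    parts = name.rsplit("/", 1)[-1].split(".")
    return [p.lower() for p in parts[1:]]

def double_extension(name: str) -> bool:
    """True for names like pic.jpg.exe: a data-type extension followed by an
    executable one, the pattern Windows hides when extensions are turned off."""
    exts = extensions(name)
    return len(exts) >= 2 and exts[-1] in EXEC_EXTS and exts[-2] in DATA_EXTS

def assess(name: str, data: bytes) -> dict:
    """Combine content sniffing with the claimed extension into one verdict."""
    kind = sniff(data)
    ext = extensions(name)[-1] if extensions(name) else ""
    expected = next((e for _, k, e in SIGNATURES if k == kind), None)
    return {"name": name, "claimed_ext": ext, "content_kind": kind,
            "type_mismatch": kind is not None and ext not in expected,
            "double_extension": double_extension(name)}

if __name__ == "__main__":
    # Constructed samples: a PE renamed to .jpg, and an extension-less ELF
    print(assess("holiday.jpg", b"MZ\x90\x00" + b"\x00" * 60))
    print(assess("echo", b"\x7fELF\x02\x01\x01"))
```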

Regardless of the placement of the PHP code (I've tried just PHP code, PHP code pasted at the end of the image file, PHP code in EXIF headers etc.), the website just shows the image file when I open it after uploading (or an error in the case of plain PHP code saved as .jpg), since the extension is always jpg.

From a detection perspective, it would be possible to look for file write events where the target path matches the OneNote directory mentioned above. A first approach would be to look only for specific file extensions, since alerting on every write to that directory could easily lead to a concerning amount of false positives.

One thing to note (no pun intended) is that the integer after the NT part of the path is an incremental value that changes depending on how many attachments the user clicks from the same OneNote file; therefore that value should be considered non-static for detection engineering purposes.

Another interesting edge case is when the attackers spoof the extension of the file using the Right-to-Left Override (RTLO) technique ( -Defender-and-other-thoughts-on-Unicode-RTLO-attacks). In this case, although the process tree will remain the same, the file name found in the file-write event might not reflect the actual content of the dropped file.
