Common Information
| Type | Value |
|---|---|
| Value |
Right-to-Left Override - T1036.002 |
| Category | Attack-Pattern |
| Type | Mitre-Attack-Pattern |
| Misp Type | Cluster |
| Description | Adversaries may abuse the right-to-left override (RTLO or RLO) character (U+202E) to disguise a string and/or file name to make it appear benign. RTLO is a non-printing Unicode character that causes the text that follows it to be displayed in reverse. For example, a Windows screensaver executable named <code>March 25 \u202Excod.scr</code> will display as <code>March 25 rcs.docx</code>. A JavaScript file named <code>photo_high_re\u202Egnp.js</code> will be displayed as <code>photo_high_resj.png</code>.(Citation: Infosecinstitute RTLO Technique) Adversaries may abuse the RTLO character as a means of tricking a user into executing what they think is a benign file type. A common use of this technique is with [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001)/[Malicious File](https://attack.mitre.org/techniques/T1204/002) since it can trick both end users and defenders if they are not aware of how their tools display and render the RTLO character. Use of the RTLO character has been seen in many targeted intrusion attempts and criminal activity.(Citation: Trend Micro PLEAD RTLO)(Citation: Kaspersky RTLO Cyber Crime) RTLO can be used in the Windows Registry as well, where regedit.exe displays the reversed characters but the command line tool reg.exe does not by default. |
| Details | Published | Attributes | CTI | Title | ||
|---|---|---|---|---|---|---|
| Details | Website | 2023-11-03 | 3 | Detect Phishing Emails by Inspecting Email Headers, Attachments, and URLs | ||
| Details | Website | 2023-10-11 | 99 | Qakbot evolves to OneNote Malware Distribution | ||
| Details | Website | 2023-08-04 | 4 | Teach a Man to Phish and He’s Set for Life – Krebs on Security | ||
| Details | Website | 2023-06-05 | 102 | Vulnerability Summary for the Week of May 29, 2023 | CISA | ||
| Details | Website | 2023-05-30 | 3 | NVD - CVE-2023-33955 | ||
| Details | Website | 2023-03-09 | 2 | Hackers using OneNote instead of macros to deliver malware: Report | IT World Canada News | ||
| Details | Website | 2023-03-08 | 18 | A Noteworthy Threat: How Cybercriminals are Abusing OneNote – Part 1 | ||
| Details | Website | 2022-12-08 | 10 | Trojanized OneNote Document Leads to Formbook Malware | ||
| Details | Website | 2022-12-07 | 11 | Malware Distributed with Disguised Filenames (RIGHT-TO-LEFT OVERRIDE) - ASEC BLOG | ||
| Details | Website | 2022-11-30 | 11 | 위장 파일명으로 유포되는 악성코드(RIGHT-TO-LEFT OVERRIDE) - ASEC BLOG | ||
| Details | Website | 2022-11-21 | 10 | [ Malware Analysis #5] — Eternity Project — Eternity Worm | ||
| Details | Website | 2022-09-01 | 21 | RAT Tool Disguised as Solution File (*.sln) Being Distributed on Github - ASEC BLOG | ||
| Details | Website | 2021-06-16 | 85 | Ferocious Kitten: 6 years of covert surveillance in Iran | ||
| Details | Website | 2020-02-10 | 47 | Suspected Sapphire Mushroom (APT-C-12) malicious LNK files | ||
| Details | Website | 2018-02-13 | 56 | Zero-day vulnerability in Telegram | ||
| Details | Website | 2017-12-08 | 2 | Interesting disguise employed by new Mac malware HiddenLotus | Malwarebytes Labs | ||
| Details | Website | 2016-01-24 | 196 | Scarlet Mimic: Years-Long Espionage Campaign Targets Minority Activists | ||
| Details | Website | 2013-08-01 | 1 | Sophos Discovers ZeroAccess Using RLO | Malwarebytes Labs | ||
| Details | Website | 2013-07-22 | 14 | — |