Adversaries may abuse the right-to-left override (RTLO or RLO) character (U+202E) to disguise a string and/or file name to make it appear benign. RTLO is a non-printing Unicode character that causes the text that follows it to be displayed in reverse. For example, a Windows screensaver executable named <code>March 25 \u202Excod.scr</code> will display as <code>March 25 rcs.docx</code>. A JavaScript file named <code>photo_high_re\u202Egnp.js</code> will be displayed as <code>photo_high_resj.png</code>.(Citation: Infosecinstitute RTLO Technique)
Adversaries may abuse the RTLO character as a means of tricking a user into executing what they think is a benign file type. A common use of this technique is with Spearphishing Attachment/Malicious File since it can trick both end users and defenders if they are not aware of how their tools display and render the RTLO character. Use of the RTLO character has been seen in many targeted intrusion attempts and criminal activity.(Citation: Trend Micro PLEAD RTLO)(Citation: Kaspersky RTLO Cyber Crime) RTLO can be used in the Windows Registry as well, where regedit.exe displays the reversed characters but the command line tool reg.exe does not by default.
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| intel-tdt | Intel Threat Detection Technology | CrowdStrike AMS | T1036.002 | Right-to-Left Override |
Comments
Intel Threat Detection Technology (TDT) and CrowdStrike Falcon Accelerated Memory Scanning (CAMS): Defending Against Right-to-Left Override Attacks
Intel Threat Detection Technology (TDT), combined with CrowdStrike Falcon Advanced Memory Scanning (CAMS), enhances cybersecurity defenses by enabling faster, real-time detection of Right-to-Left Override (RTLO) attacks. This integrated solution strengthens CrowdStrike Falcon, improving its ability to detect and mitigate cyber threats earlier in the kill chain, all while minimizing system performance impact.
Right-to-Left Override (RTLO) attacks exploit character encoding to manipulate the way text is displayed, often used to trick users into executing malicious files or to bypass security filters. In these attacks, attackers use the RTLO control character to reverse the visual display of text, such as making a file appear harmless by misleading the user about its true extension. Intel TDT plays a crucial role in identifying these threats by providing real-time telemetry on program execution, memory access, and control flow, enabling rapid detection of abnormal behaviors, such as attempts to manipulate file names or execute commands through deceptive displays.
Additionally, CAMS offloads the memory scanning workload from the CPU to the Intel Integrated GPU, ensuring faster and more efficient detection of malicious activity without degrading system performance. CAMS helps identify suspicious behaviors, such as the use of RTLO to obfuscate filenames or payloads that would otherwise be flagged by security systems, providing proactive defense against this evasive technique. This solution ensures that organizations can detect and prevent RTLO attacks before they successfully deceive users or bypass security measures.
References
|