T1036.002 Right-to-Left Override Mappings

Adversaries may use the right-to-left override (RTLO or RLO) character (U+202E) as a means of tricking a user into executing what they think is a benign file type but is actually executable code. RTLO is a non-printing character that causes the text that follows it to be displayed in reverse.(Citation: Infosecinstitute RTLO Technique) For example, a Windows screensaver executable named <code>March 25 \u202Excod.scr</code> will display as <code>March 25 rcs.docx</code>. A JavaScript file named <code>photo_high_re\u202Egnp.js</code> will be displayed as <code>photo_high_resj.png</code>.

A common use of this technique is with Spearphishing Attachment/Malicious File since it can trick both end users and defenders if they are not aware of how their tools display and render the RTLO character. Use of the RTLO character has been seen in many targeted intrusion attempts and criminal activity.(Citation: Trend Micro PLEAD RTLO)(Citation: Kaspersky RTLO Cyber Crime) RTLO can be used in the Windows Registry as well, where regedit.exe displays the reversed characters but the command line tool reg.exe does not by default.



Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name
action.malware.variety.Disable controls Disable or interfere with security controls related-to T1036.002 Masquerading: Right-to-Left Override
action.social.variety.Forgery Forgery or counterfeiting (fake hardware, software, documents, etc) related-to T1036.002 Masquerading: Right-to-Left Override
action.social.variety.Phishing Phishing (or any type of *ishing) related-to T1036.002 Masquerading: Right-to-Left Override