Monday, 4 August 2014

RTLO/RLO (right to left override) technique for file extension spoofing

RTLO/RLO (right to left override technique)

Salam everyone..!!
In this tutorial I will show you the RTLO/RLO (right to left override) technique, which is used for file extension spoofing.
This technique has been used by well-known malware, e.g. GameOver Zeus. With it you can make your exe file appear to be a pdf, ppt, docx or whatever file type you want the victim to see.

Tools needed:

1- unicodeinput freeware utility
2- CFF explorer (to change icon of .NET exe file)

I am using the winmd5 .NET file as the sample exe for demonstration purposes in this tutorial.

Brief intro: 

The RTLO/RLO character (U+202E in Unicode) is designed to support languages that are written right to left, such as Arabic and Hebrew. The problem is that this override character can also be used to make a malicious file look innocuous. An increasing number of email based attacks take advantage of the RTLO/RLO character to trick users who have been trained to be wary of clicking on random .exe files.
For example, consider the following file name as it is displayed:
“winmd5exe.pdf”
It looks like a pdf document, but it is in fact an exe file. The name stored on disk is winmd5[RTLO character]fdp.exe, i.e. the RTLO character has been placed right after winmd5. Everything after the RTLO character is rendered right to left, so the stored tail fdp.exe is displayed as exe.pdf and the whole name appears as winmd5exe.pdf. The operating system, however, still sees the real extension .exe and runs the file as a program.
I hope you got my point. Similarly, you can use the following file name to run a batch file that appears to be a pdf:
"winmd5[RTLO]fdp.bat"
It is displayed as winmd5tab.pdf: the real extension also reads backwards in the displayed name, and exe happens to read the same both ways, which is why the exe case looks cleanest.

NOTE: The stored name still ends in .exe, so the real file type can be seen in the file's Properties dialog, and anything that inspects the raw name rather than its rendering reveals the real extension.
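The construction described above and the raw-name check from the note, as an added Python example that is not part of the original post: spoof_name builds the stored name, displayed_name approximates what a bidi-aware UI such as Explorer or a mail client shows, and analyse flags any bidi control character in a name and reports the real extension next to the displayed one. The attachment names in SAMPLE_NAMES are constructed for the demo and are not from any real campaign.

```python
import os
import unicodedata

RLO = "\u202e"  # U+202E RIGHT-TO-LEFT OVERRIDE

# Unicode bidi control characters. None of them belongs in a normal file name,
# so any occurrence is worth flagging, not just RLO.
BIDI_CONTROLS = {
    "\u200e", "\u200f",                                 # LRM, RLM
    "\u202a", "\u202b", "\u202c", "\u202d", "\u202e",   # LRE, RLE, PDF, LRO, RLO
    "\u2066", "\u2067", "\u2068", "\u2069",             # LRI, RLI, FSI, PDI
}


def spoof_name(stem: str, shown_ext: str, real_ext: str) -> str:
    """Build an RLO-spoofed file name, e.g. spoof_name("winmd5", "pdf", "exe").

    Everything after the RLO is rendered right to left, so the extension we want
    the user to *see* is stored backwards ("fdp"), while the real extension stays
    at the end of the string, which is what the OS uses to pick the handler.
    Stored:    stem + RLO + "fdp.exe"
    Displayed: stem + "exe.pdf"   (the real extension reads backwards on screen;
               "exe" is a palindrome, which is why that case looks cleanest)
    """
    shown, real = shown_ext.lstrip("."), real_ext.lstrip(".")
    return f"{stem}{RLO}{shown[::-1]}.{real}"


def displayed_name(name: str) -> str:
    """Approximate what a bidi-aware UI shows for `name`.

    Under an RLO every following character is forced to right-to-left, so the
    run after the RLO appears reversed. Simplification (assumption for this
    demo): one RLO and no terminating PDF, the shape seen in attachments.
    """
    head, sep, tail = name.partition(RLO)
    return head + tail[::-1] if sep else name


def real_extension(name: str) -> str:
    """The extension the OS actually sees: taken from the raw string, not its rendering."""
    return os.path.splitext(name)[1].lower()


def analyse(name: str) -> dict:
    """Report how a file name displays versus what it really is."""
    controls = [
        (i, f"U+{ord(ch):04X} {unicodedata.name(ch)}")
        for i, ch in enumerate(name)
        if ch in BIDI_CONTROLS
    ]
    shown = displayed_name(name)
    return {
        "raw": name,
        "displayed": shown,
        "displayed_ext": os.path.splitext(shown)[1].lower(),
        "real_ext": real_extension(name),
        "bidi_controls": controls,
        "suspicious": bool(controls),
    }


def scan(names) -> list:
    """Return the analysis of every name that contains a bidi control character."""
    return [r for r in map(analyse, names) if r["suspicious"]]


# Constructed sample attachment names for the demo (not from a real mailbox).
SAMPLE_NAMES = [
    "report.pdf",                          # benign
    spoof_name("winmd5", "pdf", "exe"),    # the post's example: shows as winmd5exe.pdf
    spoof_name("winmd5", "pdf", "bat"),    # shows as winmd5tab.pdf
    spoof_name("invoice", "pdf", "scr"),   # shows as invoicercs.pdf
]

if __name__ == "__main__":
    for r in scan(SAMPLE_NAMES):
        print(f"displayed {r['displayed']!r:18} looks like {r['displayed_ext']}, "
              f"really {r['real_ext']}  raw={r['raw']!r}  {r['bidi_controls']}")
```

The detection side is the useful part for defenders: a mail gateway or EDR rule that rejects or quarantines attachment names containing any code point in BIDI_CONTROLS catches every variant of this trick regardless of which extension is being hidden, and comparing displayed_ext with real_ext gives an analyst the one-line explanation of what the user would have seen.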
