publishing date icon
October 13, 2021
read time icon
5 min. read

Right to left override attacks are relics no more

Author image
Jon Gellin
Junior Threat Analyst
facebook iconLinkedin iconTwitter icon
Post hero image

Relic of the past no more: Right-to-left override attacks are back

Right-to-Left overrides are an age-old trick used by malicious actors. Those familiar with the attack might be wondering whether we’ve entered a time warp if we’re talking about right-to-left overrides, but let me assure you, they are once again relevant and still dangerous.

Right-to-Left overrides (RTLO) take advantage of a special Unicode character [U+202e], which flips characters. The legitimate use for this Unicode character is to support languages like Arabic and Hebrew, which are read from right to left instead of left to right.

As a simple demonstration, a file called “Invoictxt.exe,” with the special Unicode character added as “Invoic[U+202e]txt.exe,” will be displayed as “Invoicexe.txt” to the user. This hides the fact that the file in question is an executable file, increasing the chance that the user clicks on it. An executable file contains encoded instructions that make the computer do something.

What is a Right-to-Left Override attack?

Some malicious actors have picked up on the potential for mischief with this character, and use it to enhance their phishing campaigns. When we first saw this trick being used, we wrote it off as a one-off campaign done by some malicious actor who has been reading some very old forum posts. During the last few months however, we’ve seen more and more examples of this being used in the wild.

right to left override attack 0

In this example we see a common voice mail phish. It’s not much to brag about, but with the overwhelming volume of these being spammed out daily, there are always some who fall for it. Given the large volume, even small improvements in effectiveness correlate to a huge increase in successfully phished victims.

This type of phishing email usually includes a link to click on, or an HTML attachment to download. Behind the link or in the attachment, the recipient is welcomed by a credential harvesting form, disguised as an extra security step. In this case we are greeted by an attachment called “Open_New_Voicemail mth.wav”, or so it seems at least.

Right to Left override attack 1

When we download the attachment, be it from a browser-based email client or an application installed on your device, the file type shown is “.wav”, a filetype commonly used for uncompressed audio. Even when we inspect the file using our file explorer on the operating system of our choosing, we see an audio file. But when we click it, our operating system is not fooled by the character and opens the .htm file containing the credential harvester.

We are currently seeing this method being used mainly in voice mail themed phishing messages, with malicious attachments hidden as different types of audio or video files, like .mp3 or .mp4. However, with the increase in popularity, we’re likely to see this used in other phishing themes too.

Staying safe from this type of attack is not too tricky when keeping in mind some basic rules of internet safety.

  • Have you received messages from this service before, or one similar? Think whether your company actually uses the service in question. If the service is something you use, you should check the service directly to see if the notification is real rather than clicking the link or downloading an attachment. Using known service notifications is an efficient way for the attacker to lure you to a fake website pretending to be the real one to get you to enter your user credentials.
  • Be very cautious with HTML attachments! When you open a malicious HTML, the attacker might be able to access everything you do. For instance, read your keystrokes, meaning that you don't even have to submit the password for it to be readable for the attacker.
  • When opening an attachment make sure the file icon matches the file type in the attachment name. Our operating systems are not fooled by this trick and will display the correct icon. In this case a blank page which is commonly used at the .html filetype icon instead of a note often seen in audio file icons.

Hoxhunt response

Our Threat Analysis Team examines tens of thousands of reported phishing emails like these a week–and have captured tens of millions of threats to date. They cluster the threats, rate them, and incorporate the nasty ones into our training simulations in real time to ensure our training stays at the cutting edge of the constantly-evolving threat landscape. Hoxhunt users are thus drilled on spotting and reporting the latest actual threats making the rounds, removing potentially catastrophic threats from your system with every push of the Hoxhunt reporting button. Read more to learn how to equip your employees with the awareness training that will protect your company from phishing scams.

Subscribe to our newsletter