According to our friends at Commtouch, malware using Right to Left Override (RLO) Unicode tricks has “resurfaced extensively in the past week”. The Unicode character U+202E “reverses” the text that follows it, a feature intended for languages that are traditionally read from right to left, and it can be abused to obfuscate file names so that the displayed extension differs from the real one.
We examined a sample a few days ago.
Here’s the archive file viewed in Windows:
The Windows Compressed Folder view shows us that the extension is “.exe” and that the file type is an Application:
But once extracted, the file appears to have an extension of “.doc”.
Windows Explorer recognizes the file as an application, but the malware is using a Word icon as part of its social engineering trickery.
Being curious, we decided to test some third-party archive managers.
Here’s the malware as viewed in WinZip:
And here’s 7-Zip:
To our surprise, 7-Zip doesn’t display the file type even though it sorts by type.
In any case, be aware of this RLO trick, and carefully examine any archived attachments before extracting and/or opening them.
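One way to do that examination automatically, as an added example that is not part of the original post: the script below lists the entries of a zip archive, flags any name containing a Unicode bidirectional control character, and shows the extension the operating system will act on beside the extension a user would see. It uses only the Python standard library; the archive and the file names in it are constructed for the example, and `displayed_name` is a deliberate simplification of the Unicode bidi algorithm (everything after an RLO is reversed until a PDF or the end of the string), which is enough to reproduce the “cod.exe” becomes “exe.doc” effect described above.

```python
"""Flag Right-to-Left Override (RLO) tricks in archive entry names.

Added example, not code from the original post. Standard library only;
the sample archive built by build_sample_zip() is constructed.
"""
import io
import zipfile

# Unicode bidirectional control characters that can reorder or hide text.
# Any of them inside a file name is worth a second look.
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF",
    "\u202d": "LRO", "\u202e": "RLO",
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI", "\u2069": "PDI",
    "\u200e": "LRM", "\u200f": "RLM",
}


def find_bidi_controls(name):
    """Return (index, abbreviation) for every bidi control in the raw name."""
    return [(i, BIDI_CONTROLS[ch]) for i, ch in enumerate(name) if ch in BIDI_CONTROLS]


def true_extension(name):
    """Extension the OS acts on: text after the last '.' in the raw string."""
    plain = "".join(ch for ch in name if ch not in BIDI_CONTROLS)
    return plain.rsplit(".", 1)[1].lower() if "." in plain else ""


def displayed_name(name):
    """Approximate what a renderer shows: after an RLO (U+202E) the text is
    reversed until a PDF (U+202C) or the end of the string. This is a
    simplification of the Unicode bidi algorithm, sufficient to show why
    'cod.exe' is seen as 'exe.doc'."""
    out = []
    i = 0
    while i < len(name):
        ch = name[i]
        if ch == "\u202e":
            j = i + 1
            while j < len(name) and name[j] != "\u202c":
                j += 1
            out.append(name[i + 1:j][::-1])
            i = j + 1
            continue
        if ch not in BIDI_CONTROLS:
            out.append(ch)
        i += 1
    return "".join(out)


def analyze_name(name):
    """Compare the real extension with the one a user would see."""
    controls = find_bidi_controls(name)
    shown = displayed_name(name)
    real_ext = true_extension(name)
    shown_ext = true_extension(shown)
    return {
        "raw": name,
        "controls": controls,
        "displayed": shown,
        "true_ext": real_ext,
        "apparent_ext": shown_ext,
        # Any bidi control, or a mismatch between shown and real extension,
        # is enough to flag the entry before it is extracted.
        "suspicious": bool(controls) or real_ext != shown_ext,
    }


def scan_zip(data):
    """Analyze every entry name in a zip archive given as bytes."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [analyze_name(info.filename) for info in zf.infolist()]


def build_sample_zip():
    """Constructed sample: one benign entry and one RLO-disguised executable."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.doc", b"harmless placeholder")
        # Raw name is 'invoice' + RLO + 'cod.exe'; it renders as 'invoiceexe.doc'.
        zf.writestr("invoice\u202ecod.exe", b"MZ placeholder, not a real binary")
    return buf.getvalue()


if __name__ == "__main__":
    for r in scan_zip(build_sample_zip()):
        flag = "SUSPICIOUS" if r["suspicious"] else "ok"
        print(f"{flag:10} shown={r['displayed']!r} true=.{r['true_ext']} "
              f"apparent=.{r['apparent_ext']} controls={r['controls']}")
```

Running the script prints one line per entry; the disguised one is reported as shown `invoiceexe.doc` with a true extension of `.exe` and an RLO at index 7. The same `analyze_name` check can be applied to the names of attachments or extracted files, since the trick lives entirely in the file name.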