Skip to content

T1036.002 Right-to-Left Override

Adversaries may abuse the right-to-left override (RTLO or RLO) character (U+202E) to disguise a string and/or file name to make it appear benign. RTLO is a non-printing Unicode character that causes the text that follows it to be displayed in reverse. For example, a Windows screensaver executable named March 25 \u202Excod.scr will display as March 25 rcs.docx. A JavaScript file named photo_high_re\u202Egnp.js will be displayed as photo_high_resj.png.1

Adversaries may abuse the RTLO character as a means of tricking a user into executing what they think is a benign file type. A common use of this technique is with Spearphishing Attachment/Malicious File since it can trick both end users and defenders if they are not aware of how their tools display and render the RTLO character. Use of the RTLO character has been seen in many targeted intrusion attempts and criminal activity.23 RTLO can be used in the Windows Registry as well, where regedit.exe displays the reversed characters but the command line tool reg.exe does not by default.

Item Value
ID T1036.002
Sub-techniques T1036.001, T1036.002, T1036.003, T1036.004, T1036.005, T1036.006, T1036.007, T1036.008
Tactics TA0005
Platforms Linux, Windows, macOS
Version 1.1
Created 10 February 2020
Last Modified 14 October 2021

Procedure Examples

ID Name Description
G0098 BlackTech BlackTech has used right-to-left-override to obfuscate the filenames of malicious e-mail attachments.8
G0060 BRONZE BUTLER BRONZE BUTLER has used Right-to-Left Override to deceive victims into executing several strains of malware.4
G0137 Ferocious Kitten Ferocious Kitten has used right-to-left override to reverse executables’ names to make them appear to have different file extensions, rather than their real ones.6
G0004 Ke3chang Ke3chang has used the right-to-left override character in spearphishing attachment names to trick targets into executing .scr and .exe files.5
G0029 Scarlet Mimic Scarlet Mimic has used the left-to-right override character in self-extracting RAR archive spearphishing attachment file names.7

Detection

ID Data Source Data Component
DS0022 File File Metadata

References