Potential File Extension Spoofing Using Right-to-Left Override

    Date: 11/19/2024

    Severity: Medium

    Summary

    "Potential File Extension Spoofing Using Right-to-Left Override" refers to a technique in which attackers embed the Unicode Right-to-Left Override (RTLO, U+202E) character in a file name to manipulate how the file extension is displayed. The RTLO character causes the text that follows it to be rendered in reverse order, so the real extension (which the operating system still uses to decide how the file is opened) can be hidden behind a harmless-looking one. For example, a file with a ".exe" extension can be made to appear as a ".jpg" image by placing the RTLO character before the extension, tricking users into opening a potentially dangerous file. This method can be used to bypass security checks that rely on the displayed name and to deceive users into executing malicious software.

    Indicators of Compromise (IOC) List 

    Filename (substrings as stored on disk; because the RTLO character reverses the display of the characters after it, a stored 'xcod.' renders as '.docx' and 'xslx.' as '.xlsx')

    '\u202e'

    'fpd..'

    'nls..'

    'vsc..'

    'xcod.'

    'xslx.'

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection:

    Detection Query 1

    resourcename in ("Windows Security") AND eventtype = "4663" AND objectname like "\u202e" AND (objectname like "fpd.." OR objectname like "nls.." OR objectname like "vsc.." OR objectname like "xcod." OR objectname like "xslx.")

    Detection Query 2

    technologygroup = "EDR" AND objectname like "\u202e" AND (objectname like "fpd.." OR objectname like "nls.." OR objectname like "vsc.." OR objectname like "xcod." OR objectname like "xslx.")

    Reference: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/file/file_event/file_event_win_susp_right_to_left_override_extension_spoofing.yml
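    The following Python script is an added illustration, not Gurucul's code or the Sigma rule itself. It shows (a) roughly how a name containing U+202E is rendered versus how it is stored, (b) the same two-part test the queries above express (RTLO present AND one of the IOC substrings present) applied to constructed file names and constructed 4663-style event records, and (c) a defensive sanitizer that strips Unicode bidirectional control characters from a name before it is displayed or logged. The sample names and event records are constructed for the example; the display function is a deliberate approximation of bidi layout, not a full UAX #9 implementation.

```python
import unicodedata

RTLO = "\u202e"
# Reversed-extension substrings taken from the advisory's IOC list (as stored on disk).
SPOOF_SUBSTRINGS = ("fpd..", "nls..", "vsc..", "xcod.", "xslx.")

# Unicode bidi format controls: LRE/RLE/PDF/LRO/RLO and the isolate controls LRI/RLI/FSI/PDI.
BIDI_CONTROLS = {chr(c) for c in range(0x202A, 0x202F)} | {chr(c) for c in range(0x2066, 0x206A)}


def approximate_display(name: str) -> str:
    """Approximate how a viewer renders a name containing U+202E: the characters
    after the override are shown right-to-left. Real bidi layout (UAX #9) is more
    involved; this only illustrates why the stored and displayed names differ."""
    if RTLO not in name:
        return name
    head, _, tail = name.partition(RTLO)
    return head + tail[::-1]


def is_suspicious(name: str) -> bool:
    """Same logic as the advisory's queries: RTLO present AND an IOC substring present."""
    return RTLO in name and any(s in name for s in SPOOF_SUBSTRINGS)


def scan_filenames(names):
    """Return the names that match the spoofing pattern."""
    return [n for n in names if is_suspicious(n)]


def match_query_1(event: dict) -> bool:
    """Python equivalent of Detection Query 1: a Windows Security event 4663 whose
    objectname carries the RTLO character and one of the IOC substrings.
    The event dict keys (resourcename, eventtype, objectname) mirror the query's field names."""
    return (
        event.get("resourcename") == "Windows Security"
        and str(event.get("eventtype")) == "4663"
        and is_suspicious(event.get("objectname", ""))
    )


def strip_bidi_controls(name: str) -> str:
    """Mitigation for display/logging paths: remove bidi format characters so the
    name a user sees matches the order of characters actually stored."""
    return "".join(ch for ch in name if ch not in BIDI_CONTROLS and unicodedata.category(ch) != "Cf" or ch in "\u200d")


# Constructed sample file names (not real IOCs).
SAMPLE_NAMES = [
    "quarterly_report\u202excod.exe",  # displays as quarterly_reportexe.docx
    "holiday_photo.jpg",                # benign
    "notes\u202etxt.scr",               # RTLO present but no listed substring
    "budget\u202exslx.scr",             # displays as budgetrcs.xlsx
]

# Constructed sample events in the shape Detection Query 1 expects.
SAMPLE_EVENTS = [
    {"resourcename": "Windows Security", "eventtype": "4663", "objectname": SAMPLE_NAMES[0]},
    {"resourcename": "Windows Security", "eventtype": "4663", "objectname": SAMPLE_NAMES[1]},
    {"resourcename": "Windows Security", "eventtype": "4656", "objectname": SAMPLE_NAMES[3]},
]


def matching_events(events):
    """Return the events Detection Query 1 would select."""
    return [e for e in events if match_query_1(e)]


if __name__ == "__main__":
    for n in SAMPLE_NAMES:
        print(f"stored={n!r:40} displayed={approximate_display(n)!r:30} suspicious={is_suspicious(n)}")
    print("query 1 hits:", [e["objectname"] for e in matching_events(SAMPLE_EVENTS)])
    print("sanitized:", strip_bidi_controls(SAMPLE_NAMES[0]))
```

Note that the third sample event is deliberately a 4656 (handle requested) rather than a 4663 (object accessed) event, so it is not selected even though its objectname matches; auditing of object access must be enabled for 4663 events to exist at all.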


    Tags

    Malware, File spoofing
