How a Fake Text File Can Load Malware on Your System

Posted by Trevagh Stankard on Tue, Jun 22nd, 2021

File attachments in email pose a large threat against computer systems, and attackers continually find new ways to trick even the most alert users into running malicious attachments. Antivirus software can detect some malicious executables, but not all. In the latest email threats, attackers have turned to using Notepad icons with right-to-left-override (RTLO) technology to trick users into opening malicious attachments.

What is Right-to-Left Override (RTLO)?

Not every language is read from left to right. In Arabic and Hebrew, words and characters are read from right to left. The Unicode character [U+202E] tells the Windows operating system to display the characters that follow it in right-to-left order.

Take, for example, the following:


Windows will flip these characters to:


This instruction is useful where users of an English-language system must view Arabic or Hebrew content and the characters must be displayed from right to left. While this Unicode command has a useful purpose, it can also be used to trick email clients, Windows, and users into opening malicious files.

Phishing and RTLO Executable Malware

Most users know that text files with the .txt extension are harmless. When email clients and Windows load a file with the .txt extension, they display the popular Notepad icon, which indicates that the file should be harmless text.

One of the latest threats uses RTLO and the Unicode character U+202E to make a seemingly harmless text file into a sophisticated attack. Since most email clients will show the Notepad icon as the thumbnail, users think nothing of the file attachment even if they are aware of the dangers of opening executables.

In this attack, the Unicode file name could look like the following:


Notice that the file extension is .txt, but the Unicode character [U+202E] is located right before the characters exe. When the user clicks this file to open it, Windows will read the file as:


In this example, the executable file will now run on the user’s computer without their knowledge. In many current RTLO attacks, the malicious file is a PowerShell script. PowerShell will allow attackers to download external files, compile custom code, or change settings on the computer. Running these files from a threat actor could be worse than executing macros in a Microsoft Office document.

Protecting Email Recipients from RTLO Attacks

Even cybersecurity experts could be tricked into falling for this attack unless they first examine the attachment file’s name. Most users do not examine a file name and rely on the icon shown in the email client. They also look at the file extension and aren’t aware of RTLO attacks and Unicode characters, so attackers have a better chance of tricking recipients than with standard Office files.

In basic phishing campaigns, the email attachment file is typically an executable or Microsoft Office document. In this attack, the perceivable file extension is a harmless txt but it’s really a malicious exe. As soon as the user opens the file, the executable does its damage. It could be anything from running ransomware on the system to installing a keylogger so that your site credentials can be sent to the threat actor.

Because this attack is such a threat to user data privacy and business continuity, email filters should be used to block these messages from reaching the recipient’s inbox. These attacks are sophisticated, and most users are unaware of RTLO, so protecting users instead of relying on them to notice malicious attachments is a preferred defense.
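
One way a mail filter could implement the check described above, as an added example that is not code from the original post or from any product it mentions: it reads each attachment's stored file name, flags bidirectional control characters such as U+202E, and compares the extension a user would see with the real one. The function names, the extension list and the sample message are assumptions constructed for illustration, and `approximate_display` only models a single unterminated U+202E.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage
from pathlib import PurePosixPath

# Unicode bidirectional controls that can change the order a name is drawn in.
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF", "\u202d": "LRO",
    "\u202e": "RLO", "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI",
    "\u2069": "PDI", "\u200e": "LRM", "\u200f": "RLM",
}
# Assumed policy list: extensions this filter treats as executable content.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".bat", ".cmd", ".ps1", ".js", ".vbs"}

def approximate_display(name):
    """Rough rendering of one unterminated RLO: the text after it is drawn reversed."""
    head, sep, tail = name.partition("\u202e")
    return head + tail[::-1] if sep else name

def inspect_filename(name):
    """Judge the stored (logical) name, which is what Windows acts on."""
    found = sorted({BIDI_CONTROLS[c] for c in name if c in BIDI_CONTROLS})
    logical = "".join(c for c in name if c not in BIDI_CONTROLS)
    real_ext = PurePosixPath(logical).suffix.lower()
    return {
        "bidi_controls": found,
        "shown_extension": PurePosixPath(approximate_display(name)).suffix.lower(),
        "real_extension": real_ext,
        "quarantine": bool(found) or real_ext in EXECUTABLE_EXTS,
    }

def scan_message(raw_bytes):
    """Return a verdict for every attachment filename in a raw message."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    return [inspect_filename(part.get_filename() or "")
            for part in msg.iter_attachments()]

def build_sample():
    """Constructed test message; both payloads are harmless placeholder bytes."""
    msg = EmailMessage()
    msg.set_content("See attached.")
    msg.add_attachment(b"placeholder", maintype="application",
                       subtype="octet-stream", filename="notes\u202etxt.exe")
    msg.add_attachment(b"placeholder", maintype="application",
                       subtype="octet-stream", filename="agenda.txt")
    return msg.as_bytes()

if __name__ == "__main__":
    for verdict in scan_message(build_sample()):
        print(verdict)
```

Quarantining on any bidirectional control in an attachment name is deliberately strict; organizations that exchange Arabic or Hebrew file names may prefer to flag only names where the shown and real extensions differ.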

A good email security solution will use artificial intelligence to detect malicious files and quarantine them before they reach the intended recipient’s inbox. With this type of email security solution, you no longer rely on users to detect malicious attachments; instead, the message is moved to quarantine until an administrator can review it. The administrator can then forward the message to the intended recipient if it’s a false positive or review it further if the administrator determines that it’s a malicious attack.

Users should still be taught to detect malicious messages and know the consequences of running a malicious attachment. Knowing the red flags of a phishing attack and malicious attachments helps reduce the chance of becoming a victim, but businesses should still add a cybersecurity layer of protection between the attacker and the email recipient. Email filters will block these malicious messages from ever reaching the intended person, which will eliminate human error and protect the business from becoming the next victim of a data breach.
