Cyber Threat Actors Leveraging Right-to-Left Override (RTLO) in Recent Attacks

TLP WHITE:

Threat Bulletins, Aug 09, 2021, 12:57 PM

TTPs: Cyber security researchers are aware of malicious actors leveraging masquerade and obfuscation techniques to deliver harmful files via email to healthcare organizations. The threat actors are using the Right-to-Left Override (RTLO) character, a legitimate Unicode feature, to email malicious files to potential victims and make them appear benign, in an attempt to deliver attacks that leverage the Cobalt Strike toolkit.

Health-ISAC has collected Indicators of Compromise (IOCs), which are included in this bulletin for additional review, research and network defense purposes.

Pdf version:

Download

 

Text version:

Cyber security researchers report that threat actors attempt to deliver malicious files to potential victims using masquerade and obfuscation techniques, either independently or in tandem, to make htm and htm/eml files appear as mp3, wav, or pdf attachments. Threat actors also attempt to deliver malicious htm files masqueraded as pdf files. The htm file contains obfuscated JavaScript, which includes a base64-encoded string for a URL that may NOT be blocked by commercial email filtering and security products.

At this time we are not aware of any successful compromises.

The right-to-left override (RTLO) character is a special character within Unicode, an encoding system that allows computers to exchange information regardless of the language used. Unicode covers all the characters for all writing systems of the world, modern and ancient. It also includes technical symbols, punctuation marks, and many other characters used in writing text. For example, a blank space between two letters, numbers or symbols is expressed in Unicode as “U+0020”.

The RTLO character (U+202E in Unicode) is designed to support languages that are written right to left, such as Arabic and Hebrew. The problem is that this override character can also be used to make a malicious file look innocuous.

 
Mitigation:
  • This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

Detection:
  • Detection methods should include looking for common formats of RTLO characters within filenames such as \u202E, [U+202E], and %E2%80%AE. Defenders should also check their analysis tools to ensure they do not interpret the RTLO character and instead print the true name of the file containing it.
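
The detection check described above, as an added example that is not part of the Health-ISAC bulletin: a Python function (the name `inspect_filename` is hypothetical) that finds U+202E in raw or encoded form in an attachment name, reports the true extension, and prints the name with the control character made visible instead of interpreted. The sample filenames are constructed.

```python
import re
from typing import Optional

RTLO = "\u202e"  # RIGHT-TO-LEFT OVERRIDE
# Textual encodings of U+202E that show up in logs, headers and URLs:
# escaped (\u202E), bracketed ([U+202E]) and percent-encoded UTF-8 (%E2%80%AE).
ENCODED_RTLO = re.compile(r"\\u202e|\[U\+202E\]|%E2%80%AE", re.IGNORECASE)


def inspect_filename(name: str) -> Optional[dict]:
    """Return a finding if `name` carries U+202E (raw or encoded), else None."""
    normalized = ENCODED_RTLO.sub(RTLO, name)
    if RTLO not in normalized:
        return None
    # The real extension is whatever follows the last dot in the stored name.
    ext = normalized.rsplit(".", 1)[-1] if "." in normalized else ""
    # Approximate what a bidi-aware UI shows: text after the first RTLO is
    # drawn right to left (simplification: ignores nested/terminating controls).
    head, _, tail = normalized.partition(RTLO)
    return {
        "safe_repr": normalized.replace(RTLO, "<U+202E>"),
        "true_extension": ext.replace(RTLO, "").lower(),
        "displayed_as": head + tail.replace(RTLO, "")[::-1],
        "encoded_in_input": RTLO not in name,
    }


if __name__ == "__main__":
    # Constructed attachment names modelled on the masquerade the bulletin describes.
    samples = [
        "invoice\u202efdp.htm",
        "voicemail%E2%80%AEvaw.htm",
        r"scan\u202E3pm.htm",
        "msg[U+202E]fdp.htm",
        "report.pdf",
    ]
    for s in samples:
        finding = inspect_filename(s)
        print(ascii(s), "->", finding if finding else "clean")
```

A mismatch between `true_extension` and the extension visible in `displayed_as` is the signal to alert on; `ascii()` keeps the terminal from rendering the override while the results are reviewed.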

See full bulletin information in the pdf above.
