Right-To-Left Override is a way to trick Windows users into thinking that the file they are looking at has a different extension.
Some extensions are more dangerous than others. To name a few:
- .exe
- .bat
- .cmd
- .com
- .lnk
- .pif
- .scr
- .vb
- .vbe
- .vbs
- .wsh
The trick is to use a special character called the Right-To-Left Override (U+202E).
Everything that follows it in the name is displayed in back-to-front order.
For example, we can make normal_.exe display as normal_exe.pdf:
- Open the Windows Character Map (charmap.exe) and look for character U+202E. Copy it to the clipboard.

- Select a file
- Right-click and choose Rename
- Place the cursor just before the dot
- Paste the special character
- Type in the three letters f d p
- et voilà

The OS still knows it's an application (you can see this on the right), but it looks like a pdf extension to me.
Change the icon of the file, et voilà:

Now if the user clicks on the file, as it is an exe file, it will be executed.
LATEST NEWS!
If Windows Defender sees this character in the filename of an application or some other specific types, it will flag it as Trojan:Win32/Artoelo.B !!!
Today the cat has won 😉 but other AVs are still not flagging this.
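For defenders who want the same check independent of the AV product, here is an added example (not part of the original post): a Python scanner that flags filenames containing U+202E or other bidirectional control characters and reports the extension Windows will actually act on. The function names and the wider set of control characters are assumptions made for this example.

```python
import os
import sys

# U+202E is the character used in this post. The other bidirectional
# controls are included on the assumption they are equally unwanted in names.
BIDI_CONTROLS = set("\u202a\u202b\u202c\u202d\u202e\u2066\u2067\u2068\u2069\u200e\u200f")

# Extensions listed in the post as dangerous.
RISKY_EXTENSIONS = {".exe", ".bat", ".cmd", ".com", ".lnk", ".pif",
                    ".scr", ".vb", ".vbe", ".vbs", ".wsh"}


def inspect_filename(name):
    """Return a finding dict if `name` contains a bidi control, else None."""
    found = sorted({f"U+{ord(c):04X}" for c in name if c in BIDI_CONTROLS})
    if not found:
        return None
    # The real extension is whatever follows the last dot in the stored
    # string, no matter how the name is rendered on screen.
    real_ext = os.path.splitext(name)[1].lower()
    return {
        "name_escaped": name.encode("unicode_escape").decode("ascii"),
        "controls": found,
        "real_extension": real_ext,
        "risky": real_ext in RISKY_EXTENSIONS,
    }


def scan_tree(root):
    """Walk `root` and return a finding for every file with a bidi control."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            hit = inspect_filename(fname)
            if hit:
                # Use the escaped name so the report itself is not reordered.
                hit["path"] = os.path.join(dirpath, hit["name_escaped"])
                findings.append(hit)
    return findings


if __name__ == "__main__":
    for finding in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(finding)
```

Run it against a downloads folder, mail attachment store or file share; a finding with `risky` set to true is the case described in this post.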