Select Page

Cyren Security Blog

“exe” read backwards spells “malware”

RIGHT TO LEFT OVERRIDE (RLO) is a unicode control character (U+202E) that reverses the character reading order from the traditional left-to-right, to right-to-left. This is mainly used for right-to-left languages (such as Arabic or Hebrew). We reported this trick last year but it has resurfaced extensively in the past week to trick users into opening malware executables. Malware uses RLO to reverse the direction of text in a filename. This can make an “exe” file appear to be a harmless “doc” file.

These new variants of the Bredolab virus are distributed via emails that have a subject line similar to “inter-company invoice”. A sample:

The attached zip file contains an executable which has a filename that appears to be:

“CORP_INVOICE_08.14.2011_Pr.phylexe.doc”

Seems harmless enough right? You can see how the filename is displayed in Winzip and in Windows Explorer below.

The RLO control character is not displayed. It is placed just before the part of the filename “exe.doc”. Therefore the actual filename is:

“CORP_INVOICE_08.14.2011_Pr.phylcod.exe”

This will definitely mislead recipients who will then execute the malicious file.

Command antivirus detects this malware as W32/Bredolab.IF. Keeping your antivirus definitions up to date and avoiding suspicious attachments, even if they are from someone you trust, will protect you from malware such as this.

You might also like

Square Enix Phishing Campaign

From July 20 until August 16, 2021, Cyren observed a significant increase in the number of Square Enix phishing URLs. The campaign coincided with 14 days of free play announced by Square Enix on July 12, 2021. During this period, we detected a total of 47,076 URLs for...