Select Page

Cyren Security Blog

The Cyren Security Blog is where Cyren engineers and thought leaders provide insights, research and analysis on a range of current cybersecurity topics.

“exe” read backwards spells “malware”

RIGHT TO LEFT OVERRIDE (RLO) is a unicode control character (U+202E) that reverses the character reading order from the traditional left-to-right, to right-to-left. This is mainly used for right-to-left languages (such as Arabic or Hebrew). We reported this trick last year but it has resurfaced extensively in the past week to trick users into opening malware executables. Malware uses RLO to reverse the direction of text in a filename. This can make an “exe” file appear to be a harmless “doc” file.

These new variants of the Bredolab virus are distributed via emails that have a subject line similar to “inter-company invoice”. A sample:

The attached zip file contains an executable which has a filename that appears to be:

“CORP_INVOICE_08.14.2011_Pr.phylexe.doc”

Seems harmless enough right? You can see how the filename is displayed in Winzip and in Windows Explorer below.

The RLO control character is not displayed. It is placed just before the part of the filename “exe.doc”. Therefore the actual filename is:

“CORP_INVOICE_08.14.2011_Pr.phylcod.exe”

This will definitely mislead recipients who will then execute the malicious file.

Command antivirus detects this malware as W32/Bredolab.IF. Keeping your antivirus definitions up to date and avoiding suspicious attachments, even if they are from someone you trust, will protect you from malware such as this.

You might also like

Protect Office 365 Email from Ransomware

Ransomware is continually evolving. It has become the “most prominent malware threat”, with experts estimating that ransomware attacks in 2021 resulted in total damage costs of $20 billion. While there is no ransomware that specifically targets Office 365 data, it can...