Using unicode to trick users to install malware


Our partner Openfind Information Technology, Inc., providing message communication, security and assurance solutions and based in Taiwan, have detected increased use of a new technique used to trick users into opening malware executables.  The files are distributed via email (compressed).  The emails includes standard “you have received an important document which is attached” text.

When the archive is opened, the filename appears to be of the promised .doc or .xls type.  However, the filename includes a unicode string that effectively hides the .exe or .scr file type.

These are examples of the types of filenames used:

  • Costing Cap[U+202E]slx.exe
  • Calenda[U+202E]cod.scr

Note the Unicode control characters in brackets: [U+202E]. This code has the function of a “Right to Left Override” (RLO).  Any text to the right of this code will be reversed.  Thus the final few letters of the examples above appear as:

  • exe.xls (appears to be an MS-Excel file)
  • rcs.doc (appears to be an MS-Word file)

Since the control code is not actually displayed when the filename is shown in the operating system, the filenames would appear to be:

  • Costing Capexe.xls
  • Calendarcs.doc (see example below)
Our Command AV lab confirms that the file shown above will actually open an embedded MS-Word document – but will also start the malware installation process in parallel.
For more information about Openfind visit:

Go back