Decoding RTLO in Hacking: How to Detect and Defend Against Right-to-Left Override

Chenny Ren
3 min read · Oct 26, 2023

Introduction

In the world of cybersecurity, understanding and staying ahead of potential threats is paramount. One lesser-known technique used by hackers is the Right-to-Left Override (RTLO). RTLO is a character encoding trick that can be employed to disguise malicious code or trick users into clicking on harmful links. In this article, we’ll explore what RTLO is, how it can be used for both malicious and legitimate purposes, and how to defend against it.

What is RTLO?

RTLO stands for Right-to-Left Override. It is a Unicode character that can be used to change the text direction in a document or string from left-to-right (LTR) to right-to-left (RTL). This is a common feature in languages like Arabic, Hebrew, and Persian, where the script is written from right to left. RTLO is often used for legitimate purposes, such as ensuring proper text rendering in bi-directional languages.

However, hackers have found a way to abuse this feature for malicious intent. They can use the RTLO character to manipulate the order of characters within a string, making it appear differently to the user. This manipulation can be used to obfuscate malicious code, hide malicious links, or create convincing phishing attacks.

How Hackers Use RTLO

Hackers can use RTLO in various ways to deceive users and evade security measures. Here are some common tactics:

  1. Obfuscating Malicious URLs: By inserting RTLO characters within a URL, hackers can make a malicious link appear as a harmless one. For example, “example.com” could be transformed into “moc.elpmaxe”.
  2. Hiding Malicious Code: RTLO can be used to hide malicious JavaScript or other code within seemingly harmless text. This can make it difficult for security scanners to detect the threat.
  3. Phishing Attacks: Phishing emails often contain RTLO characters to deceive recipients. The sender’s email address can be manipulated to appear as a legitimate source.

A Hands-On Tutorial

Now, let’s look at how RTLO can be used and how you can defend against it.

1. Using RTLO:

For educational purposes, we’ll provide an example of how to use RTLO to transform text. In Python, you can use the following code:

# U+202E is the Unicode RIGHT-TO-LEFT OVERRIDE control character
text = "example.com"
rtlo = "\u202e"
# Prefixing the override makes a bidi-aware renderer draw the rest of the string right to left;
# the underlying bytes of "example.com" are unchanged
malicious_text = rtlo + text
print(malicious_text)  # displayed as "moc.elpmaxe"

The “\u202e” character is the RTLO character. This code will make “example.com” appear as “moc.elpmaxe”.

PLEAD’s installers are disguised as documents using the Right-to-Left Override (RTLO) technique to obfuscate the malware’s filename. They are mostly accompanied by decoy documents to further trick users. We’ve also seen PLEAD use exploits for these

2. Defending Against RTLO:

To defend against RTLO attacks, here are some essential steps:

  • Implement URL Filtering: Regularly update your firewall or web filtering software to detect and block malicious URLs, even when they use RTLO tricks.
  • Educate Users: Train your users to recognize suspicious characters and URLs. Encourage them to be cautious and verify the legitimacy of links and emails.
  • Use Unicode Detection Tools: Employ tools and scripts that can detect RTLO characters in text strings. There are various open-source and commercial solutions available.
  • Monitor Incoming Emails: Utilize email filtering systems to detect and flag emails that use RTLO for phishing attacks.
  • Regularly Update Software: Keep all your software, including your operating system, web browser, and email client, up to date. Developers often patch vulnerabilities that hackers may use.
  • Penetration Testing: Conduct penetration tests on your systems to identify and mitigate potential security risks, including RTLO attacks.
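The "Use Unicode Detection Tools" step above, together with the earlier tutorial snippet, is worth seeing as working detection code. The following is an added example written for this article (not the author's code and not any vendor's product): it flags every Unicode bidirectional control character in a string, approximates what a user would see after an RTLO, and reports the mismatch between the displayed and the real file extension, which is the signal a mail gateway or endpoint scanner would alert on. The file names and mail subject used as input are constructed for illustration.

```python
"""Detect Unicode bidirectional-override characters (RTLO and its relatives)
and show how a naive renderer would display a string that contains them.

Added example for this article; not the author's code. Sample inputs are constructed.
"""
import unicodedata

# Bidi classes of the Unicode directional control characters. U+202E (RLO) is
# the one abused most often, but attackers can combine it with the others, so
# a detector should flag the whole family rather than a single code point.
BIDI_CONTROL_CLASSES = {"LRE", "RLE", "PDF", "LRO", "RLO", "LRI", "RLI", "FSI", "PDI"}


def find_bidi_controls(text):
    """Return (index, 'U+XXXX', unicode name) for every bidi control in text."""
    hits = []
    for i, ch in enumerate(text):
        if unicodedata.bidirectional(ch) in BIDI_CONTROL_CLASSES:
            hits.append((i, f"U+{ord(ch):04X}", unicodedata.name(ch)))
    return hits


def as_displayed(text):
    """Approximate what a user sees: text after the first RTLO is drawn reversed.

    This is a deliberate simplification of the Unicode bidi algorithm (it ignores
    nesting and the behaviour of punctuation), but it is enough to reproduce the
    classic file-name trick and the article's "example.com" demonstration.
    """
    idx = text.find("\u202e")
    if idx == -1:
        return text
    head, tail = text[:idx], text[idx + 1:]
    # Control characters themselves are invisible, so drop them before reversing.
    tail = "".join(ch for ch in tail
                   if unicodedata.bidirectional(ch) not in BIDI_CONTROL_CLASSES)
    return head + tail[::-1]


def _extension(name):
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def analyze_filename(name):
    """Report why a file name is (or is not) suspicious.

    Two independent signals are combined: the presence of any bidi control
    (legitimate RTL-language names do not need overrides) and a mismatch between
    the extension the user sees and the extension the OS will act on.
    """
    controls = find_bidi_controls(name)
    shown = as_displayed(name)
    actual_ext, shown_ext = _extension(name), _extension(shown)
    return {
        "controls": controls,
        "displayed": shown,
        "actual_extension": actual_ext,
        "displayed_extension": shown_ext,
        "suspicious": bool(controls) or actual_ext != shown_ext,
    }


def scan_lines(lines):
    """Scan a batch of strings (mail subjects, attachment names, log fields)
    and return only the ones that carry bidi controls, with their positions."""
    return [(line, find_bidi_controls(line)) for line in lines
            if find_bidi_controls(line)]


if __name__ == "__main__":
    # Constructed samples: one benign name, one RTLO-disguised executable,
    # and the article's own "example.com" demonstration.
    samples = ["report.pdf", "invoice\u202efdp.exe", "\u202eexample.com"]
    for s in samples:
        r = analyze_filename(s)
        print(f"{s!r:28} shown as {r['displayed']!r:20} "
              f"real ext={r['actual_extension']!r} shown ext={r['displayed_extension']!r} "
              f"suspicious={r['suspicious']}")
    for line, hits in scan_lines(["Subject: Q3 results", "Subject: photo\u202egnp.scr"]):
        print("ALERT:", repr(line), hits)
```

The decisive check is the extension mismatch, not the reversed display itself: a gateway that simply strips or rejects attachments whose name contains any character in `BIDI_CONTROL_CLASSES`, and logs the `analyze_filename` report, covers the file-name disguise described above without needing to render anything.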

Conclusion

Understanding Right-to-Left Override (RTLO) is crucial for both cybersecurity professionals and the general public. It is a tool that, while often used for legitimate purposes, can be manipulated for malicious intent. By learning how hackers use RTLO and implementing defensive measures, we can work to protect ourselves and our organizations from these deceptive tactics. Stay vigilant, stay informed, and stay safe in the digital world.


Chenny Ren

OSCP | OSWP | OSEP | CRTP |CRTE | CRTO | Red Team Professional | SOC engineer