Tuesday, 11 August 2015

Espionage Group Uses RTLO Trick in Windows

A group of cyber spies that made the news last year for infecting hotel guests with malware through the hotel's WiFi network is now using other methods to attack its targets, including the RTLO trick in Windows and a vulnerability that was discovered by the Italian company Hacking Team.

According to the Russian anti-virus firm Kaspersky Lab, the group has been active since 2007 and has carried out several attacks this year, among others in Germany, Mozambique, Bangladesh, Thailand, Russia and North Korea. To compromise its targets the group uses physical access as well as a flaw in Adobe Flash Player that was known to Hacking Team. Kaspersky found that several e-mails were sent containing links to a page on which the Flash Player vulnerability was exploited.


The group also sent e-mails with RAR attachments that try to mislead the recipient by means of the RTLO trick in Windows. These RAR archives contain an executable .scr file that, thanks to RTLO, looks like a JPG image. RTLO stands for Right-to-Left Override: a special Unicode character (U+202E) that causes the characters following it in a file name to be displayed in reverse order, while the name itself, and therefore the extension Windows acts on, is unchanged. The file name SexyPictureGirlAl[rtlo]gpj.exe thus appears in Windows as SexyPictureGirlAlexe.jpg even though the file is still an .exe; the same trick works with a .scr file.

In this case the .scr file looked like a JPG image. As soon as the recipient opened the file a real image was shown, while a backdoor was installed in the background. The backdoors used were signed with valid but stolen certificates, which may help them bypass certain security mechanisms of the operating system and of anti-virus software. Windows users who want to protect themselves against RTLO can switch Explorer to the Details view: the Type column then shows that the supposed JPG image is actually an application (a .scr file is listed as a screen saver, which is executable).
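To make the mechanism of the two paragraphs above concrete, here is an added Python example; it is not code from the original post, from Kaspersky or from the attackers. It renders a file name the way Explorer shows it after a U+202E character, recovers the extension Windows actually uses (which is what the Details view reveals), and flags executables whose displayed extension differs from the real one, the check a mail gateway or archive scanner would apply before the attachment ever reaches a user. The names in SAMPLE_ATTACHMENTS, the EXECUTABLE_EXTENSIONS list and the simplified bidi rendering are assumptions made for this example.

```python
import os
import re

# Unicode bidirectional control characters. U+202E (RLO) is the one the
# attachments described above abuse; the related controls are checked too,
# since they can be combined to produce the same visual effect.
RLO = "\u202e"   # RIGHT-TO-LEFT OVERRIDE
PDF = "\u202c"   # POP DIRECTIONAL FORMATTING: ends an override run
BIDI_CONTROLS = re.compile("[\u202a-\u202e\u2066-\u2069]")

# Extensions Windows executes when the file is opened. Illustrative subset
# chosen for this example (assumption), extend it to your environment.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                         ".js", ".vbs", ".hta", ".lnk"}


def displayed_name(name: str) -> str:
    """Approximate how the name is rendered on screen: characters after U+202E
    are drawn right-to-left (i.e. reversed) until U+202C or the end of the
    name. This is a simplification of the Unicode bidi algorithm, sufficient
    for names made of Latin letters, digits and dots like the article's."""
    out = []
    i = 0
    while i < len(name):
        if name[i] == RLO:
            end = name.find(PDF, i + 1)
            if end == -1:
                end = len(name)
            out.append(name[i + 1:end][::-1])
            i = end + 1            # also skips the PDF character, if present
        else:
            out.append(name[i])
            i += 1
    return "".join(out)


def true_extension(name: str) -> str:
    """The extension Windows actually associates with the file: the controls
    are not part of the extension, so strip them and take what follows the
    last dot in storage order, not display order."""
    return os.path.splitext(BIDI_CONTROLS.sub("", name))[1].lower()


def analyze(name: str) -> dict:
    """Compare what the user sees with what Windows will execute."""
    shown = displayed_name(name)
    real = true_extension(name)
    apparent = os.path.splitext(shown)[1].lower()
    return {
        "raw": name,
        "shown_as": shown,
        "has_bidi_control": bool(BIDI_CONTROLS.search(name)),
        "real_extension": real,
        "apparent_extension": apparent,
        "disguised_executable": real in EXECUTABLE_EXTENSIONS and apparent != real,
    }


def flag_attachments(names):
    """From an archive listing or mail attachment list, return the names that
    should be blocked: executables whose displayed extension is a lie."""
    return [n for n in names if analyze(n)["disguised_executable"]]


# Constructed sample listing (not taken from a real archive): the article's
# example name, a .scr variant like those in the RAR attachments, a name that
# carries U+202E but is not executable, and two ordinary files.
SAMPLE_ATTACHMENTS = [
    "SexyPictureGirlAl\u202egpj.exe",
    "holiday_photo\u202egpj.scr",
    "notes\u202efdp.txt",
    "report.pdf",
    "beach.jpg",
]

if __name__ == "__main__":
    for n in SAMPLE_ATTACHMENTS:
        info = analyze(n)
        verdict = "BLOCK" if info["disguised_executable"] else "ok"
        print(f"{info['shown_as']!r:32} real={info['real_extension']:5} {verdict}")
```

The scanner deliberately keys on the real extension rather than on the mere presence of U+202E: names in right-to-left scripts legitimately contain bidi controls, so blocking every such attachment would produce false positives, while an executable whose visible extension differs from its real one is always worth stopping.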
