Trojan Source Filenames!!??

  • Release Candidate 6
    Guest:
    We are at a “proposed final” true release candidate with nothing known remaining to be changed or fixed. For the full story, please see this page in the "Pre-Release Announcements & Feedback" forum.
    /Steve.
  • Be sure to checkout “Tips & Tricks”
    Dear Guest Visitor → Once you register and log-in:

    This forum does not automatically send notices of new content. So if, for example, you would like to be notified by mail when Steve posts an update to his blog (or of any other specific activity anywhere else), you need to tell the system what to “Watch” for you. Please checkout the “Tips & Tricks” page for details about that... and other tips!

    /Steve.

airchie

Member
Nov 9, 2020
14
13
Evening all,

I'm in the middle of working night-shift in the SOC of my employer.
Whilst analysing a phishing ticket, I came across something I'd never seen before.
There was a file attached to the phishing email that appeared to have a .paid filename extension.
It seemed curious that it was associated with Firefox since I'd never seen that type of file.

Turns out, it appears to be using bidi characters in the filename so the .htm filename extension appears as mth in the middle of the filename like shown below.
Where the space is there appears to be bidi characters reversing the direction of the next part.
Users.name5703 ‮‮‮diap.htm

Very sneaky, and I'm not sure how to see the bidi characters?

I'll attach the file (I stripped the contents so there's nothing but text inside now).
Previously it was a very convincing self-contained and heavily obfuscated phishing page emulating an SSO login prompt.
I've also renamed it to txt instead of htm to allow upload.

Has anyone else ever seen this?

<edit> I just had a play and managed to create a nice example of how this could be used to trick people who weren't paying attention.
Makes an exe file look like a text file.

Steve, if you want to bring this to the attention of SN listeners, I'd love a shout-out.
Craig Stewart from Scotland. ;)
 

Attachments

  • Users.name5703 ‮‮‮diap.txt
    25 bytes · Views: 176
  • HidingAnExeInPlainSight.png
    HidingAnExeInPlainSight.png
    3.1 KB · Views: 155
Last edited:
Steve covered it last November: https://www.grc.com/sn/sn-843-notes.pdf
Skip to the last section labeled “Trojan Source”
I'm aware of that, that's why I titled this thread with "Trojan Source" in the name.
However, Steve discussed the use of BiDi tags in terms of sourcecode and the ability to hide malicious code in plain sight by using them.
I don't think it was mentioned that it was possible to use these tags in filenames?

Perhaps he did, or maybe he's aware its possible, but I was very surprised when I saw it first hand!

@Steve , were you aware of this?
 
  • Like
Reactions: Barry Wallis
Maybe enter a bug in Bugzilla?
Hi, Scott.

This isn't a bug.
Much like the trojan source issue @Steve discussed in the podcast, this appears to be a feature that caters for right-to-left languages like Arabic and Hebrew.
Much like source code can use BiDi characters, filenames in Windows Explorer can too.

If you look at the example from my original post, I made an exe file look like a txt file (though windows still knows it's an application, users may be fooled).