Bidirectional Characters

ID

bidirectional_chars

Severity

low

Resource

System

Tags

backdoor, trojan

Description

This detector looks for bidirectional characters in source code that could indicate source obfuscation or a supply chain attack.

Rationale

Using Unicode bidirectional characters has been proven to be potentially dangerous in many ways.

When they are deliberately used in source code, they increase code complexity, since they may be hidden by the IDE under certain configurations.

However, the real problem comes when their usage is introduced to create a potential backdoor that under certain circumstances could be used to achieve arbitrary code execution.

In source code, bidirectional Unicode characters can be used to swap segments of text in a file. This can cause code to appear one way and be interpreted or compiled another way. See this Common Vulnerabilities and Exposures (CVE) publication: CVE-2021-42574.

Unicode is aware of this problem and is forming a task force to investigate issues with source code spoofing.

Also, adversaries may abuse the RTLO character as a means of tricking a user into executing what they think is a benign file type. For example, a JavaScript file named photo_high_re\u202Egnp.js will be displayed as photo_high_resj.png.
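As an added example that is not part of this detector's own implementation, the following Python scans source text for the bidi control characters described above, reports their position, and shows how the RTLO file name from this page is rendered. The sample source lines are constructed for the example.

```python
# Unicode bidirectional controls that have no place in source code:
# embeddings/overrides (U+202A..U+202E), isolates (U+2066..U+2069)
# and the invisible marks (U+200E, U+200F).
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF", "\u202d": "LRO",
    "\u202e": "RLO", "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI",
    "\u2069": "PDI", "\u200e": "LRM", "\u200f": "RLM",
}


def find_bidi_chars(source: str):
    """Return (line, column, name) for every bidi control in `source`.

    Lines and columns are 1-based so they can be reported like a linter.
    """
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            if ch in BIDI_CONTROLS:
                findings.append((lineno, col, BIDI_CONTROLS[ch]))
    return findings


def rendered_filename(name: str) -> str:
    """Approximate how a display that honours RLO (U+202E) shows `name`:
    everything after the override is rendered right-to-left (reversed)."""
    if "\u202e" not in name:
        return name
    head, _, tail = name.partition("\u202e")
    return head + tail[::-1]


# Constructed sample: an RLO and an LRI hidden inside a comment.
SAMPLE_SOURCE = (
    "total = 0\n"
    "# verify access \u202e }\u2066 ok\n"
    "total += 1\n"
)

if __name__ == "__main__":
    for lineno, col, name in find_bidi_chars(SAMPLE_SOURCE):
        print(f"line {lineno}, col {col}: bidi control {name}")
    # The RTLO file name from the description above.
    print(rendered_filename("photo_high_re\u202egnp.js"))
```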

These are some popular campaigns using this technique:

  • Telegram: Back in 2018, Russian cybercriminals exploited RTLO gaps in the wild in Telegram Windows clients.

  • Scarlet Mimic: One of the group's common tactics included using RTLO characters to mask the actual file extensions of self-extracting archives (SFX/SEA).

  • Famous Messaging apps: In 2022, vulnerabilities were identified in messaging platforms like iMessage, WhatsApp, Signal, and Facebook Messenger, linked to a specific technique. This method enabled attackers to insert an RTLO character between two links. The legitimate domain (e.g., google.com) was placed on the left, while a malicious one was on the right. This manipulation created the illusion of a single link, leading users to safety if they clicked on the left side, but posing a threat if they clicked on the right side.

  • PLEAD was reported in 2017; it was focused on information theft and targeted the Taiwanese government and organisations. The notable part of this attack was that the installers were disguised as documents using RTLO characters, and decoy documents were also added to trick users.

References