Possible Instant Messaging Malware Attack Using Right-to-Left Unicode Overriding Characters

Publication Type: Conference Paper


DIGILIENCE 2019, Sofia, Bulgaria (2019)


Keywords: file name obfuscation, Instant messaging malware attack, Microsoft Skype for Linux, right-to-left Unicode override, Wine


The right-to-left special Unicode character has a legitimate use for languages that are written in a right-to-left direction, or in an environment that combines both right-to-left and left-to-right languages, such as web pages, emails, desktop documents and text messages. These writing systems include right-to-left languages such as Persian, Arabic and Hebrew. “Right-to-left” attacks have been used for many years for malicious purposes, mostly in email communications. Early in 2018, Kaspersky Lab published an article describing a vulnerability in the Windows client of the popular instant messenger Telegram. This vulnerability uses the Unicode “right-to-left” character to obfuscate the name of the malware file. This paper describes a possible attack that we discovered. It uses a combination of the “right-to-left” override attack and an instant messaging malware attack, and presents a realistic threat for another widely used messenger, Microsoft’s Skype for Linux. The purpose of this research was to describe an exploit that we discovered, to warn the people who use this communication application about it, and to appeal to the producer to fix it. Additionally, it is important to emphasize that the attack scenario developed by us also impacts other applications that allow file transfer (e.g., e-mail clients) and run on Linux systems with Wine installed.
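A file-transfer client or mail gateway can check for this kind of file name obfuscation before showing a name to the user. The following is an added example, not code from the paper: it flags Unicode bidirectional control characters in a file name and compares the extension stored in the name with the one a user would see. The sample names, function names and the simplified rendering model are assumptions made for illustration.

```python
import os

# Unicode bidirectional formatting characters (UAX #9) that alter display order.
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF", "\u202d": "LRO",
    "\u202e": "RLO", "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI",
    "\u2069": "PDI", "\u200e": "LRM", "\u200f": "RLM",
}
RLO, PDF = "\u202e", "\u202c"

def approx_display(name):
    """Approximate what a bidi-aware UI draws: characters after RLO appear
    reversed until PDF or end of string. Not a full UAX #9 implementation."""
    shown, run, in_rlo = [], [], False
    for ch in name:
        if ch == RLO:
            in_rlo = True
        elif ch == PDF and in_rlo:
            shown.extend(reversed(run))
            run, in_rlo = [], False
        elif ch in BIDI_CONTROLS:
            continue  # other controls are invisible; ignored in this sketch
        elif in_rlo:
            run.append(ch)
        else:
            shown.append(ch)
    shown.extend(reversed(run))
    return "".join(shown)

def inspect_filename(name):
    """Report bidi controls and whether the visible extension differs from
    the extension the operating system will act on."""
    controls = [(i, BIDI_CONTROLS[c]) for i, c in enumerate(name) if c in BIDI_CONTROLS]
    stripped = "".join(c for c in name if c not in BIDI_CONTROLS)
    real_ext = os.path.splitext(stripped)[1].lower()
    shown_ext = os.path.splitext(approx_display(name))[1].lower()
    return {
        "controls": controls,
        "real_ext": real_ext,
        "shown_ext": shown_ext,
        "spoofed_ext": bool(controls) and real_ext != shown_ext,
        "stripped": stripped,
    }

if __name__ == "__main__":
    # Constructed sample names: one with an override, one Hebrew name, one plain.
    for sample in ["report\u202efdp.exe", "\u05d3\u05d5\u05d7.pdf", "notes.txt"]:
        print(ascii(sample), inspect_filename(sample))
```

Names written in right-to-left scripts without control characters are not flagged, so the check does not penalise the legitimate use described above.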

This paper is included in the program of DIGILIENCE 2019 and will be published in the post-conference volume.