I recently heard about an interesting hack that was targeting software developers, especially those on Linux. It basically tricks developers into installing malware on their computer by way of a fake job interview and downloading code from a public code repository.
During an initial call, the fake company asks you to complete a software development exercise by downloading a project from GitHub. The project contains a ZIP file holding a seemingly benign, non-executable-looking file named something like “readme․pdf”. The catch is that the dot in the filename isn’t an ordinary period (U+002E) but a look-alike character such as U+2024 (ONE DOT LEADER). Because there is no real period in the name, the OS doesn’t see a file extension at all (“.pdf” in this example); it is simply a file called “readme․pdf”.
When the developer double-clicks the file, it executes. Normally, on Linux, a downloaded file isn’t executable until the user sets the executable bit manually (e.g. chmod +x readme․pdf). However, because this file was shipped inside a ZIP archive, the Unix permission bits can be preserved in the archive’s metadata, so the file comes out of the archive already executable. Also, a password is sometimes added to the ZIP so that antivirus software, which cannot decrypt the archive, is unable to scan its contents.
This is a homograph attack using Unicode deception. Two things that should make you suspicious of this attack are a ZIP archive wrapping a handful of small files (there is little reason to compress them) and a password on the ZIP.
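As an added example (not part of the original post), the following Python script triages such an archive without extracting anything: it reads only the ZIP central directory and flags dot look-alike characters in filenames, the Unix executable bit stored in each entry’s external attributes, and the encryption flag that marks password-protected contents. The sample archive it builds is constructed in memory to reproduce the trick described above; because Python’s zipfile module cannot write password-protected archives, the encryption flag is set by hand on the central-directory record. The list of dot look-alike code points is my own selection, not an exhaustive one.

```python
"""Triage an untrusted "coding exercise" ZIP without extracting it.

For every entry in the central directory this reports:
  * non-ASCII characters in the filename, in particular dot look-alikes such as
    U+2024 ONE DOT LEADER that turn "readme.pdf" into a file with no extension;
  * the Unix permission bits stored in the entry's external attributes, which
    unzip tools restore on extraction, so no chmod +x is ever needed;
  * the encryption flag, i.e. password-protected contents a scanner cannot open.
"""
import io
import os
import stat
import unicodedata
import zipfile

# Characters that render like an ASCII period (U+002E) but are different code points.
# Hand-picked selection for this example; not exhaustive.
DOT_LOOKALIKES = {
    "\u2024": "ONE DOT LEADER",
    "\uff0e": "FULLWIDTH FULL STOP",
    "\ufe52": "SMALL FULL STOP",
    "\u00b7": "MIDDLE DOT",
    "\u2027": "HYPHENATION POINT",
}


def non_ascii_chars(name):
    """(char, 'U+XXXX', Unicode name) for each non-ASCII character in a filename."""
    return [(ch, f"U+{ord(ch):04X}", unicodedata.name(ch, "UNKNOWN"))
            for ch in name if ord(ch) > 0x7F]


def apparent_vs_real_extension(name):
    """Extension a human reads (look-alikes folded to '.') vs. what the OS splits on."""
    folded = name
    for fake in DOT_LOOKALIKES:
        folded = folded.replace(fake, ".")
    return os.path.splitext(folded)[1], os.path.splitext(name)[1]


def unix_mode(info):
    """Permission bits from the high 16 bits of external_attr (Unix-made archives only)."""
    if info.create_system != 3:  # 3 == Unix in the ZIP 'version made by' field
        return None
    return (info.external_attr >> 16) & 0o7777


def audit_zip(source):
    """Inspect the central directory only; `source` is a path or a binary file object."""
    findings = []
    with zipfile.ZipFile(source) as zf:
        for info in zf.infolist():
            mode = unix_mode(info)
            apparent, real = apparent_vs_real_extension(info.filename)
            findings.append({
                "name": info.filename,
                "non_ascii": non_ascii_chars(info.filename),
                "apparent_ext": apparent,
                "real_ext": real,
                "fake_extension": apparent != real,
                "mode": mode,
                "executable": mode is not None and bool(mode & 0o111),
                "encrypted": bool(info.flag_bits & 0x1),  # general-purpose bit 0
                "size": info.file_size,
            })
    return findings


def report(findings):
    """Human-readable warnings, one list entry per problem found."""
    lines = []
    for f in findings:
        for _ch, cp, uname in f["non_ascii"]:
            lines.append(f'{f["name"]!r}: contains {cp} {uname} instead of ASCII')
        if f["fake_extension"]:
            lines.append(f'{f["name"]!r}: looks like {f["apparent_ext"]} but the real extension is {f["real_ext"]!r}')
        if f["executable"]:
            lines.append(f'{f["name"]!r}: executable bit set inside the archive (mode {f["mode"]:o})')
        if f["encrypted"]:
            lines.append(f'{f["name"]!r}: contents are password-protected')
    return lines


def build_sample():
    """Constructed sample archive (not a real-world artifact) reproducing the trick."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        bait = "readme\u2024pdf"                          # renders as readme.pdf
        zi = zipfile.ZipInfo(bait)
        zi.create_system = 3
        zi.external_attr = (stat.S_IFREG | 0o755) << 16  # -rwxr-xr-x survives extraction
        zf.writestr(zi, b"#!/bin/sh\necho 'a payload would run here'\n")
        zf.writestr("README.md", b"# Coding exercise\n")
        # zipfile cannot write password-protected entries, so the encryption flag is
        # set by hand on the central-directory record to mimic a password-protected ZIP.
        zf.getinfo(bait).flag_bits |= 0x1
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for line in report(audit_zip(build_sample())):
        print(line)
```

Run it against a downloaded archive with `audit_zip("exercise.zip")`; a small archive whose entries carry a mode with any execute bit, a non-ASCII “dot”, or the encryption flag is exactly the pattern described above, and none of those checks require extracting or opening the payload.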