Full Report
Attackers are abusing bidirectional text to make fake URLs look real, reviving a decade-old browser flaw now fueling new phishing tricks. Varonis reveals how the "BiDi Swap" technique works and what organizations need to watch out for. [...]
Analysis Summary
# Tool/Technique: BiDi Swap (Bidirectional Text Spoofing)
## Overview
BiDi Swap is a technique that exploits how web browsers interpret and render text direction for URLs that mix Left-to-Right (LTR) and Right-to-Left (RTL) scripts (such as Arabic or Hebrew). By inserting RTL characters at chosen positions (for example Unicode right-to-left control characters), attackers manipulate the visual display of a URL so that a deceptive or malicious domain appears legitimate to the user, typically in phishing contexts. This revives a known browser flaw in the handling of the Unicode Bidirectional (Bidi) Algorithm for complex mixed-script URLs, particularly where subdomains and URL parameters are involved.
## Technical Details
- Type: Technique
- Platform: Web Browsers (Desktop/Mobile) that process URLs containing mixed LTR and RTL Unicode scripts.
- Capabilities: URL/Link Spoofing, Phishing Lure Creation.
- First Seen: Revived technique, based on decade-old flaws related to Bidi Algorithm handling in browsers.
## MITRE ATT&CK Mapping
The core technique revolves around deception to gain initial access or trust.
- **TA0001 - Initial Access**
- **T1566 - Phishing**
- **T1566.001 - Spearphishing Attachment** (While primarily a URL trick, successful delivery often utilizes phishing communications.)
- **T1566.002 - Spearphishing Link** (The most relevant mapping, as the technique creates convincing malicious links.)
*Note: Since this is a URL rendering/deception technique and not a distinct piece of malware or tool, its primary mapping is under Phishing Techniques.*
## Functionality
### Core Capabilities
- **URL Manipulation:** Exploits the Unicode Bidi Algorithm's potential inconsistencies when rendering mixed LTR and RTL text within URL components (hostnames, TLDs, paths, and parameters).
- **Visual Deception:** Crafts URLs where crucial parts (like the domain or TLD) appear legitimate (e.g., displaying English characters) while the underlying link points to a malicious destination.
### Advanced Features
- **Mixing with URL Structure:** The technique is effective when RTL characters are placed strategically within the host (domain + TLD) or mixed with LTR parameters, confusing the browser's rendering engine about the true order of characters.
- **Comparison to Predecessors:** It builds upon older Unicode tricks like Punycode Homograph attacks (using visually similar foreign characters) and RTL Override exploits (U+202E character) by specifically leveraging the Bidi rules for mixed-script display in URLs.
## Indicators of Compromise
As BiDi Swap is a technique, IoCs are primarily conceptual representations of the malicious URL structure.
- File Hashes: N/A (Technique only)
- File Names: N/A (Technique only)
- Registry Keys: N/A (Technique only)
- Network Indicators: URLs containing specific sequences of Unicode LTR and RTL characters designed to render deceptively. Example pattern: Mixing non-Latin RTL characters with LTR components to mask the true domain, e.g., URLs utilizing `[RTL script characters]host.tld[LTR characters]` or vice versa. (No fixed indicators are generated without an active payload.)
- Behavioral Indicators: Users interacting with links that use unusual or unexpected combinations of character sets in the domain portion of the URL, particularly those utilizing Arabic or Hebrew scripts alongside Latin text in a domain name context.
## Associated Threat Actors
The article indicates this is a revival of an old flaw, suggesting that any actor engaged in advanced phishing or browser exploitation campaigns could potentially use it. No specific threat actor group is named as the originator of the *revived* use case in the provided context.
## Detection Methods
Detection focuses on analyzing the raw, unrendered URL string for suspicious Unicode character usage, rather than the rendered display.
- Signature-based detection: Analyzing URLs for the presence of specific Unicode Bidirectional control characters (e.g., U+202E for explicit override, or specific RTL formatting characters) inserted contextually within the domain or TLD structure.
- Behavioral detection: Monitoring user behavior following navigation via links that utilize mixed LTR/RTL components in the URI structure.
- YARA rules: Rules could be developed targeting the raw URI string to check for unusual concentrations or sequences of Unicode directional characters adjacent to standard domain components.
## Mitigation Strategies
Mitigation requires browser updates and user education regarding URL rendering anomalies.
- Prevention measures: Browsers must implement the Unicode Bidi algorithm correctly and display mixed-script URLs in a transparent, consistent way, for example by rendering the entire host in its Punycode form or by enforcing strict LTR display for the host part.
- Hardening recommendations: Organizations should ensure that endpoint protection and email gateways inspect the raw encoded URI string for malicious or confusing Unicode characters, rather than relying solely on visual inspection of the browser address bar. Training users to hover over links and inspect the resulting status bar display is crucial.
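The detection and hardening points above both come down to the same check: inspect the raw, unrendered URL rather than what the browser paints. The following added example (my own illustration, not code from the Varonis article or any product) shows what such a gateway check can look like in Python using only the standard library. It flags explicit Bidi control characters and invisible directional marks anywhere in the URL string, detects LTR/RTL mixing within and across host labels, and produces the host's Punycode form as the canonical value to log and match on; Python's built-in IDNA codec rejects labels that mix directions or contain Bidi controls, which the scanner treats as an additional signal. The sample URLs, the signal names and the `scan_url`/`is_suspicious` function names are constructed for this example.

```python
import unicodedata
from urllib.parse import urlsplit

# Bidi classes of the explicit embedding, override and isolate controls
# defined by the Unicode Bidirectional Algorithm (UAX #9).
BIDI_CONTROL_CLASSES = {"LRE", "RLE", "LRO", "RLO", "PDF", "LRI", "RLI", "FSI", "PDI"}
# Invisible directional marks. Their bidi class is plain L, R or AL, so they
# are matched by code point rather than by class.
DIRECTIONAL_MARKS = {"\u200e": "LRM", "\u200f": "RLM", "\u061c": "ALM"}
RTL_CLASSES = {"R", "AL"}


def label_directions(label):
    """Return (has_ltr, has_rtl) for one host label, ignoring invisible marks."""
    classes = {unicodedata.bidirectional(c) for c in label if c not in DIRECTIONAL_MARKS}
    return "L" in classes, bool(classes & RTL_CLASSES)


def scan_url(url):
    """Inspect the raw URL string (not its rendered form) for Bidi abuse signals."""
    host = urlsplit(url).hostname or ""
    report = {"controls": [], "marks": [], "mixed_labels": [], "host_punycode": None, "reasons": []}

    # 1. Explicit Bidi controls and directional marks anywhere in the raw string.
    for pos, ch in enumerate(url):
        cls = unicodedata.bidirectional(ch)
        if cls in BIDI_CONTROL_CLASSES:
            report["controls"].append((pos, f"U+{ord(ch):04X}", cls))
        elif ch in DIRECTIONAL_MARKS:
            report["marks"].append((pos, f"U+{ord(ch):04X}", DIRECTIONAL_MARKS[ch]))
    if report["controls"]:
        report["reasons"].append("explicit bidi control characters in URL")
    if report["marks"]:
        report["reasons"].append("invisible directional marks in URL")

    # 2. Direction mixing inside the host: within a single label (strongest
    #    signal) or across labels (Hebrew/Arabic label next to Latin ones).
    host_ltr = host_rtl = False
    for label in host.split("."):
        has_ltr, has_rtl = label_directions(label)
        host_ltr |= has_ltr
        host_rtl |= has_rtl
        if has_ltr and has_rtl:
            report["mixed_labels"].append(label)
    if report["mixed_labels"]:
        report["reasons"].append("host label mixes LTR and RTL characters")
    elif host_ltr and host_rtl:
        report["reasons"].append("host mixes LTR and RTL labels")

    # 3. Canonical ASCII (Punycode) form of the host: the value a gateway
    #    should log and match on. The IDNA codec raises UnicodeError for
    #    labels that mix directions or carry Bidi controls (stringprep rules),
    #    so a failed conversion is itself worth flagging.
    try:
        report["host_punycode"] = host.encode("idna").decode("ascii")
    except UnicodeError:
        report["reasons"].append("host rejected by IDNA encoding")
    return report


def is_suspicious(url):
    """True when any Bidi-related signal fired for the raw URL."""
    return bool(scan_url(url)["reasons"])


if __name__ == "__main__":
    # Constructed sample URLs: one clean, one with a Hebrew host label, one
    # with a Right-to-Left Override in the path, one mixing scripts in a label.
    for sample in [
        "https://example.com/login",
        "https://login.\u05d0\u05d1\u05d2.example/?id=1",
        "https://example.com/path\u202e?ref=1",
        "https://pay\u05d0\u05d1.example/",
    ]:
        print(repr(sample), "->", scan_url(sample)["reasons"])
```

Matching on `host_punycode` (or on the IDNA rejection) rather than on the displayed hostname is the point: the rendered string is exactly what the technique manipulates, while the Punycode form and the raw code points are stable regardless of how any browser lays out mixed-direction text.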
## Related Tools/Techniques
- Punycode Homograph Attacks (T1588.001 - utilizing visually similar characters across character sets).
- RTL Override Exploits (T1036.002 - using control characters to flip text direction).
- General URL Spoofing Techniques.