The is a special invisible character (Unicode U+202E ) used in coding to reverse the order of the characters that follow it. Here is how the trick happened:
If you hover your mouse over a file in some email clients, it may reveal the true, non-reversed name. executare_silita_an‮fdp.exe
In reality, the file Elena saw was a lie. The true name of the file on the server was executare_silita_an[RTLO]fdp.exe . The is a special invisible character (Unicode U+202E
It began scanning her browser for saved passwords and banking cookies. The true name of the file on the
In some versions of this attack, the "Enforced Collection" becomes a reality as Ransomware begins locking her files, demanding a real payment to get them back. The Moral of the Story
The attacker named the file executare_silita_an followed by the RTLO character. They then typed fdp.exe .
When Elena double-clicked the file, her computer didn't open a PDF reader. Instead, it saw the .exe extension and ran the code.