Cobalt Strike, a well-known red-team framework used by penetration testers and threat actors alike, is most readily identified by the shellcode it injects into running processes. A researcher has discovered a new variant of Cobalt Strike that uses a new method to evade detection. As noted by the researcher tccontre, Cobalt Strike has begun using a particularly interesting technique: embedding shellcode inside the MZ (DOS) header at the start of the executable file. The MZ header is a fixed 64 bytes, and the Windows loader reads only two of its fields, the "MZ" signature and e_lfanew (the offset of the PE header); the remaining fields, and the DOS stub that follows them, are ignored at load time, so placing shellcode there lets an actor reuse space the file already contains rather than adding to it. Additionally, many anti-virus engines may miss the shellcode, because they do not always parse the MZ header fully and instead skip straight to the PE header that e_lfanew points to.
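The blind spot described above is that a loader-minimal parser only looks at the "MZ" signature and e_lfanew. The following is an added example, not code from Binary Defense, tccontre, or Cobalt Strike, showing what a detection-side parser that reads the whole header can look for: DOS header fields that differ from what Microsoft's linker emits, a DOS stub without the usual "cannot be run in DOS mode" message, and a rel32 call/jmp in the header region whose target lands inside the file. The reference field values are those link.exe writes (other linkers differ, so treat a mismatch as a hunting signal, not a verdict), and both sample images are constructed here for illustration; the bytes in the "suspicious" one are placeholders, not actual Cobalt Strike content.

```python
import struct

DOS_HEADER_LEN = 0x40            # sizeof(IMAGE_DOS_HEADER)
E_LFANEW_OFFSET = 0x3C           # only field after e_magic that the loader reads
DOS_STUB_MARKER = b"This program cannot be run in DOS mode"

# IMAGE_DOS_HEADER bytes 2..0x1C as emitted by Microsoft's link.exe:
# e_cblp=0x90, e_cp=3, e_crlc=0, e_cparhdr=4, e_minalloc=0, e_maxalloc=0xFFFF,
# e_ss=0, e_sp=0xB8, e_csum=0, e_ip=0, e_cs=0, e_lfarlc=0x40, e_ovno=0.
# Other linkers use different values, so a mismatch is a hunting signal only.
MSVC_DOS_FIELDS = struct.pack("<13H", 0x90, 3, 0, 4, 0, 0xFFFF, 0, 0xB8, 0, 0, 0, 0x40, 0)

# The 16-bit stub link.exe writes after the header (prints the message and exits).
STANDARD_STUB = (b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21\xb8\x01\x4c\xcd\x21"
                 + DOS_STUB_MARKER + b".\r\r\n$")


def find_rel32_branches(blob: bytes, base: int, file_len: int):
    """Return (offset, target) for every E8 (call rel32) / E9 (jmp rel32) in blob
    whose target lands inside the file. Shellcode placed at the start of a file
    typically begins with such a branch into the loader it carries; a header
    written by a linker contains none."""
    hits = []
    for i in range(len(blob) - 4):
        if blob[i] in (0xE8, 0xE9):
            rel = struct.unpack_from("<i", blob, i + 1)[0]
            target = base + i + 5 + rel
            if 0 <= target < file_len:
                hits.append((base + i, target))
    return hits


def inspect_dos_header(data: bytes) -> dict:
    """Parse the whole MZ header (not just e_magic/e_lfanew) and report oddities."""
    if len(data) < DOS_HEADER_LEN or data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, E_LFANEW_OFFSET)[0]
    if (e_lfanew < DOS_HEADER_LEN or e_lfanew + 4 > len(data)
            or data[e_lfanew:e_lfanew + 4] != b"PE\0\0"):
        raise ValueError("e_lfanew does not point at a PE signature")

    findings = []
    # Fields the loader ignores: anything can live here without breaking execution.
    if data[2:2 + len(MSVC_DOS_FIELDS)] != MSVC_DOS_FIELDS:
        findings.append("non-standard IMAGE_DOS_HEADER fields after e_magic")
    if any(data[2 + len(MSVC_DOS_FIELDS):E_LFANEW_OFFSET]):
        findings.append("reserved/OEM header fields are not zero")
    # The DOS stub between the header and the PE signature is also never executed on Windows.
    stub = data[DOS_HEADER_LEN:e_lfanew]
    if stub and DOS_STUB_MARKER not in stub:
        findings.append("DOS stub lacks the standard 'cannot be run in DOS mode' message")
    branches = find_rel32_branches(data[2:e_lfanew], 2, len(data))
    if branches:
        findings.append("rel32 call/jmp in header region: "
                        + ", ".join(f"0x{o:x}->0x{t:x}" for o, t in branches))
    return {"e_lfanew": e_lfanew, "stub_len": len(stub), "findings": findings}


def build_sample(dos_fields: bytes, stub: bytes, e_lfanew: int = 0x80) -> bytes:
    """Constructed test image (not a real binary): MZ header + stub + 'PE\\0\\0' + padding."""
    hdr = b"MZ" + dos_fields
    hdr += b"\0" * (E_LFANEW_OFFSET - len(hdr))
    hdr += struct.pack("<I", e_lfanew)
    body = hdr + stub
    body += b"\0" * (e_lfanew - len(body))
    return body + b"PE\0\0" + b"\0" * 0x100


# Constructed samples. The "suspicious" header starts with a call at offset 2 whose
# rel32 (0x39) lands on offset 0x40, where a placeholder loader body sits instead
# of the DOS stub. These are illustrative bytes, not Cobalt Strike's.
BENIGN = build_sample(MSVC_DOS_FIELDS, STANDARD_STUB)
SUSPICIOUS = build_sample(b"\xe8\x39\x00\x00\x00", b"\x90" * 20 + b"\xc3")

if __name__ == "__main__":
    for name, image in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(name, inspect_dos_header(image))
```

The benign image produces no findings; the suspicious one is flagged three times (non-standard fields, a stub without the DOS message, and a call from offset 0x2 to 0x40). In a real triage pipeline the same checks belong next to the PE-header parsing most tooling already does, since the whole point of the technique is that bytes before e_lfanew are rarely examined.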
How does Binary Defense help protect your organization? With best-in-breed cybersecurity tactics, techniques, and services, we make sure that your environment is secure against the most advanced attacks.