CobaltStrike – Hiding in plain sight

Cobalt Strike, a well-known red-team framework used by pentesters and threat actors alike, is most commonly identified by the shellcode it injects into running processes. Researcher tccontre discovered a new Cobalt Strike variant that uses a different method to evade detection: the shellcode is embedded inside the MZ (DOS) header at the start of the executable file. Because the MZ header occupies a fixed amount of space, placing shellcode in its unused regions lets actors save space elsewhere in the file. Additionally, many anti-virus products may miss the shellcode, as they do not always parse the MZ header fully.
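To show what "unused regions of the MZ header" means in practice from a defender's side, here is an added example (not code from the original flash or from tccontre) that parses the IMAGE_DOS_HEADER of an in-memory PE image and flags payload-like bytes in the reserved fields and in the DOS stub. The "normal file" assumptions (reserved fields are zero, the stub carries the standard DOS-mode message) and the two sample headers are constructed for the demonstration.

```python
"""Heuristic check for bytes hidden in the unused parts of a PE's MZ (DOS) header.

Added example, not part of the original post. The notion of "normal" used here
(e_res/e_res2 are zero, the stub contains the standard DOS-mode message) is an
assumption, and both sample images below are constructed, not real binaries.
"""
import math
import struct
from collections import Counter

MZ_HEADER_LEN = 0x40                               # IMAGE_DOS_HEADER is 64 bytes
RESERVED_RANGES = [(0x1C, 0x24), (0x28, 0x3C)]     # e_res (8 bytes) and e_res2 (20 bytes)
STD_STUB_MARKER = b"This program cannot be run in DOS mode"


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for empty input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def inspect_dos_header(image: bytes) -> dict:
    """Return findings about the DOS header and the stub that precedes 'PE\\0\\0'."""
    if len(image) < MZ_HEADER_LEN or image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]   # offset of the PE signature
    reserved = b"".join(image[a:b] for a, b in RESERVED_RANGES)
    stub = image[MZ_HEADER_LEN:e_lfanew]                  # bytes between header and PE sig
    findings = {
        "e_lfanew": e_lfanew,
        "reserved_nonzero": any(reserved),                # reserved fields are normally zero
        "stub_len": len(stub),
        "stub_entropy": round(entropy(stub), 2),
        "stub_has_std_marker": STD_STUB_MARKER in stub,
    }
    # Flag when reserved fields carry data, or the stub is non-standard and high-entropy.
    findings["suspicious"] = findings["reserved_nonzero"] or (
        len(stub) > 0 and not findings["stub_has_std_marker"] and findings["stub_entropy"] > 5.0
    )
    return findings


def build_sample(reserved_bytes: bytes, stub: bytes) -> bytes:
    """Construct a minimal MZ header + stub + 'PE\\0\\0' signature (demo input only)."""
    hdr = bytearray(MZ_HEADER_LEN)
    hdr[:2] = b"MZ"
    hdr[0x1C:0x24] = reserved_bytes[:8].ljust(8, b"\0")
    hdr[0x28:0x3C] = reserved_bytes[8:28].ljust(20, b"\0")
    struct.pack_into("<I", hdr, 0x3C, MZ_HEADER_LEN + len(stub))
    return bytes(hdr) + stub + b"PE\0\0"


# Constructed samples: a typical linker stub versus reserved fields and stub filled with filler.
BENIGN = build_sample(b"\0" * 28, b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21\xb8\x01\x4c\xcd\x21"
                      + STD_STUB_MARKER + b".\r\r\n$" + b"\0" * 7)
SUSPICIOUS = build_sample(bytes(range(1, 29)), bytes(range(64, 192)))  # filler, not a payload
```

Running `inspect_dos_header` over both samples flags only the second; the same checks apply to a real file by passing its first few hundred bytes.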

Analyst Notes

Tccontre wrote a useful YARA rule for detecting these shellcode payloads. With it you can detect the beacon.dll that Cobalt Strike uses to communicate back to the threat actor; the rule and write-up can be found here:

https://tccontre.blogspot.com/2019/11/cobaltstrike-beacondll-your-not.html
https://webserver2.tecgraf.puc-rio.br/~ismael/Cursos/YC++/apostilas/win32_xcoff_pe/tyne-example/Tiny%20PE.htm