Cobalt Strike, a well-known red-team framework used by pentesters and threat actors alike, is most commonly identified by the shellcode it injects into running processes. A researcher discovered a new variant of Cobalt Strike that uses a new method to evade detection. As noted by the researcher tccontre, Cobalt Strike has begun using a particularly interesting technique: embedding shellcode inside the MZ header, which sits at the very start of the executable file. Because the MZ header occupies a fixed amount of space, embedding shellcode there lets actors use the header's unused bytes and save space elsewhere in the file. Additionally, many anti-virus products may miss the shellcode because they do not always parse the MZ header fully.
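A defender-side check for the header-stuffing technique described above, added here as an example and not taken from the research post or from Binary Defense: it parses the IMAGE_DOS_HEADER and flags non-zero reserved fields and a DOS stub region that is missing the standard Microsoft linker stub message or is high-entropy. The two sample headers are constructed for the demonstration, not real samples, and the 6.0-bit entropy threshold is an assumed tuning value.

```python
import math
import struct

DOS_HEADER_LEN = 64                              # sizeof(IMAGE_DOS_HEADER)
STUB_MARKER = b"This program cannot be run in DOS mode"

def entropy(buf: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not buf:
        return 0.0
    counts = [buf.count(b) for b in set(buf)]
    return -sum(c / len(buf) * math.log2(c / len(buf)) for c in counts)

def inspect_mz_header(data: bytes) -> dict:
    """Flag content in the MZ header region that a normal linker leaves unused or fixed."""
    if len(data) < DOS_HEADER_LEN or data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    # IMAGE_DOS_HEADER: e_magic, 13 WORDs, e_res[4], e_oemid, e_oeminfo, e_res2[10], e_lfanew
    f = struct.unpack_from("<2s13H4H2H10HI", data)
    e_res, e_res2, e_lfanew = f[14:18], f[20:30], f[30]
    findings = []
    if any(e_res) or any(e_res2):
        findings.append("reserved fields e_res/e_res2 are non-zero")
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0" or e_lfanew < DOS_HEADER_LEN:
        findings.append("e_lfanew does not point at a PE signature")
        stub = b""
    else:
        stub = data[DOS_HEADER_LEN:e_lfanew]      # bytes between the DOS header and the PE header
    if stub and STUB_MARKER not in stub:
        findings.append("DOS stub lacks the standard stub message")
    if entropy(stub) > 6.0:                       # assumed threshold: the normal stub is well below it
        findings.append("DOS stub is high-entropy (code or packed data rather than the normal stub)")
    return {"e_lfanew": e_lfanew, "stub_len": len(stub), "findings": findings}

# Constructed samples (not real malware): a normal-looking header, and one whose reserved
# DOS-header fields and stub area are filled with arbitrary non-zero filler bytes.
_STD_STUB = (b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21\xb8\x01\x4c\xcd\x21"
             + STUB_MARKER + b".\r\r\n$").ljust(64, b"\0")
_WORDS = struct.pack("<13H", 0x90, 3, 0, 4, 0, 0xFFFF, 0, 0xB8, 0, 0, 0, 0x40, 0)

CLEAN_PE = b"MZ" + _WORDS + bytes(32) + struct.pack("<I", 128) + _STD_STUB + b"PE\0\0"
FILLED_PE = (b"MZ" + _WORDS + bytes(range(0x41, 0x49)) + bytes(4) + bytes(range(0x50, 0x64))
             + struct.pack("<I", 256) + bytes(range(64, 256)) + b"PE\0\0")

if __name__ == "__main__":
    for name, sample in (("clean", CLEAN_PE), ("filled", FILLED_PE)):
        print(name, inspect_mz_header(sample))
```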
By Akshay Rohatgi and Randy Pargman

About this Student Research Project

Binary Defense’s mission is