*Callback Shellcode Injection: Undetected by Microsoft for Endpoint*

Our intelligence engine has seen recent human momentum behind an older technique that seems to be picking up steam again: callback shellcode injection. The technique uses a native Windows function (in this case EnumSystemGeoID) which is handed a memory address containing shellcode, and the function then executes it via its callback. The curious thing was that the MSE timeline registered our execution as a “CreateRemoteThread” API call, which wasn’t used. I’m still wrapping my head around the technical details, so this may be due to my own misunderstanding of how “EnumSystemGeoID” works. Regardless, quite effective! Similar Lazarus tactics were recently analyzed by nccgroup, and the analysis can be found below.
Docs Callbacks: /var/log/notes (ropgadget.com)
Lazarus Analysis: https://research.nccgroup.com/2021/01/23/rift-analysing-a-lazarus-shellcode-execution-method/
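Since the detection gap in the post comes from the callback target rather than from a thread-creation API, a defender's first check is where the callback pointer actually lives. The following is an added example (not code from the post or from nccgroup) that classifies a callback address against a process's memory map using the real VirtualQuery constants; the region list is constructed inline, and on a live Windows host it would be populated by walking VirtualQueryEx.

```python
"""Classify a Win32 callback pointer as image-backed code or unbacked
executable memory, the usual footprint of callback-based shellcode
execution such as the EnumSystemGeoID trick described above.

Added example, not from the original post. REGIONS is constructed sample
data in the shape of MEMORY_BASIC_INFORMATION; a real tool would fill it
from VirtualQueryEx on the target process.
"""
from dataclasses import dataclass

# Real MEMORY_BASIC_INFORMATION constants from winnt.h
MEM_IMAGE = 0x1000000
MEM_PRIVATE = 0x20000
MEM_MAPPED = 0x40000
PAGE_READWRITE = 0x04
PAGE_EXECUTE = 0x10
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40
PAGE_EXECUTE_WRITECOPY = 0x80
EXEC_MASK = (PAGE_EXECUTE | PAGE_EXECUTE_READ
             | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY)


@dataclass
class Region:
    base: int
    size: int
    protect: int   # Protect field
    type_: int     # Type field: MEM_IMAGE / MEM_PRIVATE / MEM_MAPPED
    module: str = ""  # backing image name, if any (informational)


def find_region(regions, addr):
    """Return the region containing addr, or None if it is unmapped."""
    for r in regions:
        if r.base <= addr < r.base + r.size:
            return r
    return None


def classify_callback(regions, addr):
    """'image' is expected for a legitimate callback; 'unbacked-exec' and
    'rwx-exec' are the cases worth alerting on; 'non-exec' would fault."""
    r = find_region(regions, addr)
    if r is None:
        return "unmapped"
    if not (r.protect & EXEC_MASK):
        return "non-exec"
    if r.type_ == MEM_IMAGE:
        return "image"
    if r.protect == PAGE_EXECUTE_READWRITE:
        return "rwx-exec"
    return "unbacked-exec"


# Constructed sample map: a DLL .text section, a heap, and two private exec pages
REGIONS = [
    Region(0x7FF800001000, 0x1000, PAGE_EXECUTE_READ, MEM_IMAGE, "kernel32.dll"),
    Region(0x1A0000000, 0x10000, PAGE_READWRITE, MEM_PRIVATE),
    Region(0x1A0020000, 0x1000, PAGE_EXECUTE_READ, MEM_PRIVATE),
    Region(0x1A0030000, 0x1000, PAGE_EXECUTE_READWRITE, MEM_PRIVATE),
]
```

A callback pointer that resolves to "unbacked-exec" or "rwx-exec" deserves the same scrutiny as a remote thread start address, regardless of which API dispatched it.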