Global cybersecurity firm Sophos has revealed a new defence against adversaries trying to evade detection by loading fileless malware, ransomware and remote access agents into the temporary memory of compromised computers.
In a new blog post titled, ‘Covert Code Faces a Heap of Trouble in Memory,’ Sophos researchers detailed how they discovered that covert attack code is injected directly into the dynamic ‘Heap’ region of computer memory.
According to Sophos, this covert code then tries to obtain additional ‘Heap’ memory with code execution rights, a behaviour not seen in ordinary software.
SEE ALSO: Sophos details evolution of Gootkit’s malware delivery methods
The researchers developed a new protection that is triggered whenever such ‘Heap-Heap’ memory allocation behaviour is detected.
The new defense, called Dynamic Shellcode Protection, will make it significantly harder for adversaries to use memory as part of their arsenal of defense evasion techniques.
“Preventing attackers from taking hold in a compromised network is the goal of defenders everywhere,” said Mark Loman, director of engineering, Sophos.
“This goal is critical because once a remote access agent has been installed, it can facilitate most of the active adversary tactics that take place during the attack. These include execution, credential access, privilege escalation, discovery, lateral movement, collection, exfiltration, and the release of the ransomware.
“Code intended for malicious use evades detection by being heavily obfuscated and packed and loaded directly into memory. Computer memory is not routinely scanned by security tools so that even when the code is de-obfuscated and unpacked in order to run, its presence is often not detected. Sophos has identified a characteristic – ‘Heap-Heap’ memory allocation – that is typical across multi-stage remote access agents and other attack code being loaded into memory and has built protection against it.”
Dynamic Shellcode Protection is based on the fact that code such as applications are stored in memory regions that have ‘execution’ rights. This enables the apps to run. However, the apps generally need some additional, temporary, in-memory workspace.
ALSO READ: ‘Agent Tesla’ Trojan can now bypass endpoint security tools, warns Sophos
“Dynamic Shellcode Protection is not meant as a silver bullet for all attacks, but it does mean that adversaries face a new obstacle that blocks a fundamental behaviour of their stealthy code. We hope this will make attackers’ jobs harder and more complicated,” said Loman.
“The solution does not rely on the cloud or machine learning. As such it represents a paradigm shift in the ongoing battle against many obfuscated malware and memory-delivered post-exploitation agents, including Cobalt Strike Beacon.”
Dynamic Shellcode Protection is integrated into Sophos Intercept X.
