Sophos today revealed a new defence against adversaries trying to evade detection by loading fileless malware, ransomware and remote access agents into the temporary memory of compromised computers. In a new blog post, “Covert Code Faces a Heap of Trouble in Memory,” Sophos researchers detail how they discovered that covert attack code is injected directly into the dynamic “Heap” region of computer memory and then tries to obtain additional “Heap” memory with code execution rights, a behaviour not seen in ordinary software. The researchers developed a new protection that is triggered whenever such “Heap-Heap” memory allocation behaviour is detected.
The defence, called Dynamic Shellcode Protection, will make it significantly harder for adversaries to use memory as part of their arsenal of defence evasion techniques.
Dynamic Shellcode Protection is based on the fact that code, such as an application’s own program code, is stored in memory regions that have “execution” rights. This is what enables the apps to run. However, apps generally also need some additional, temporary, in-memory workspace, for example to unpack or store data. This variable workspace is commonly called “Heap” memory. Apps can request that their Heap memory allocation come with execution rights.
In most cyberattacks, however, the loader for a remote access agent is injected directly into Heap memory. It then needs to obtain further executable memory from the Heap in order to accommodate the needs of the inbound remote access agent. This is referred to as “Heap-Heap” memory allocation behaviour.
Sophos researchers realized that such behaviour was a clear indicator of potentially suspicious activity and designed a practical protection that blocks requests for further executable Heap memory when the requesting code is itself running from Heap memory. In doing so, the protection can intercept many cyberattacks involving remote access agents, fileless malware and ransomware, while remaining compatible with normal applications.
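The barrier described in the preceding paragraphs, modelled as a detection rule run over constructed allocation events. This is an added illustration, not Sophos code: the region kinds, protection labels, event fields and sample addresses are assumptions made for the example, and the “monitor” is a plain function rather than a real allocation hook.

```python
"""Toy model of the heap-to-heap executable allocation check.

Added example, not Sophos code. Region kinds, protection labels and the
sample process map below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Protection labels that carry execute rights (constructed naming, not a real API).
EXEC_PROTECTIONS = {"RX", "RWX"}


@dataclass(frozen=True)
class Region:
    start: int
    end: int          # exclusive
    kind: str         # "image" (loaded executable/DLL), "heap", or "stack"
    prot: str         # "R", "RW", "RX" or "RWX"


@dataclass(frozen=True)
class AllocEvent:
    """One memory-allocation request as a monitor might record it."""
    pid: int
    caller_addr: int  # return address of the code that issued the request
    size: int
    prot: str         # protection requested for the new allocation


class ProcessMap:
    """Address-space layout of one process, used to classify the caller."""

    def __init__(self, regions: Iterable[Region]) -> None:
        self.regions = sorted(regions, key=lambda r: r.start)

    def region_of(self, addr: int) -> Optional[Region]:
        for r in self.regions:
            if r.start <= addr < r.end:
                return r
        return None


def is_heap_to_heap_exec(event: AllocEvent, pmap: ProcessMap) -> bool:
    """The barrier from the post: code already running out of Heap memory
    must not obtain further Heap memory with execution rights.

    Executable requests issued by code in a mapped image (e.g. a JIT
    runtime) pass, as do non-executable requests from anywhere.
    """
    if event.prot not in EXEC_PROTECTIONS:
        return False
    caller = pmap.region_of(event.caller_addr)
    return caller is not None and caller.kind == "heap"


def audit(events: Iterable[AllocEvent], pmap: ProcessMap) -> List[str]:
    """One verdict per event: "block" when the barrier is violated, else "allow"."""
    return ["block" if is_heap_to_heap_exec(e, pmap) else "allow" for e in events]


# Constructed layout: one executable image, one heap, one stack.
SAMPLE_MAP = ProcessMap([
    Region(0x00400000, 0x00450000, "image", "RX"),
    Region(0x10000000, 0x10100000, "heap", "RWX"),   # heap that is already executable
    Region(0x7FF00000, 0x7FF20000, "stack", "RW"),
])

# Constructed events for a single process.
SAMPLE_EVENTS = [
    AllocEvent(pid=4242, caller_addr=0x00401230, size=0x10000, prot="RWX"),  # image code: allowed
    AllocEvent(pid=4242, caller_addr=0x10002000, size=0x2000,  prot="RW"),   # heap code, no exec: allowed
    AllocEvent(pid=4242, caller_addr=0x10002000, size=0x40000, prot="RWX"),  # heap code wants exec: blocked
    AllocEvent(pid=4242, caller_addr=0x7FF01000, size=0x1000,  prot="RX"),   # stack caller: outside this rule
]

if __name__ == "__main__":
    for ev, verdict in zip(SAMPLE_EVENTS, audit(SAMPLE_EVENTS, SAMPLE_MAP)):
        caller = SAMPLE_MAP.region_of(ev.caller_addr)
        kind = caller.kind if caller else "unmapped"
        print(f"pid {ev.pid} caller={kind:6} prot={ev.prot:3} -> {verdict}")
```

The rule is deliberately narrow: executable requests from image code still pass, which is what keeps JIT runtimes and similar legitimate software working, and only the third event, code already executing from the Heap asking for more executable Heap, is blocked. A real implementation has to resolve the caller’s region at the allocation hook itself; the static map here stands in for that lookup.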
“When a process, regardless of whether it is malicious or benign, violates the Heap memory allocation barrier, the Dynamic Shellcode Protection will block it and notify defenders. Security professionals can then take a closer look at what is going on,” said Mark Loman, director of engineering, Sophos. “The new protection is not meant as a silver bullet for all attacks, but it does mean that adversaries face a new obstacle that blocks a fundamental behaviour of their stealthy code. We hope this will make attackers’ jobs harder and more complicated. The Dynamic Shellcode Protection does not rely on the cloud or machine learning. As such it represents a paradigm shift in the ongoing battle against many obfuscated malware and memory-delivered post-exploitation agents, including Cobalt Strike Beacon.”
Dynamic Shellcode Protection is integrated into Sophos Intercept X.