Malicious code such as fileless malware, ransomware and remote access agents try to evade detection by hiding among ordinary software code while running in memory - a step just made harder by cybersecurity firm Sophos.
Sophos found that malicious code behaves in a certain way after it is injected into the memory of a hacked computer, and because this behaviour is not normally seen in ordinary software code it is a good indicator that something suspicious might be going on that needs investigating.
According to Sophos, covert code is injected into what is called the dynamic ‘Heap' region of a computer's memory, which is an area of memory required for apps that need temporary in-memory workspace.
This initial code is often a loader or installer for a larger payload to follow. In order to make room for that payload, the initial code needs more memory space and allocates itself additional and executable Heap memory. This process is called ‘Heap-Heap' memory allocation.
“Code intended for malicious use evades detection by being heavily obfuscated and packed and loaded directly into memory,” explains Sophos director of engineering, Mark Loman. “Computer memory is not routinely scanned by security tools so that even when the code is de-obfuscated and unpacked in order to run, its presence is often not detected.
“‘Heap-Heap' memory allocation is typical across multi-stage remote access agents and other attack code being loaded into memory,” says Loman.
These findings have been crucial in enabling Sophos researchers to design a practical protection that blocks the allocation of execution permissions from one Heap memory to another. It is named Dynamic Shellcode Protection and it is designed to make it significantly more difficult for attackers to compromise memory to hide their activities.
Dynamic Shellcode Protection intercepts attacks involving fileless malware, ransomware and remote access agents while allowing genuine applications to run normally.
Loman explains, “When a process, regardless of whether it is malicious or benign, violates the Heap memory allocation barrier, the Dynamic Shellcode Protection will block it and notify defenders. Security professionals can then take a closer look at what is going on.
He adds that this protection is not intended to be a silver bullet against attacks, but it is one more obstacle that attackers have to face.
“We hope this will make attackers' jobs harder and more complicated. The Dynamic Shellcode Protection does not rely on the cloud or machine learning. As such it represents a paradigm shift in the ongoing battle against many obfuscated malware and memory-delivered post-exploitation agents, including Cobalt Strike Beacon.
It is also important that organisations use cybersecurity solutions that can protect, identify and neutralise any potentially suspicious activity, including Heap-Heap and other shellcode attacks. Sophos Intercept X includes Dynamic Shellcode Protection, while Sophos Managed Threat Response provides 24/7 human-led threat hunting, analysis and response expertise.