1 min read

Sophos has uncovered how attack code behaves while hiding in memory and built protection against it

The discovery will make it significantly harder for adversaries to use memory as a defense evasion technique

The memory region of a hacked computer is a popular hiding place for malware because security scans don’t tend to cover memory. As a result, the malware is less likely to be detected and blocked.  The types of malware attackers try to install in memory include ransomware and remote access agents. Remote access agents are the enablers for the rest of an attack so the earlier they are spotted and blocked the better.

Sophos researchers have worked out a way to defend against such malware in memory based on how it behaves. They found that attack code shares a common behaviour in memory regardless of the type of code or its purpose.

  • Unlike normal software applications that are installed in the main memory region, attack code is injected into a part of the memory known as the “Heap.” (The Heap provides temporary additional memory space for applications that need some extra room, for instance to store or unpack code.)

  • Adversaries add their attack code in stages. To begin with, a small file known as a “loader” is injected into the Heap memory. The loader then needs extra Heap memory space to accommodate the needs of main payload, which could be a remote access agent like Cobalt Strike. It needs the extra memory to be allocate “execution” rights so the malware can run.

Sophos researchers have designed a practical protection that blocks the allocation of execution permissions from one Heap memory to another. The protection is named Dynamic Shellcode Protection.

“Preventing attackers from taking hold in a compromised network is the goal of defenders everywhere,” said Mark Loman, director of engineering, Sophos. “This goal is critical because once a remote access agent has been installed, it can facilitate most of the active adversary tactics that will take place during the attack. These include execution, credential access, privilege escalation, discovery, lateral movement, collection, exfiltration, and the release of the ransomware.

“Code intended for malicious use evades detection by being heavily obfuscated and packed and loaded directly into memory. Computer memory is not routinely scanned by security tools so that even when the code is de-obfuscated and unpacked in order to run, its presence is often not detected. Sophos has identified a characteristic – ‘Heap-Heap’ memory allocation – that is typical across multi-stage remote access agents and other attack code being loaded into memory and has built protection against it.”