The discovery will make it significantly harder for adversaries to use memory as a defense evasion technique.
The memory region of a hacked computer is a popular hiding place for malware because security scans don’t tend to cover memory. As a result, the malware is less likely to be detected and blocked. The types of malware attackers try to install in memory include ransomware and remote access agents. Remote access agents are the enablers for the rest of an attack so the earlier they are spotted and blocked the better.
Sophos researchers have worked out a way to defend against such malware in memory based on how it behaves. They found that attack code shares a common behaviour in memory regardless of the type of code or its purpose.
- Unlike normal software applications that are installed in the main memory region, attack code is injected into a part of the memory known as the “Heap.” (The Heap provides temporary additional memory space for applications that need some extra room, for instance to store or unpack code.)
- Adversaries add their attack code in stages. To begin with, a small file known as a “loader” is injected into the Heap memory. The loader then needs extra Heap memory space to accommodate the needs of main payload, which could be a remote access agent like Cobalt Strike. It needs the extra memory to be allocate “execution” rights so the malware can run.
Sophos researchers have designed a practical protection that blocks the allocation of execution permissions from one Heap memory to another. The protection is named Dynamic Shellcode Protection.
“Preventing attackers from taking hold in a compromised network is the goal of defenders everywhere,” said Mark Loman, director of engineering, Sophos. “This goal is critical because once a remote access agent has been installed, it can facilitate most of the active adversary tactics that will take place during the attack. These include execution, credential access, privilege escalation, discovery, lateral movement, collection, exfiltration, and the release of the ransomware.
“Code intended for malicious use evades detection by being heavily obfuscated and packed and loaded directly into memory. Computer memory is not routinely scanned by security tools so that even when the code is de-obfuscated and unpacked in order to run, its presence is often not detected. Sophos has identified a characteristic – ‘Heap-Heap’ memory allocation – that is typical across multi-stage remote access agents and other attack code being loaded into memory and has built protection against it.”
Dynamic Shellcode Protection is integrated into Sophos Intercept X. It is already having an impact, uncovering the presence in memory of Cobalt Strike in a Conti ransomware attack.
General Advice for Defending Against Ransomware
- Shut down internet-facing remote desktop protocol (RDP) to deny cybercriminals access to networks
- If you need access to RDP, put it behind a VPN connection
- Use layered security to prevent, protect and detect cyberattacks, including endpoint detection and response (EDR) capabilities and managed response teams who watch networks 24/7
- Be aware of the five early indicators an attacker is present to stop ransomware attacks
- Have an effective incident response plan in place and update it as needed. If you don’t feel confident you have the skills or resources in place to do this, to monitor threats or to respond to emergency incidents, consider turning to external experts for help