Covert Code Trying To Run in Memory is Blocked by New Sophos Protection Against “Heap-Heap” Permission Violations

Sophos Press Release

“Dynamic Shellcode Protection” is Designed to Expose Fileless Malware, Ransomware and Remote Access Agents

OXFORD, U.K. – March 4, 2021 – Sophos, a global leader in next-generation cybersecurity, today revealed a new defense against adversaries trying to evade detection by loading fileless malware, ransomware and remote access agents into the temporary memory of compromised computers. In a new blog post, “Covert Code Faces a Heap of Trouble in Memory,” Sophos researchers detail how they discovered that covert attack code is injected directly into the dynamic “Heap” region of computer memory and then tries to obtain additional “Heap” memory with code execution rights, a behavior not seen in ordinary software. The researchers developed a new protection that is triggered whenever such “Heap-Heap” memory allocation behavior is detected.

The defense, called Dynamic Shellcode Protection, will make it significantly harder for adversaries to use memory as part of their arsenal of defense evasion techniques.

As Sophos recently reported in a series of articles on the realities of Conti ransomware, the memory of compromised computers is a popular hiding place for adversaries looking to conceal their presence from defenders while they load and execute the remote access agents that will serve as enablers for the rest of the attack. In the case of Conti, the remote access agent used was Cobalt Strike.

“Preventing attackers from taking hold in a compromised network is the goal of defenders everywhere,” said Mark Loman, director of engineering, Sophos. “This goal is critical because once a remote access agent has been installed, it can facilitate most of the active adversary tactics that take place during the attack. These include execution, credential access, privilege escalation, discovery, lateral movement, collection, exfiltration, and the release of the ransomware.

“Code intended for malicious use evades detection by being heavily obfuscated and packed and loaded directly into memory. Computer memory is not routinely scanned by security tools so that even when the code is de-obfuscated and unpacked in order to run, its presence is often not detected. Sophos has identified a characteristic – ‘Heap-Heap’ memory allocation – that is typical across multi-stage remote access agents and other attack code being loaded into memory and has built protection against it.”

Dynamic Shellcode Protection is based on the fact that code such as applications are stored in memory regions that have “execution” rights. This enables the apps to run. However, the apps generally need some additional, temporary, in-memory workspace, for example to unpack or store data. This variable workspace is commonly called “Heap” memory. Apps can request their Heap memory allocation to come with execution rights.

In most cyberattacks, however, the loader for a remote access agent is injected directly into Heap memory. It then needs to obtain further executable memory from the Heap in order to accommodate the needs of the inbound remote access agent. This is referred to as “Heap-Heap” memory allocation behavior.

Sophos researchers realized that such behaviour was a clear indicator of potentially suspicious activity and designed a practical protection that blocks the allocation of execution permissions from one Heap memory to another. In doing so, the protection can intercept many cyberattacks involving remote access agents, fileless malware and ransomware, while being compatible with normal applications.

“When a process, regardless of whether it is malicious or benign, violates the Heap memory allocation barrier, the Dynamic Shellcode Protection will block it and notify defenders. Security professionals can then take a closer look at what is going on,” said Loman. “The new protection is not meant as a silver bullet for all attacks, but it does mean that adversaries face a new obstacle that blocks a fundamental behavior of their stealthy code. We hope this will make attackers’ jobs harder and more complicated. The Dynamic Shellcode Protection does not rely on the cloud or machine learning. As such it represents a paradigm shift in the ongoing battle against many obfuscated malware and memory-delivered post-exploitation agents, including Cobalt Strike Beacon.”

Dynamic Shellcode Protection is integrated into Sophos Intercept X.

General Advice for Defending Against Ransomware

  • Shut down internet-facing remote desktop protocol (RDP) to deny cybercriminals access to networks
  • If you need access to RDP, put it behind a VPN connection
  • Use layered security to prevent, protect and detect cyberattacks, including endpoint detection and response (EDR) capabilities and managed response teams who watch networks 24/7
  • Be aware of the five early indicators an attacker is present to stop ransomware attacks
  • Have an effective incident response plan in place and update it as needed. If you don’t feel confident you have the skills or resources in place to do this, to monitor threats or to respond to emergency incidents, consider turning to external experts for help

Acerca de Sophos

Sophos, líder mundial en ciberseguridad next-gen, protege a más de 400 000 empresas de todos los tamaños en más de 150 países de las ciberamenazas más avanzadas de la actualidad. Gracias al respaldo de SophosLabs, un equipo global de ciencia de datos e información sobre amenazas, las soluciones con IA y nativas en la nube de Sophos protegen endpoints (portátiles, servidores y dispositivos móviles) y redes contra las técnicas de ciberataque en evolución, como el ransomware, el malware, los exploits, la exfiltración de datos, las intrusiones de adversarios activos y el phishing, entre otras. Sophos Central, una plataforma de administración nativa en la nube, integra todo el catálogo de productos next-gen de Sophos, incluidos la solución para endpoints Intercept X y el firewall next-gen XG, en un único sistema de “Seguridad Sincronizada” accesible a través de una serie de API. Sophos ha estado impulsando una transición a la ciberseguridad next-gen, aprovechando las capacidades avanzadas de la nube, el Machine Learning, las API, la automatización y la respuesta administrada a las amenazas, entre otras, a fin de ofrecer una protección de nivel empresarial a empresas de todos los tamaños. Sophos vende sus productos y servicios exclusivamente a través de un canal global de más de 53 000 partners y proveedores de servicios administrados (MSP). Asimismo, Sophos pone a disposición de los usuarios particulares sus innovadoras tecnologías comerciales a través de Sophos Home. La empresa tiene su sede en Oxford, Reino Unido. Encontrará más información en es.sophos.com