Sophos decodes the DNA of fileless malware and introduces a new protection technology. Dynamic Shellcode Protection detects malware such as ransomware or remote access agents running in working memory (RAM) and thus blocks a popular hacking technique for bypassing protection programs.
Sophos presents its new protection against cyberattacks in which malware loads itself filelessly into the working memory of the affected computer. Dynamic Shellcode Protection is integrated into Sophos Intercept X and can prevent attack code from nesting in the dynamic heap region of memory.
Memory: a popular hiding place for malware
The memory of a hacked computer is a popular hiding place for malware, as security scans usually do not cover memory. As a result, the malware is less likely to be detected and blocked. The types of malware that attempt to activate themselves in this way include ransomware and remote access agents. The latter often form the basis for an imminent attack; the sooner they are discovered and blocked, the better. With Dynamic Shellcode Protection, the Sophos researchers have now found a way to defend against such fileless malware based on its behavior. The pivotal point is the discovery that these attack codes share a common behavior in memory regardless of the specific code type or its purpose. In the blog post “Covert Code Faces a Heap of Trouble in Memory”, the Sophos researchers describe their discovery in detail.
This is how Sophos Dynamic Shellcode Protection works
Code from executable applications is typically loaded into memory. In addition, apps usually require an additional, temporary in-memory workspace, for example to unpack or store data. This variable work area is known as the "heap". In most cyberattacks, the loader for a remote access agent is injected directly into the heap. That loader must then allocate additional executable memory from the heap in order to run the remote access agent itself. This is known as "heap-to-heap" memory allocation behavior. The security specialists at Sophos identified such behavior as a clear indicator of potentially suspicious activity and developed Dynamic Shellcode Protection, a protection that blocks code already running from the heap from obtaining execute permission on further heap memory.
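As an added illustration of the heap-to-heap rule described above, not Sophos's own implementation, the following Python models a process memory map and flags memory events in which code that already lives in the heap requests executable memory; the addresses, region names, protection labels and event format are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed process memory map: (start, end, kind). Addresses are made up.
REGIONS = [
    (0x00400000, 0x00480000, "image"),  # code loaded from the main executable
    (0x7FF00000, 0x7FF80000, "image"),  # code loaded from a library
    (0x01000000, 0x01100000, "heap"),   # dynamic heap work area
    (0x0019F000, 0x001A0000, "stack"),
]

EXEC_PROTECTIONS = {"RX", "RWX"}  # page protections that grant execute


@dataclass
class AllocEvent:
    """One constructed memory event (format is an assumption, not a real log)."""
    caller: int       # address of the code that made the request
    protection: str   # requested page protection, e.g. "RW", "RX", "RWX"
    kind: str         # "alloc" for a new region, "protect" for a change


def region_kind(addr):
    """Classify an address by the region it falls in."""
    for start, end, kind in REGIONS:
        if start <= addr < end:
            return kind
    return "unknown"


def is_heap_to_heap(ev):
    """The rule from the article: executable memory requested by code that
    itself already runs from the heap. Image-origin requests (JIT compilers,
    loaders inside a library) are deliberately not flagged."""
    return ev.protection in EXEC_PROTECTIONS and region_kind(ev.caller) == "heap"


def scan(events):
    """Return the indices of events the rule would block."""
    return [i for i, ev in enumerate(events) if is_heap_to_heap(ev)]


# Constructed sample events.
SAMPLE_EVENTS = [
    AllocEvent(0x00401234, "RW", "alloc"),    # normal app: data-only heap space, allowed
    AllocEvent(0x7FF01000, "RX", "alloc"),    # library code requesting executable memory: image origin, allowed
    AllocEvent(0x01004000, "RW", "alloc"),    # heap-resident code allocating data only: allowed
    AllocEvent(0x01004000, "RWX", "alloc"),   # heap-resident loader wanting executable heap: blocked
    AllocEvent(0x01008800, "RX", "protect"),  # heap-resident code making an existing heap buffer executable: blocked
]

if __name__ == "__main__":
    print(scan(SAMPLE_EVENTS))  # [3, 4]
```

The image-origin exception matters in practice: legitimate runtimes such as JIT compilers also allocate executable memory, which is why the rule keys on where the requesting code itself resides rather than on the executable allocation alone.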
Malware in memory is often not detected
“Malicious code always tries to evade detection, for example by camouflaging itself and loading it directly into memory. Such code is often not recognized by security tools, even if it is unpacked. Sophos forensics and security experts recognized that heap-to-heap memory allocation is a very common act of multi-level remote access agents and other attack code,” said Mark Loman, director of engineering at Sophos. “The primary goal is to prevent attackers from compromising individual computers or an entire network. That is why malware has to be detected very early in order to prevent access to login information, an extension of rights, lateral movements in the network or the collection, release and extraction of information, for example. With Dynamic Shellcode Protection, we are now in a position to meet precisely those requirements even more effectively.”
More on this at Sophos.com
About Sophos
More than 100 million users in 150 countries trust Sophos. We offer the best protection against complex IT threats and data loss. Our comprehensive security solutions are easy to deploy, use and manage, and they offer the lowest total cost of ownership in the industry. Sophos offers award-winning encryption solutions and security solutions for endpoints, networks, mobile devices, email and the web. In addition, there is support from SophosLabs, our worldwide network of analysis centers. Sophos is headquartered in Boston, USA and Oxford, UK.