NEWS > March 2021

Covert Code Trying To Run in Memory is Blocked by New Sophos Protection Against “Heap-Heap” Permission Violations

 

 

 

 

 

 

Covert Code Trying To Run in Memory is Blocked by New Sophos Protection Against “Heap-Heap” Permission Violations

March 4, 2021- Sophos, a global leader in next-generation cybersecurity, today revealed a new defense against adversaries trying to evade detection by loading fileless malware, ransomware and remote access agents into the temporary memory of compromised computers. In a new blog post, “Covert Code Faces a Heap of Trouble in Memory,” Sophos researchers detail how they discovered that covert attack code is injected directly into the dynamic “Heap” region of computer memory and then tries to obtain additional “Heap” memory with code execution rights, a behavior not seen in ordinary software. The researchers developed a new protection that is triggered whenever such “Heap-Heap” memory allocation behavior is detected.

The defense, called Dynamic Shellcode Protection, will make it significantly harder for adversaries to use memory as part of their arsenal of defense evasion techniques.

As Sophos recently reported in a series of articles on the realities of Conti ransomware, the memory of compromised computers is a popular hiding place for adversaries looking to conceal their presence from defenders while they load and execute the remote access agents that will serve as enablers for the rest of the attack. In the case of Conti, the remote access agent used was Cobalt Strike.

“Preventing attackers from taking hold in a compromised network is the goal of defenders everywhere,” said Mark Loman, director of engineering, Sophos. “This goal is critical because once a remote access agent has been installed, it can facilitate most of the active adversary tactics that take place during the attack. These include execution, credential access, privilege escalation, discovery, lateral movement, collection, exfiltration, and the release of the ransomware.

Dynamic Shellcode Protection is based on the fact that code such as applications are stored in memory regions that have “execution” rights. This enables the apps to run. However, the apps generally need some additional, temporary, in-memory workspace, for example to unpack or store data. This variable workspace is commonly called “Heap” memory. Apps can request their Heap memory allocation to come with execution rights.

In most cyberattacks, however, the loader for a remote access agent is injected directly into Heap memory. It then needs to obtain further executable memory from the Heap in order to accommodate the needs of the inbound remote access agent. This is referred to as “Heap-Heap” memory allocation behavior.

Dynamic Shellcode Protection is integrated into Sophos Intercept X .

Sophos solutions are available in UK through Simple IT Distribution LTD, Sophos Partner in UK.

 

About Simple IT Distribution LTD

Simple IT Distribution LTD is backed by 10 years of experience in Value Added IT Distribution. What sets us apart from the crowd is our customer-centric approach, the quality services (consulting, implementation, training, support), and the people behind them, which are experienced and certified proffessionals. We provide sales and technical advice and deliver the solutions that best meed our customers' diverse technology needs. Our partners are hand-picked from the top vendors, and we back up their solutions with certified professionals, to give you nothing but the best.

For more information, please visit www.simpleit-distribution.co.uk .