Mumbai: The memory of a hacked computer is a popular hiding place for malware, according to Sophos. Security scans don’t tend to cover memory, so malware hiding there is less likely to be detected and blocked.
Memory-resident malware includes ransomware and remote access agents. In such attacks, the attackers try to install the attack code or hide the malware in the memory of the hacked systems. Remote access agents are the enablers for the rest of an attack, so the earlier they are spotted and blocked the better.
Sophos researchers have worked out a way to defend against such malware in memory based on how it behaves. They found that attack code shares a common behaviour in memory regardless of the type of code or its purpose.
· Attack code is injected into a part of memory known as the “Heap”, unlike normal software applications, which are installed in the main memory region.
The Heap provides temporary additional memory space for applications that need some extra room, for example to store or unpack code.
· Adversaries add their attack code in stages, beginning with a small file known as a “loader” that is injected into Heap memory.
The loader then needs extra Heap memory space to accommodate the main payload, which could be a remote access agent like Cobalt Strike. That extra memory must be allocated “execution” rights so the malware can run.
Sophos researchers have designed practical protection that blocks the allocation of execution permissions from one Heap memory to another. This protection is named Dynamic Shellcode Protection.
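The behaviour described above can be modelled as a rule over allocation requests: code that itself runs from Heap memory asks for more Heap memory with execution rights. The sketch below is an added illustration, not Sophos code and not part of the original article; the region kinds, permission strings, addresses and function names are constructed assumptions, and treating a caller of unknown origin like Heap code is also an assumption.

```python
from dataclasses import dataclass

EXEC = "x"  # execute flag in a constructed "rwx"-style permission string

@dataclass(frozen=True)
class Region:
    start: int
    size: int
    kind: str   # "image" = installed program code, "heap" = dynamic memory
    perms: str

    def contains(self, addr: int) -> bool:
        return self.start <= addr < self.start + self.size

@dataclass(frozen=True)
class AllocRequest:
    caller: int  # address of the code asking for memory
    size: int
    perms: str

def region_of(regions, addr):
    return next((r for r in regions if r.contains(addr)), None)

def decide(regions, req):
    """Return 'allow' or 'block' for one Heap allocation request."""
    if EXEC not in req.perms:
        return "allow"   # data-only Heap memory is normal application behaviour
    src = region_of(regions, req.caller)
    if src is None or src.kind == "heap":
        return "block"   # Heap (or unknown) code asking for executable Heap
    return "allow"       # caller runs from an installed program image

def replay(regions, requests, next_base=0x7000_0000):
    """Apply the rule to a sequence of requests and return the verdicts."""
    regions, verdicts = list(regions), []
    for req in requests:
        verdict = decide(regions, req)
        verdicts.append(verdict)
        if verdict == "allow":   # granted memory becomes a new Heap region
            regions.append(Region(next_base, req.size, "heap", req.perms))
            next_base += req.size
    return verdicts

# Constructed sample: one program image and a Heap region already holding a loader.
REGIONS = [Region(0x0040_0000, 0x10000, "image", "rx"),
           Region(0x0200_0000, 0x1000, "heap", "rwx")]
REQUESTS = [AllocRequest(0x0040_1234, 0x2000, "rw"),    # program wants scratch space
            AllocRequest(0x0040_2000, 0x4000, "rwx"),   # program wants executable Heap
            AllocRequest(0x0200_0040, 0x80000, "rwx"),  # loader wants room for a payload
            AllocRequest(0x7000_2100, 0x1000, "rwx")]   # code in granted Heap asks again
```

Replaying the sample allows the two requests that come from the program image and blocks the two that originate in Heap memory, including the one made from memory the rule itself granted earlier.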
Preventing attackers from taking hold in a compromised network is the goal of defenders everywhere, according to Mark Loman, Director of Engineering, Sophos.
“This goal is critical because once a remote access agent has been installed, it can facilitate most of the active adversary tactics that will take place during the attack. These include execution, credential access, privilege escalation, discovery, lateral movement, collection, exfiltration, and the release of the ransomware,” said Loman.
“Code intended for malicious use evades detection by being heavily obfuscated, packed and loaded directly into memory. Security tools do not routinely scan computer memory. When the code is de-obfuscated and unpacked in order to run, its presence is often undetected,” explained Loman.
He said that Sophos has identified a characteristic: “Heap-Heap memory allocation – that is typical across multi-stage remote access agents and other attack code being loaded into memory – and has built protection against it,” said Loman.
Dynamic Shellcode Protection integrated into Sophos Intercept X is already having an impact, uncovering the presence in memory of Cobalt Strike in a Conti ransomware attack.