Sophos has announced Dynamic Shellcode Protection, a defense that can protect organizations against cyberattacks that involve fileless malware and ransomware and remote access agents. The news comes after Sophos researchers discovered cybercriminals have been injecting covert attack code into the dynamic "Heap" region of computer memory to try to obtain additional Heap memory with code execution rights.
Dynamic Shellcode Protection can be triggered any time suspicious Heap-Heap memory allocation behavior is detected, Sophos said. In doing so, Dynamic Shellcode Protection can make it difficult for cybercriminals to use memory as part of their defense evasion techniques.
How Does Dynamic Shellcode Protection Work?
Dynamic Shellcode Protection detects and blocks Heap memory allocation barrier violations, Sophos Director of Engineering Mark Loman said. It is based on the fact that applications are stored in computer memory regions that have "execution" rights that enable apps to run.
Apps may need an additional, temporary, in-memory workspace (Heap memory) to unpack or store data, Sophos noted. In these instances, apps can request their Heap memory allocation to come with execution rights.
During a Heap-Heap attack, the loader for a remote access agent can be injected into Heap memory, Sophos pointed out. It then needs to obtain further executable memory from the Heap to accommodate the needs of the inbound remote access agent.
Dynamic Shellcode Protection prevents the allocation of execution permissions from one Heap memory to another to intercept cyberattacks that involve fileless malware and ransomware or remote access agents, Loman noted. It has been integrated into Sophos's Intercept X endpoint protection solution and is compatible with normal applications and does not leverage the cloud or machine learning.