Sophos researchers have worked out a way to defend against such malware in memory based on how it behaves. They found that attack code shares a common behaviour in memory regardless of the type of code or its purpose. To begin with, a small file known as a “loader” is injected into heap memory. Sophos researchers have designed a practical protection that blocks the allocation of execution permissions from one heap memory region to another. Sophos has identified a characteristic – ‘Heap-Heap’ memory allocation – that is typical across multi-stage remote access agents and other attack code being loaded into memory, and has built protection against it. Dynamic Shellcode Protection is integrated into Sophos Intercept X.
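To make the Heap-Heap heuristic concrete, here is an added illustration that models it as a rule over memory-protection-change events; it is not Sophos's code, and the region map, event tuples, `PAGE_EXECUTE`/`PAGE_READWRITE` values and function names are constructed for the example. The rule flags a request only when both the requesting code and the target memory sit in heap regions and the request adds execute permission, so a mapped image making heap executable (ordinary loader or JIT behaviour) is left alone.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple
# Region kinds in this model: "image" (mapped module), "heap" (private allocation), "stack".
@dataclass
class Region:
    start: int   # inclusive
    end: int     # exclusive
    kind: str

PAGE_EXECUTE = 0x10    # constructed bit: execute permission requested
PAGE_READWRITE = 0x04  # constructed bit: read/write only

def find_region(regions: List[Region], addr: int) -> Optional[Region]:
    """Return the region containing addr, or None for unmapped memory."""
    for r in regions:
        if r.start <= addr < r.end:
            return r
    return None

def is_heap_heap_exec(regions: List[Region], caller_addr: int,
                      target_addr: int, new_protect: int) -> bool:
    """True when code running from heap asks for execute permission on heap
    memory (the Heap-Heap pattern); requests from a mapped image are not flagged."""
    if not new_protect & PAGE_EXECUTE:
        return False
    caller = find_region(regions, caller_addr)
    target = find_region(regions, target_addr)
    if caller is None or target is None:
        return False
    return caller.kind == "heap" and target.kind == "heap"

# Constructed memory map and protection-change events for the demonstration.
SAMPLE_REGIONS = [
    Region(0x00400000, 0x00450000, "image"),
    Region(0x10000000, 0x10100000, "heap"),
    Region(0x20000000, 0x20100000, "heap"),
    Region(0x7FF00000, 0x7FF20000, "stack"),
]
# (caller address, target address, requested protection)
SAMPLE_EVENTS: List[Tuple[int, int, int]] = [
    (0x00401000, 0x10000500, PAGE_EXECUTE),    # image marks heap executable: not flagged
    (0x10000500, 0x20000100, PAGE_EXECUTE),    # heap loader makes second heap executable: flagged
    (0x10000500, 0x20000100, PAGE_READWRITE),  # heap-to-heap but no execute bit: not flagged
]

def flag_events(regions: List[Region], events: List[Tuple[int, int, int]]) -> List[int]:
    """Return the indices of events that match the Heap-Heap rule."""
    return [i for i, (c, t, p) in enumerate(events)
            if is_heap_heap_exec(regions, c, t, p)]
```

Running `flag_events(SAMPLE_REGIONS, SAMPLE_EVENTS)` returns `[1]`: only the heap-resident caller that makes another heap region executable is caught, which is the behaviour the protection described above is built around.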
Source: The Nation March 12, 2021 22:06 UTC