Table of Contents
Despite growing business investments in cybersecurity and new breakthrough innovations, something funny keeps happening: cybercrime continues to accelerate, innovate and succeed.
One of the more innovative techniques that is happening with greater frequency than ever is in memory, runtime-based attacks. These differ from traditional attacks that rely on malicious executables stored on disk, instead operating within application memory during runtime. As a result, they leave virtually no evidence for defenders to detect – it’s the perfect cybercrime.
One type of in-memory, runtime-based attack is process injection, which executes malicious code within the memory space of legitimate running processes. It leverages multiple methods of injecting code, including PE Injection, thread execution hijacking, Atom Bombing and others.
A subset of this technique is memory code injection, which writes code directly into memory. In this instance, the malware then distributes and re-injects itself into legitimate processes. This includes those that are vital to normal Windows operating activities.
These in-memory techniques represent a fundamental shift in the threat landscape, creating challenges for organizations that rely on traditional detection-based defenses alone. Naturally, since attackers are finding success with these techniques, they are not going away – according to Google’s Project Zero, two-thirds of zero-day exploits detected in the wild in 2024 utilized memory corruption vulnerabilities, highlighting their persistent exploitation by attackers.
Here’s a deeper look into why these in-memory attacks are wreaking such havoc for security teams today.
A Shift Beyond Traditional Malware
In the not-so-distant past, the majority of cyber-attacks depended on executables, and these left clear evidence on disk. For example, attackers would install malicious software onto victim devices.
From there, endpoint protection platforms (EPP), endpoint detection and response (EDR/XDR), and antivirus (AV) solutions would scan for known attack patterns, suspicious behaviors and identifiable signatures. Next, security teams would identify and neutralize threats. In a world of traditional malware, this approach was sufficient. However, when it comes to modern attack chains that exploit runtime memory, it’s a different story.
In-memory attacks bypass traditional defenses because they don’t create permanent files on a system. This is like asking Sherlock Holmes to use his magnifying glass to look for fingerprints and other clues that simply don’t exist. Some examples of this new age of malware strains include Emotet, Jupyter and Cobalt Strike which execute directly in memory.
This allows attackers to manipulate legitimate processes, escalate privileges or move laterally within a victim’s environment – all while evading signature-based detection tools.
The Challenges of Scanning Device Memory
One of the primary reasons in-memory attacks are so difficult to detect and prevent is that data is temporary and constantly changing. Making matters worse, it exists only while systems are on, which makes securing a representative snapshot of memory at any given moment challenging.
Adding to the challenge is that any power loss or system reboot will result in a total loss of all critical evidence. So, what options does this leave for defense? Companies would require a solution capable of:
- Continuously scanning large memory regions for suspicious activity
- Identifying malicious patterns within complex, dynamic runtime environments
- Doing so without negatively impacting application performance
Also consider the scale of what we’re talking about. In a typical runtime environment, a single application may use 4GB or more of virtual memory. To scan this memory space on a regular basis in search of potentially malicious activity and doing so in real-time is impracticable.
In fact, even the best technologies in use right now can only scan about 3-4% of this memory, which provides attackers with plenty of places to lurk in the shadows. Adding to the challenge is the fact that businesses use hundreds of applications on a daily basis.
Today’s increasingly sophisticated threats use polymorphism to alter their structure dynamically while retaining functionality, even during runtime. As a result of this obfuscation, a piece of malicious code can change every time the team runs a scan, which allows it to easily avoid signature-based detection.
Attackers can also tamper with or bypass memory hooks. Defenders rely on memory hooks to monitor runtime activity, so when they are damaged or avoided, a team’s ability to examine memory processes dwindles dramatically.
In-Memory Threats in Action
In-memory attacks aren’t new. They first emerged in the mid-2010s, with the best example being the Angler Exploit Kit. Since then, in-memory techniques have surged. Today, rather than targeting individual endpoints, in-memory attacks target critical infrastructure, including servers and virtualized environments. The goal is often to exfiltrate sensitive data, deploy ransomware and disrupt operations.
A Call for Preventive Measures
Given the stealth and adaptability of in-memory attacks, relying solely on detection and response capabilities is insufficient. Traditional tools designed to identify post-compromise activity often fail to catch these threats until significant damage has been done. Instead, organizations must prioritize proactive measures to prevent runtime memory compromise.
One effective approach involves creating a dynamic defense environment that randomizes memory structures, APIs and system resources during runtime, which naturally makes it significantly harder for attackers to locate and exploit vulnerabilities. This strategy does something the more traditional ones don’t: it forces attackers to adapt to an unpredictable and shifting landscape.
However, this randomization alone is just part of a winning recipe. Organizations should also deploy multi-layered preemptive cyber defense strategies that combine advanced endpoint protection, behavioral analytics, threat intelligence and automated moving target defense technology to proactively stop threats before they can do damage.
Regular patching and hardening of systems, particularly those with memory-intensive applications, are also essential to maintain good hygiene. Comprehensive employee training and robust access controls further reduce the risk of exploitation.
Conclusion
In-memory runtime attacks represent some of the most sophisticated and disruptive threats in the modern cyber landscape. By leveraging the fast-moving nature of application memory, these attacks evade traditional defenses and exploit fundamental vulnerabilities in runtime environments.
It’s imperative that businesses take action to strengthen defenses against in-memory in order to safeguard their sensitive data, maintain operational continuity and protect organizations from reputational and financial harm.
In this rapidly changing threat environment, building resilience with a preemptive cyber defense approach is essential for any organization striving to stay ahead of adversaries.
