Malproxying: Leave Your Malware at Home

DEF CON 27

Presented by: Hila Cohen, Amit Waisel
Date: Sunday August 11, 2019
Time: 12:00 - 12:45
Location: Track 2

During a classic cyber attack, one of the major offensive goals is to execute code remotely on valuable machines. The purpose of that code varies on the spectrum from information extraction to physical damage. As defenders, our goal is to detect and eliminate any malicious code activity, while hackers continuously find ways to bypass the most advanced detection mechanisms. It’s an endless cat-and-mouse game where new mitigations and features are continuously added to the endpoint protection solutions and even the OS itself in order to protect the users against newly discovered attack techniques. In this talk, we present a new approach for malicious code to bypass most of endpoint protection measures. Our approach covertly proxies the malicious code operations over the network, never deploying the actual malicious code on the victim side. We are going to execute code on an endpoint, without really storing the code on disk or loading it to memory. This technique potentially allows attackers to run malicious code on remote victims, in such a way that the code is undetected by the victim’s security solutions. We denote this technique as “malproxying”.

Hila Cohen

Hila Cohen is a passionate Security Researcher at XM Cyber, where she investigates new attack techniques and develops detection and mitigation capabilities. Hila has a vast knowledge in the fields of malware analysis, reverse engineering and incident response.

Amit Waisel

Amit Waisel is a Senior Technical Leader at XM Cyber. He is a seasoned data security expert with vast experience in cyber offensive projects. Prior to XM Cyber, Amit filled multiple data security positions in the Israeli intelligence community. Amit is well experienced with malware detection and analysis techniques, operating system internals and security-oriented software development. He graduated with honors from Tel Aviv University with a MSc. in Computer Science.


KhanFu - Mobile schedules for INFOSEC conferences.
Mobile interface | Alternate Formats