Theres’s been a huge uptick in the proportion of malware using TLS or the Transport Layer Security to communicate without being spotted, cybersecurity firm Sophos reports.
While HTTPS helps prevent eavesdropping, man-in-the-middle attacks, and hijackers who try to impersonate a trusted website, the protocol has also offered cover for cybercriminals to privately share information between a website and a command and control server — hidden from the view of malware hunters.
“It should come as no surprise, then, that malware operators have also been adopting TLS … to prevent defenders from detecting and stopping deployment of malware and theft of data,” Sophos said.
Malware communications fall into three main categories: downloading more malware, exfiltration of stolen data, or command and control. All these types of communications can take advantage of TLS encryption to evade detection by defenders, the security company said.
According to Sophos, a year ago 24% of malware was using TLS to communicate but today that proportion has risen to 46%.
Sophos said a large portion of the growth in overall TLS use by malware can be linked in part to the increased use of legitimate web and cloud services protected by TLS as unwitting storage for malware components, as destinations for stolen data, or even to send commands to botnets and other malware.
It also said it has seen an increase in the use of TLS use in ransomware attacks over the past year, especially in manually-deployed ransomware—in part because of attackers’ use of modular offensive tools that leverage HTTPS.
“But the vast majority of what we detect day-to-day in malicious TLS traffic is from initial-compromise malware: loaders, droppers and document-based installers reaching back to secured web pages to retrieve their installation packages,” it said.
“We found that while TLS still makes up an average of just over two percent of the overall traffic Sophos classifies as “malware callhome” over a three-month period, 56 percent of the unique C2 servers (identified by DNS host names) that communicated with malware used HTTPS and TLS.”
One dropper it highlights is the PowerShell-based LockBit ransomware, which remotely grabbed scripts from a Google Docs spreadsheet via TLS. But malware operators often use multiple web services for different functions.