The volume of malware hidden in encrypted traffic has doubled over the past few months as threat actors look to circumvent security tools, according to Sophos.
The security vendor claimed that 23% of the malware it detected in 2020 used the Transport Layer Security (TLS) protocol to encrypt its network communications. In the first three months of 2021, that share had grown to nearly 46%.
The rise tracks the wider adoption of TLS by popular web services that threat actors abuse, explained senior threat researcher Sean Gallagher.
“A large portion of the growth in overall TLS use by malware can be linked in part to the increased use of legitimate web and cloud services protected by TLS — such as Discord, Pastebin, GitHub and Google’s cloud services — as repositories for malware components, as destinations for stolen data, and even to send commands to botnets and other malware,” he explained.
“It is also linked to the increased use of Tor and other TLS-based network proxies to encapsulate malicious communications between malware and the actors deploying them.”
The challenge with criminals using these services is that they not only hide their activity from security tools, but also benefit from the “safe” reputation of these well-known platforms, Gallagher claimed.
Nearly half of all malicious TLS connections in Q1 2021 went to servers in the US and India. This is partly explained by Google cloud services, the destination for 9% of TLS malware call-homes, and India's BSNL, which accounted for 6%.
Gallagher said Sophos had also seen an increase in the use of TLS encryption in customized ransomware attacks, in the form of “modular offensive tools” that use HTTPS. However, the vast majority of malicious TLS traffic is from malware designed to deliver initial compromise of a victim — for example, loaders, droppers and document-based installers, he added.
TLS encryption is also being used to hide the exfiltration of data from compromised networks and C&C communications, said Gallagher.
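The article's point in the passages above is that TLS hides the payload, not necessarily the destination: the Server Name Indication (SNI) in a TLS 1.2 ClientHello, and in TLS 1.3 without Encrypted Client Hello, is sent in cleartext. The following is an added example, not Sophos's code or tooling: it parses the SNI out of ClientHello records and flags connections to the services named in the article, and treats a ClientHello with no SNI at all (typical of Tor and raw-IP C2) as its own signal. The watchlist, host names and sample flows are constructed for the example; the addresses are from RFC 5737 documentation ranges.

```python
"""Extract the TLS SNI from ClientHello records and flag connections to web/cloud
services abused as malware repositories, exfiltration drop points and C&C channels.
Added example, not Sophos code. Watchlist and sample flows are constructed."""
import struct

# Services named in the article. Constructed watchlist: a match is not proof of
# malice, only a reason to check which process on the host opened the connection.
ABUSED_SERVICES = {
    "discord.com": "Discord",
    "discordapp.com": "Discord",
    "pastebin.com": "Pastebin",
    "github.com": "GitHub",
    "githubusercontent.com": "GitHub",
    "googleapis.com": "Google Cloud",
}


def build_client_hello(sni=None):
    """Build a minimal TLS 1.2 ClientHello record; sni=None omits the extension.
    Exists only to construct sample traffic for this example."""
    extensions = b""
    if sni is not None:
        name = sni.encode()
        entry = b"\x00" + struct.pack("!H", len(name)) + name  # name_type 0 = host_name
        sni_list = struct.pack("!H", len(entry)) + entry
        extensions += struct.pack("!HH", 0x0000, len(sni_list)) + sni_list
    body = (
        b"\x03\x03"                                  # client_version TLS 1.2
        + b"\x11" * 32                               # random (fixed for the example)
        + b"\x00"                                    # empty session_id
        + struct.pack("!H", 2) + b"\xc0\x2f"         # one cipher suite
        + b"\x01\x00"                                # compression: null only
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # type + 3-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_sni(record):
    """Return the host_name from a ClientHello record, or None if no SNI is present.
    Raises ValueError for anything that is not a well-formed ClientHello record."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs_len = int.from_bytes(record[6:9], "big")
    if rec_len != hs_len + 4 or len(record) < 5 + rec_len:
        raise ValueError("truncated record or inconsistent lengths")
    end = 5 + rec_len
    p = 9 + 2 + 32                                   # skip client_version and random
    p += 1 + record[p]                               # session_id
    p += 2 + struct.unpack("!H", record[p:p + 2])[0]  # cipher_suites
    p += 1 + record[p]                               # compression_methods
    if p + 2 > end:                                  # no extensions block at all
        return None
    ext_end = p + 2 + struct.unpack("!H", record[p:p + 2])[0]
    p += 2
    while p + 4 <= ext_end:
        etype, elen = struct.unpack("!HH", record[p:p + 4])
        data = record[p + 4:p + 4 + elen]
        p += 4 + elen
        if etype != 0x0000:                          # not server_name
            continue
        q = 2                                        # skip server_name_list length
        while q + 3 <= len(data):
            ntype, nlen = data[q], struct.unpack("!H", data[q + 1:q + 3])[0]
            if ntype == 0:
                return data[q + 3:q + 3 + nlen].decode("ascii", "replace")
            q += 3 + nlen
    return None


def triage(flows):
    """flows: iterable of (src_host, dst_ip, client_hello_bytes). Returns alert strings."""
    alerts = []
    for src, dst, record in flows:
        sni = parse_sni(record)
        if sni is None:
            # Tor and raw-IP C&C commonly send no SNI; with the payload opaque,
            # the missing name is the one thing left to pivot on.
            alerts.append(f"{src} -> {dst}: TLS ClientHello with no SNI")
            continue
        for suffix, service in ABUSED_SERVICES.items():
            if sni == suffix or sni.endswith("." + suffix):
                alerts.append(f"{src} -> {dst}: {service} ({sni}); verify the client process")
                break
    return alerts


SAMPLE_FLOWS = [  # constructed flows, not captured traffic; RFC 5737 addresses
    ("ws-17", "192.0.2.10", build_client_hello("cdn.discordapp.com")),
    ("ws-17", "192.0.2.11", build_client_hello("pastebin.com")),
    ("ws-22", "198.51.100.5", build_client_hello("www.example.com")),
    ("ws-09", "203.0.113.7", build_client_hello(None)),
]

if __name__ == "__main__":
    for line in triage(SAMPLE_FLOWS):
        print(line)
```

Run against real traffic this is a triage feed, not a verdict: the same Discord or GitHub name appears in ordinary browsing, so the alert has to be joined with the process that opened the socket (as Gallagher's point about "safe" reputations implies). Encrypted Client Hello, where deployed, removes the SNI signal entirely, and the no-SNI branch then needs a per-segment baseline rather than a blanket rule.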