Researchers from cybersecurity firm Sophos have reported that the use of Transport Layer Security (TLS) encrypted communications by malware has doubled in a year. TLS lets cybercriminals privately share information between a command-and-control (C2) server and a website, shielding that traffic from security systems.
What has been discovered?
In 2020, around 23% of malware was found to be communicating with a remote system over the internet using TLS. That share has since doubled to 46%.
- A significant fraction of the TLS traffic used a port other than 443, for example malware tunnelling through a SOCKS or Tor proxy on a non-standard port.
- Of the malware hosts on ports other than 443, 80, and 8080 that had TLS certificates associated with them, 49% used certificates issued by a Certificate Authority; a small fraction used self-signed certificates.
- The growth in overall TLS use by malware is linked to the fact that TLS-protected cloud services (such as GitHub, Pastebin, Discord, and Google's cloud services) are increasingly used as repositories for malware components, as destinations for stolen data, and as channels for sending commands to botnets or malware.
- The increase is also linked to the use of Tor and other TLS-based network proxies for malicious communication between malware and the attackers behind it.
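As an added illustration that is not part of the Sophos report, the following triage heuristic scores constructed TLS connection records on the signals listed above: non-standard ports, self-signed certificates, missing SNI, and connections to the cloud services named here. The record fields, the service list and the scoring weights are assumptions, not figures from the research.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Ports where TLS traffic is routinely expected (the three the report singles out).
STANDARD_TLS_PORTS = {443, 80, 8080}
# Assumed SNI suffixes for cloud services the report names as abused for staging.
ABUSED_SERVICE_SUFFIXES = ("pastebin.com", "github.com", "githubusercontent.com",
                           "discord.com", "discordapp.com")

@dataclass
class TlsFlow:
    """One TLS session as a sensor such as a Zeek ssl.log would summarise it (field names assumed)."""
    src: str
    dst: str
    dport: int
    sni: str           # Server Name Indication; "" when the client sent none
    self_signed: bool  # leaf certificate does not chain to a trusted CA
    issuer: str

def _matches(sni: str, suffix: str) -> bool:
    return sni == suffix or sni.endswith("." + suffix)

def score_flow(flow: TlsFlow) -> Tuple[int, List[str]]:
    """Return (score, reasons). Higher score means the session deserves a closer look."""
    score, reasons = 0, []
    if flow.dport not in STANDARD_TLS_PORTS:
        score += 2; reasons.append(f"tls on non-standard port {flow.dport}")
    if flow.self_signed:
        score += 2; reasons.append("self-signed certificate")
    if not flow.sni:
        score += 1; reasons.append("no SNI")
    if any(_matches(flow.sni, s) for s in ABUSED_SERVICE_SUFFIXES):
        # Weak on its own: these services carry plenty of legitimate traffic.
        score += 1; reasons.append(f"connection to commonly abused service {flow.sni}")
    return score, reasons

def triage(flows: List[TlsFlow], threshold: int = 2) -> List[dict]:
    """Return flows scoring at or above the threshold, highest score first."""
    hits = []
    for f in flows:
        score, reasons = score_flow(f)
        if score >= threshold:
            hits.append({"dst": f"{f.dst}:{f.dport}", "score": score, "reasons": reasons})
    return sorted(hits, key=lambda h: h["score"], reverse=True)

SAMPLE_FLOWS = [  # constructed records, documentation IP ranges only
    TlsFlow("10.0.0.5", "203.0.113.10", 443, "www.example.com", False, "Example CA"),
    TlsFlow("10.0.0.5", "203.0.113.44", 9001, "", True, "self"),  # Tor-like: odd port, no SNI
    TlsFlow("10.0.0.7", "198.51.100.3", 443, "pastebin.com", False, "Public CA"),
    TlsFlow("10.0.0.9", "192.0.2.77", 8443, "cdn.example.net", False, "Public CA"),
]
```

Note that the Pastebin session alone stays below the threshold: the report's point is that such services blend in, so a defender needs corroborating signals (or the host-side context of which process made the connection) before raising an alert.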
Malware using the TLS protocol
Malware authors actively use TLS-enabled infrastructure, helped by the fact that malware delivery snippets are freely available online.
- In February, a dropper for AgentTesla was found accessing Pastebin over TLS to retrieve chunks of code.
- Cobalt Strike beacons and Metasploit Meterpreter made up over 1% of all detected malware using TLS.
Malware operators are increasingly adopting TLS to prevent defenders from detecting malicious activity. In addition, several droppers and loaders use legitimate websites and cloud services with built-in TLS support to further disguise their traffic. These trends are expected to keep growing in the near future.