Malware operators leverage TLS in 46% of detected communications


Urs Holzle, Senior Vice President for Technical Infrastructure at Google, speaks on the Google Cloud Platform during a Google I/O Developers Conference in San Francisco, California. A large portion of growth in TLS use by malware operators is attributed to increased use of legitimate web and cloud services protected by TLS, including Discord, Pastebin, Github and Google’s cloud services. (Photo by Stephen Lam/Getty Images)

Researchers have found that as Transport Layer Security (TLS) has grown to protect some 98% of all web page visits, the share of detected malware that communicates over TLS has risen from 23% in 2020 to nearly 46% today.

In a blog post Wednesday, Sophos researchers said malware operators have adopted TLS for essentially the same reason legitimate organizations have, to keep third parties from reading their traffic; in the operators' case, the third parties are defenders trying to detect and stop malware delivery and data theft.

Sophos linked a large portion of the growth in TLS use by malware operators to the increased abuse of legitimate web and cloud services that are themselves protected by TLS, including Discord, Pastebin, GitHub and Google's cloud services. These services are used as hosting for malware components, as drop points for stolen data, and as command-and-control relays that pass instructions to botnets and other malware. Sophos also attributed part of the growth to the use of Tor and other TLS-based network proxies to tunnel the command-and-control traffic between malware and the threat actors operating it.

As network and data encryption has become commonplace in protecting personal and enterprise data, Charles Herring, co-founder and chief technology officer of WitFoo, said cybercriminals have increasingly adopted the same advances in encryption to protect their own privacy in carrying out attacks.

“Cybersecurity analysts and investigators have had to adjust techniques to account for these obfuscation approaches from criminals,” Herring said. “Modern investigations require comprehending, corroborating and evolving data from endpoints, agents, servers, network and cloud data sources. SecOps that historically relied on deep network packet analysis to track down attackers are having to develop skills and tactics in other data domains to cover the gaps left by pervasive encryption.”
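Herring's point above, that defenders now have to work from connection metadata and endpoint telemetry rather than packet contents, as an added example (not code from Sophos, SC Media, or any vendor quoted in this article): the TLS ClientHello is still sent in cleartext, so its Server Name Indication (SNI) and the JA3 client fingerprint (the published JA3 method: TLS version, cipher suites, extension types, supported groups and point formats, joined and MD5-hashed, with GREASE values dropped) can be extracted without decrypting anything. The script below parses ClientHello records, joins them against endpoint process telemetry, and flags TLS connections to the legitimate services the article names when they originate from a non-browser process. Every hostname, process name and ClientHello byte string is constructed for the example; the flow records stand in for what a sensor such as Zeek and an EDR agent would supply.

```python
import hashlib
import struct

# RFC 8701 GREASE values; browsers insert them at random, so JA3 excludes them.
GREASE = {0x0A0A + 0x1010 * i for i in range(16)}


def build_client_hello(sni, ciphers, ext_types, curves=(29, 23, 24), formats=(0,)):
    """Build a minimal TLS 1.2 ClientHello record. Constructed test data, not a capture."""
    body = b"\x03\x03" + bytes(32) + b"\x00"  # version, random, empty session id
    body += struct.pack("!H", 2 * len(ciphers)) + b"".join(struct.pack("!H", c) for c in ciphers)
    body += b"\x01\x00"  # one compression method: null
    exts = b""
    for t in ext_types:
        if t == 0:  # server_name
            name = sni.encode()
            entry = b"\x00" + struct.pack("!H", len(name)) + name
            data = struct.pack("!H", len(entry)) + entry
        elif t == 10:  # supported_groups
            data = struct.pack("!H", 2 * len(curves)) + b"".join(struct.pack("!H", g) for g in curves)
        elif t == 11:  # ec_point_formats
            data = bytes([len(formats), *formats])
        else:
            data = b""
        exts += struct.pack("!HH", t, len(data)) + data
    body += struct.pack("!H", len(exts)) + exts
    hs = b"\x01" + len(body).to_bytes(3, "big") + body  # handshake type 1 = client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


def parse_client_hello(rec):
    """Return SNI, JA3 string and JA3 hash from a ClientHello record (all cleartext fields)."""
    if rec[0] != 0x16 or rec[5] != 0x01:
        raise ValueError("not a TLS ClientHello record")
    p = 9  # 5-byte record header + 4-byte handshake header
    version = struct.unpack("!H", rec[p:p + 2])[0]
    p += 2 + 32  # version, random
    p += 1 + rec[p]  # session id
    n = struct.unpack("!H", rec[p:p + 2])[0]
    p += 2
    ciphers = [c for c in struct.unpack(f"!{n // 2}H", rec[p:p + n]) if c not in GREASE]
    p += n
    p += 1 + rec[p]  # compression methods
    end = p + 2 + struct.unpack("!H", rec[p:p + 2])[0]
    p += 2
    ext_types, curves, formats, sni = [], [], [], None
    while p < end:
        t, ln = struct.unpack("!HH", rec[p:p + 4])
        p += 4
        data = rec[p:p + ln]
        p += ln
        if t in GREASE:
            continue
        ext_types.append(t)
        if t == 0:  # server_name: list_len(2) type(1) name_len(2) name
            name_len = struct.unpack("!H", data[3:5])[0]
            sni = data[5:5 + name_len].decode()
        elif t == 10:
            m = struct.unpack("!H", data[:2])[0]
            curves = [g for g in struct.unpack(f"!{m // 2}H", data[2:2 + m]) if g not in GREASE]
        elif t == 11:
            formats = list(data[1:1 + data[0]])
    fields = [str(version)] + ["-".join(map(str, x)) for x in (ciphers, ext_types, curves, formats)]
    ja3 = ",".join(fields)
    return {"sni": sni, "ja3": ja3, "ja3_hash": hashlib.md5(ja3.encode()).hexdigest()}


# Legitimate TLS services the article names as abused for hosting, exfiltration and C2.
ABUSED_HOSTS = {"discord.com", "discordapp.com", "pastebin.com", "github.com",
                "githubusercontent.com", "googleapis.com"}
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe"}  # assumed endpoint process names


def is_abused_service(host):
    return any(host == d or host.endswith("." + d) for d in ABUSED_HOSTS)


def triage(flows):
    """Join TLS metadata with endpoint process telemetry; return flows worth an analyst's time."""
    findings = []
    for f in flows:
        hello = parse_client_hello(f["client_hello"])
        host = hello["sni"] or ""
        if is_abused_service(host) and f["process"].lower() not in BROWSERS:
            findings.append({"src": f["src"], "process": f["process"],
                             "sni": host, "ja3": hello["ja3_hash"]})
    return findings


# Constructed flow records: src host, originating process (from EDR), captured ClientHello.
BROWSER_CIPHERS = [0x1301, 0x1302, 0x1303, 0xC02B, 0xC02F]
SAMPLE_FLOWS = [
    {"src": "ws-17", "process": "chrome.exe",
     "client_hello": build_client_hello("discord.com", BROWSER_CIPHERS, [0, 10, 11])},
    {"src": "ws-17", "process": "svchost_update.exe",
     "client_hello": build_client_hello("cdn.discordapp.com", [0xC02F, 0x009C], [0, 10, 11])},
    {"src": "ws-22", "process": "python.exe",
     "client_hello": build_client_hello("pastebin.com", [0x1301, 0xC02B], [0, 11, 10])},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_FLOWS):
        print(finding)
```

Two caveats a practitioner should keep in mind: the SNI match only works while the server name is sent in the clear, so Encrypted Client Hello removes that signal, and a process-name allowlist is defeated by malware that injects into a browser. The JA3 hash is carried along as a corroborating field to pivot on, not as a verdict on its own.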

Zach Jones, senior director of detection research at WhiteHat Security, said the evolution and growth of TLS has been driven by a clear recognition that TLS serves as a foundational requirement to secure application delivery.

“Setting up TLS for any application – including malware – has become very easy,” Jones said. “Therefore it’s a simple way for malware authors to decrease the chance of their command and control communications being flagged as malicious.”