Secure Communication Used in Nearly 50% of Malware Attacks to Evade Detection

Sophos data shows an increasing number of malware and ransomware threat actors are using TLS to hide communication and cyberattack activities.

By Jessica Davis

Research from cybersecurity firm Sophos shows an increasing number of malware threat actors are leveraging Transport Layer Security (TLS) to hide communication between the victim and their command-and-control (C2) server.

The TLS cryptographic protocol was designed to protect the confidentiality and integrity of legitimate web, messaging, and application traffic. It underpins HTTPS, STARTTLS for email, Tor, and many virtual private networks (VPNs).

SSL/TLS encryption is the industry-standard method for protecting data in transit, and attacks that ride inside those encrypted channels are not new. Earlier research from Zscaler ThreatLabZ found attackers using encrypted channels to bypass legacy security controls that can only inspect plaintext.

That research found SSL-based attacks had increased by 260 percent since 2019, with the healthcare sector as the leading target.

Attackers adopt TLS because an encrypted payload defeats content inspection on the wire, which keeps defenders from detecting and blocking malware delivery and data theft. In 2020, malware using TLS to evade detection made up 23 percent of attacks.

Since the start of 2021, researchers have observed TLS-based communications in 46 percent of overall attacks. Unencrypted HTTP over port 80 is the second-most used channel in 2021, accounting for 31.2 percent of overall malware attacks.

To better understand how the use of TLS for malware deployment has changed, Sophos used its detection telemetry data to measure how often TLS is used by malware, the most common malware leveraging the protocol, and how the malware uses the encrypted communications.

Sophos found that while TLS made up just 2 percent of overall traffic classified as "malware callhome" in the last three months, 56 percent of the unique C2 servers that communicated with malware used HTTPS and TLS. About 25 percent of that C2 infrastructure resides in Google's cloud environment.

Malware communications fall into three main categories: to download further malware, to exfiltrate data, and to retrieve or send instructions to launch specific functions.

“All these types of communications can take advantage of TLS encryption to evade detection by defenders,” researchers explained. “But the majority of TLS traffic we found tied to malware was of the first kind: droppers, loaders and other malware downloading additional malware to the system they infected, using TLS to evade basic payload inspection.”

“It doesn’t take much sophistication to leverage TLS in a malware dropper, because TLS-enabled infrastructure to deliver malware or code snippets is freely available,” they added. “Frequently, droppers and loaders use legitimate websites and cloud services with built-in TLS support to further disguise the traffic.”

Researchers have seen a range of attacks with these behavioral tactics. For example, a PowerShell-based dropper used in a LockBit ransomware attack was seen retrieving additional script from a Google Docs spreadsheet and from another website, both over TLS.

In another example, an AgentTesla dropper was observed accessing Pastebin over TLS to retrieve malicious code. AgentTesla is an information stealer that often functions as a remote access trojan. It was recently updated with an option to route its traffic through Tor, which itself wraps connections in TLS.

In both instances, Google and Pastebin quickly took down the documents and pages hosting the malware. Researchers explained that many of these C2 sources are abandoned after just one spam campaign, so attackers simply create new pages for their next campaign.

The growth in overall TLS use by malware can be partially “linked to the increased use of legitimate web and cloud services protected by TLS—such as Discord, Pastebin, Github and Google’s cloud services—as repositories for malware components, as destinations for stolen data, and even to send commands to botnets and other malware.”

“It is also linked to the increased use of Tor and other TLS-based network proxies to encapsulate malicious communications between malware and the actors deploying them,” according to the report.

Ransomware attacks using TLS for communication have also increased in 2021, particularly human-operated (manually deployed) ransomware, “in part because of attackers’ use of modular offensive tools that leverage HTTPS.”

Threat actors also use TLS to obfuscate command-and-control traffic, either by sending ordinary-looking HTTPS requests or by connecting through a TLS-based proxy service. These methods allow an attacker to run an encrypted reverse shell, pass commands to the malware, and let the malware retrieve blocks of script or keys needed for specific functions. Because the payload is encrypted, a defender who cannot decrypt the session is left with handshake metadata and endpoint context.
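The encrypted payload is opaque, but the ClientHello that opens every TLS session is not: it carries the Server Name Indication (SNI) and the offered cipher suites in the clear. The example below is added here for illustration and is not Sophos code or data. It builds a constructed ClientHello, parses the SNI and cipher suites back out, and flags the pairing the report describes, a script host such as PowerShell talking to a service like Pastebin or Google Docs. The process names, hostnames and connection records are constructed assumptions, and a hit is a triage signal to pivot on, not proof of compromise.

```python
"""Added example (not from the Sophos report): parse the SNI and cipher suites
out of a TLS ClientHello and flag suspicious process/destination pairings.
All sample bytes and connection records below are constructed."""
import struct

# Hostnames of TLS-protected services the article names as commonly abused
# for payload hosting, exfiltration and C2 (assumed list, tune per environment).
ABUSED_SERVICES = {"pastebin.com", "docs.google.com", "discord.com",
                   "cdn.discordapp.com", "raw.githubusercontent.com",
                   "api.telegram.org"}
# Script hosts / LOLBins that rarely have a legitimate reason to fetch from
# those services (assumed list, tune per environment).
SCRIPT_HOSTS = {"powershell.exe", "mshta.exe", "wscript.exe",
                "cscript.exe", "rundll32.exe", "regsvr32.exe"}


def build_client_hello(server_name=None, cipher_suites=(0x1301, 0xC02F, 0xC030)):
    """Build a minimal TLS 1.2-style ClientHello record; SNI is optional."""
    extensions = b""
    if server_name is not None:
        host = server_name.encode("ascii")
        sni_entry = struct.pack("!BH", 0, len(host)) + host        # name_type=host_name
        sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
        extensions = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list
    suites = b"".join(struct.pack("!H", cs) for cs in cipher_suites)
    body = (b"\x03\x03"                                          # client_version TLS 1.2
            + bytes(32)                                           # random (constructed zeros)
            + b"\x00"                                             # empty session id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00")                                        # null compression only
    if extensions:
        body += struct.pack("!H", len(extensions)) + extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body     # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Return {'version', 'cipher_suites', 'sni'} from a ClientHello record.
    Raises ValueError when the bytes are not a well-formed ClientHello."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) < hs_len or len(body) < 38:
        raise ValueError("truncated ClientHello")
    version = (body[0], body[1])
    pos = 2 + 32                                  # skip version and random
    pos += 1 + body[pos]                          # skip session id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", body[pos + i:pos + i + 2])[0]
              for i in range(0, cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                          # skip compression methods
    sni = None
    if pos + 2 <= len(body):                      # extensions block is optional
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = min(pos + ext_len, len(body))
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            data = body[pos:pos + elen]
            pos += elen
            if etype == 0x0000 and len(data) >= 5:        # server_name extension
                name_len = struct.unpack("!H", data[3:5])[0]
                sni = data[5:5 + name_len].decode("ascii", "replace")
    return {"version": version, "cipher_suites": suites, "sni": sni}


def triage(connections):
    """connections: iterable of (process_name, client_hello_bytes).
    Returns (process, sni, reason) tuples worth an analyst's attention."""
    hits = []
    for process, record in connections:
        try:
            info = parse_client_hello(record)
        except ValueError as exc:
            hits.append((process, None, "unparseable handshake: %s" % exc))
            continue
        sni = info["sni"]
        if sni is None:
            hits.append((process, None, "TLS session without SNI"))
        elif process.lower() in SCRIPT_HOSTS and sni in ABUSED_SERVICES:
            hits.append((process, sni, "script host contacting abused service"))
    return hits


# Constructed connection records standing in for endpoint/network telemetry.
SAMPLE_CONNECTIONS = [
    ("powershell.exe", build_client_hello("pastebin.com")),
    ("chrome.exe", build_client_hello("docs.google.com")),
    ("powershell.exe", build_client_hello("docs.google.com")),
    ("rundll32.exe", build_client_hello(None)),
    ("svchost.exe", build_client_hello("update.microsoft.com")),
]

if __name__ == "__main__":
    for process, sni, reason in triage(SAMPLE_CONNECTIONS):
        print("%-16s %-24s %s" % (process, sni, reason))
```

The browser reaching Google Docs produces no hit; the same destination from PowerShell does. That is the point of pairing handshake metadata with endpoint context: the destination alone is "safe", the process behind it is what makes the dropper pattern visible. In production the SNI and cipher list would come from a network sensor (or a JA3-style fingerprint) and the process from EDR telemetry rather than the constructed records here.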

The report also shed light on several other campaigns leveraging TLS to hide malicious activities. Overall, TLS-based malware communications have more than doubled since 2020 (from 23 percent to 46 percent of attacks). Researchers noted that these are conservative estimates based on limited data.

“Malware authors’ abuse of legitimate communication platforms gives them the benefit of encrypted communications provided by Google Docs, Discord, Telegram, Pastebin and others—and, in some cases, they also benefit from the “safe” reputation of those platforms,” researchers explained.

“All of these factors make defending against malware attacks that much more difficult,” they concluded. “Without a defense in depth, organizations may be increasingly less likely to detect threats on the wire before they have been deployed by attackers.”

Healthcare entities should review the NSA's earlier guidance on eliminating obsolete TLS protocol configurations, which helps administrators find obsolete protocols and cipher suites and replace them with ones that provide strong encryption and authentication for sensitive data. That hardening protects an organization's own services; it does not by itself reveal malware that uses TLS, which still calls for the defense in depth the researchers describe, such as endpoint telemetry and inspection of handshake metadata or decrypted traffic.