A common cryptographic protocol used to protect the majority of website communications and some virtual private networks is increasingly being used by threat actors to protect their attacks, according to a new report.
“In 2020 we found that 23 per cent of malware we detected communication with a remote system over the internet were using TLS,” the report says. “Today it is nearly 46 per cent.”
Much of this can be linked in part to the increased use of legitimate web and cloud services protected by TLS — such as Discord, Pastebin, Github and Google’s cloud services — as repositories for malware components, as destinations for stolen data, and even to send commands to botnets and other malware, the report adds.
It’s also linked to the increased use of Tor and other TLS-based network proxies to encapsulate malicious communications between malware and the actors deploying them.
Google’s cloud services were the destination for nine percent of malware TLS requests, closely followed by India’s. Last month Sophos saw a rise in the use of Cloudflare-hosted malware — largely because of a spike in the use of Discord’s content delivery network, which is based on Cloudflare. This accounted for four percent of the detected TLS malware that month. Researchers found over 9,700 malware-related links to Discord. Many were Discord-specific, targeting the theft of user credentials, while others were delivery packages for other information stealers and trojans.
Nearly half of all malware TLS communications went to servers in the United States and India, researchers found.
Researchers also saw an increase in TLS use in ransomware attacks over the past year, especially in manually-deployed ransomware. This is in part, the report says, because of attackers’ use of modular offensive tools that leverage HTTPS.
Sophos argues that malware communications typically fall into three categories: downloading additional malware, exfiltration of stolen data and retrieval or sending of instructions to a command and control server, all of which can leverage TLS.
The vast majority of malicious TLS traffic is of the first kind: loaders, droppers and other malware downloading additional malware to the system they infect. TLS is used to try to evade basic payload inspection.
“It doesn’t take much sophistication to leverage TLS in a malware dropper,” according to the report. “because TLS-enabled infrastructure to deliver malware or code snippets is freely available. Frequently, droppers and loaders use legitimate websites and cloud services with built-in TLS support to further disguise the traffic.”
The PowerShell-based dropper for LockBit ransomware was observed retrieving additional script from a Google Docs spreadsheet via TLS, the report notes, as well as from another website. And a dropper for the AgentTesla information stealer also has been seen accessing Pastebin over TLS to retrieve chunks of code. While Google and Pastebin often quickly shut down malware-hosting documents and websites on its platform, attackers simply create new ones for their next attack.
Malware operators can use TLS to obfuscate command and control traffic, the report points out. By sending HTTPS requests or connecting over a TLS-based proxy service, the malware can create a reverse shell. This allows commands to be passed to the malware, or for the malware to retrieve blocks of script or required keys needed for specific functions. Command and control servers can be a remote dedicated web server, or they can be based on one or more documents in legitimate cloud services.
For example, the Lampion Portuguese banking trojan used a Google Docs text document as the source for a key required to unlock some of its code. Deleting the document acted as a killswitch. By leveraging Google Docs, the actors behind Lampion were able to conceal controlling communications to the malware and evade reputation-based detection by using a trusted host.
More recently the Dridex trojan has been updated to encapsulate communications with TLS, using HTTPS on port 443 to both download modules and exfiltrate data. In addition the Cobalt Strike and Metasploit toolkits often used by ransomware groups use TLS.
The report gives other examples of TLS abuse.
One problem for defenders is that some malware use TLS over non-standard IP ports, so analysts may underestimate its usage.
“TLS can be implemented over any assignable IP port,” the report indicates. “And after the initial handshake it looks like any other TCP application traffic.”
The other problem is the abuse of its in cloud and web services like Google Docs, Discord, Telegram, Pastebin and others.
“The same services and technologies that have made obtaining TLS certificates and configuring HTTPS websites vastly more simple for small organizations and individuals have also made it easier for malicious actors to blend in with legitimate Internet traffic, and have dramatically reduced the work needed to frequently shift or replicate C2 infrastructure.
“Without a defense in depth, organizations may be increasingly less likely to detect threats on the wire before they have been deployed by attackers.”
Sophos released the report to coincide with the release of new XGS series firewall appliances that include TLS inspection. Most firewalls include TSL inspection.