Nearly a quarter of malware now communicates using TLS
Encryption is one of the strongest weapons malware authors can leverage: they can use it to obfuscate their code, to prevent users (in the case of ransomware) from accessing their files, and to secure their malicious network communication.
As websites and apps more widely adopt TLS (Transport Layer Security) and communicate over HTTPS connections, unencrypted traffic may draw even more attention, since it’s easier for analysts and security tools to identify malicious communication patterns in those plain HTTP sessions. Malware authors know this, and they’ve made it a priority to adopt TLS and thereby obfuscate the contents of malicious communication.
One of the reasons why it’s easier to find signs of malicious activity in unencrypted traffic is that recent releases of malware tend to phone home more frequently than they used to, and when they do, they send increasingly large volumes of profiling information about the target machine and network back to their operators. After it identifies the victim, malware increasingly communicates with its operator(s) in order to perform network reconnaissance and to send the collected information to its command and control server.
This kind of information theft can be a precursor to a subsequent targeted attack, can be used for blackmail, or can be sold to other criminals who may abuse it in a variety of ways. Without the protective layer of TLS encryption obfuscating the contents of this communication, a sharp-eyed analyst or a data loss prevention tool might easily catch this type of theft in the act, before the malware can cause harm.
We’ve also observed that, increasingly, more malicious functions are being orchestrated from the command-and-control (C2) server rather than implemented in the malware binary. The C2 decides what the malware should do next based on the exfiltrated data, which increases the volume of network traffic. Malware authors also want to empower their binaries with newer features and refresh them more often, which further increases the need for secure network communication: without it, network-level protection tools could discover an active infection inside the network every time the malware downloads an updated version of itself.
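The two traits described above, frequent phone-home at a steady cadence and upload-heavy sessions carrying profiling data, survive TLS encryption because they live in connection metadata rather than in the payload. The following is an added example (not code from the original article or its authors) of a defender-side check that looks for exactly those traits over TLS connection records. The record format, the hostnames, the addresses and the thresholds are all constructed for the example; real deployments would read the same fields from a flow or proxy log.

```python
"""Beacon detection over TLS connection metadata (constructed example)."""
import statistics
from collections import defaultdict

# Constructed sample records: (timestamp_s, src, dst, dst_port, sni, bytes_out, bytes_in).
# Addresses and hostnames are placeholders (RFC 5737 ranges / example TLDs), not real IoCs.
SAMPLE_CONNS = [
    # Suspicious flow: near-fixed 300 s cadence, and far more bytes uploaded than received.
    (0,    "10.0.0.5", "203.0.113.7",   443, "sync.update-check.example", 48000, 900),
    (302,  "10.0.0.5", "203.0.113.7",   443, "sync.update-check.example", 51000, 850),
    (598,  "10.0.0.5", "203.0.113.7",   443, "sync.update-check.example", 47500, 920),
    (901,  "10.0.0.5", "203.0.113.7",   443, "sync.update-check.example", 49800, 880),
    (1199, "10.0.0.5", "203.0.113.7",   443, "sync.update-check.example", 50200, 910),
    # Benign browsing: irregular timing, downloads dominate.
    (15,   "10.0.0.5", "198.51.100.20", 443, "www.example.com", 1200, 240000),
    (140,  "10.0.0.5", "198.51.100.20", 443, "www.example.com",  900,  88000),
    (660,  "10.0.0.5", "198.51.100.20", 443, "www.example.com", 1500, 310000),
    (1340, "10.0.0.5", "198.51.100.20", 443, "www.example.com",  800,  52000),
]


def flow_key(conn):
    """Group connections by (src, dst, dst_port, sni); the TLS SNI is visible in cleartext."""
    return (conn[1], conn[2], conn[3], conn[4])


def interval_stats(timestamps):
    """Return (mean_gap, jitter) for the gaps between consecutive connections.

    jitter is the population standard deviation divided by the mean gap, so a
    perfectly regular beacon scores 0.0 and human-driven traffic scores much higher.
    Returns None when there are too few gaps to say anything.
    """
    ts = sorted(timestamps)
    gaps = [later - earlier for earlier, later in zip(ts, ts[1:])]
    if len(gaps) < 2:
        return None
    mean_gap = statistics.mean(gaps)
    if mean_gap == 0:
        return None
    return mean_gap, statistics.pstdev(gaps) / mean_gap


def find_beacons(conns, min_conns=4, max_jitter=0.1, min_upload_ratio=2.0):
    """Flag flows that are both regular (low jitter) and upload-heavy.

    Thresholds are illustrative assumptions for this example, not vendor defaults;
    tune them against a baseline of known-good traffic before relying on them.
    """
    flows = defaultdict(list)
    for conn in conns:
        flows[flow_key(conn)].append(conn)

    findings = []
    for (src, dst, port, sni), records in flows.items():
        if len(records) < min_conns:
            continue  # too few observations to judge periodicity
        stats = interval_stats([r[0] for r in records])
        if stats is None:
            continue
        mean_gap, jitter = stats
        bytes_out = sum(r[5] for r in records)
        bytes_in = sum(r[6] for r in records)
        upload_ratio = bytes_out / max(bytes_in, 1)  # avoid division by zero on receive-only flows
        if jitter <= max_jitter and upload_ratio >= min_upload_ratio:
            findings.append({
                "src": src,
                "dst": dst,
                "port": port,
                "sni": sni,
                "connections": len(records),
                "mean_interval_s": mean_gap,
                "jitter": jitter,
                "upload_ratio": upload_ratio,
            })
    return findings


if __name__ == "__main__":
    for finding in find_beacons(SAMPLE_CONNS):
        print(
            f"possible beacon: {finding['src']} -> {finding['dst']}:{finding['port']} "
            f"sni={finding['sni']} every ~{finding['mean_interval_s']:.0f}s "
            f"(jitter {finding['jitter']:.3f}, upload ratio {finding['upload_ratio']:.1f})"
        )
```

Run on the constructed sample, only the `sync.update-check.example` flow is reported: its gaps are 302, 296, 303 and 298 seconds (jitter below 0.01) and it uploads roughly 55 times more than it receives, whereas the browsing flow has jitter above 0.5 and is download-heavy. The check deliberately ignores payload contents, so it works the same whether or not the session is encrypted; its weakness is that it needs several observations per flow, so a low-and-slow implant with heavy randomised sleep will score poorly until enough connections accumulate.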