
Rise in Malware Using Encryption Shows Importance of Network Traffic Inspection

The criminal use of encryption to hide malware is growing rapidly. In the first half of 2019 the use of encryption by malware almost equaled the entire encrypted volume of 2018, and is not likely to slow. Today, nearly a quarter of malware communicates using TLS.

The criminal use of encryption to hide malware is growing rapidly. In the first half of 2019 the use of encryption by malware almost equaled the entire encrypted volume of 2018, and is not likely to slow. Today, nearly a quarter of malware communicates using TLS.

The reason is simple: encryption obfuscates malware code, making it difficult to analyze; prevents users from accessing the component files in the event of an infection; and hides and secures the attackers’ malicious network communication. In short, malware encryption makes it harder for traditional defenses to detect and mitigate that malware.

Malware normally collects victim machine data as the first phase of victim reconnaissance. If this data is encrypted before being sent back to the attacker — especially if the destination is a legitimate service (like Pastebin or GitHub) that also normally communicates with encryption — it is less likely to be detected as any form of communication from internal malware to external attacker.

The success of hiding malware communications within encryption may partly explain the growth of malware taking new instructions from its C2 server over having the entire functionality coded within the malware. This in turn makes the initial malware infection smaller and less likely to be detected. “Without the protective layer of TLS encryption obfuscating the contents of this communication,” writes SophosLabs threat researcher Luca Nagy, “a sharp-eyed analyst or data loss prevention tool might easily catch this type of theft in the act, before any harm may come as a result.”

SophosLabs wanted to quantify the extent of encryption use by malware, and looked at a selection of malware analyses from the last six months. “Around 23% of all malware families we sampled use encrypted communication to send or receive data from the C2, or during installation when they may use https to conceal the fact that they are retrieving malicious payloads or components,” it found.

Sixteen percent of the malware samples examined were infostealers, and 44% of those (much higher than the 23% average across all samples) communicated via port 443 (the standard port used for TLS-encrypted https communications).

The report highlights three prolific malware families that use encrypted communications. The first is TrickBot, malware whose primary goal is to steal information about the system, the user, their browsers, the network on which the computer is running, the email accounts that belong to the victim, and particularly bank or financial account passwords or other credentials. It can be delivered directly, or dropped by other malware such as Emotet.

TrickBot usually downloads its modules using https before injecting them into an instance of the legitimate Windows component svchost.exe. It exfiltrates the data it collects using an https POST method, using the standard TLS port 443 and sometimes 449/TCP. This data is further encrypted using CryptoAPI.

The second family is IcedID, a banking trojan that uses web injection attacks against browsers. It too injects itself into svchost.exe, and can spread laterally through the network. Like TrickBot, it uses SSL/TLS for C2 communication. Configuration files are downloaded over TLS, while the responses are also encrypted using the RC4 cipher.

The third family is Dridex, a banking trojan delivered by phishing campaigns and sometimes dropped by Emotet. It has been under continuous development since being first spotted in 2011. It is also an infostealer with the ability to steal credentials, cookies, certificates, keystrokes, and even take screenshots. 

“Dridex frequently uses HTTPS on port 443 to download payload modules or send the collected data,” comments SophosLabs. “The exfiltrated data can additionally be encrypted using RC4, if the attacker desires.”

The primary message in this report is that the proportion of malware implementing TLS to protect its communication has been increasing and will likely continue to increase, which raises strong concerns about the ability to detect and defend against the adoption of transport layer security by malicious actors. The three malware families discussed in the report have been among the most prolific and successful malware families in recent years, and their use of encryption will at least partly explain that success.

“In order to protect yourself,” concludes SophosLabs, “it’s important to inspect network traffic and check the TLS certificate details of https communications. You should pay significant attention to unusual or unexpected volumes of https traffic to unknown domains or using invalid or forged TLS certificates.”
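As an added example (not code from the SophosLabs report or from this article), the following Python triage pass applies the checks recommended above to constructed TLS connection records: certificate validation status, the 449/TCP port TrickBot also uses, and outbound volume to domains outside an allowlist. The record field names, the sample values, the allowlist and the volume threshold are all assumptions for illustration.

```python
from collections import defaultdict

# Constructed sample records (assumed field names, loosely modelled on a
# Zeek ssl.log joined with conn.log); not real telemetry from the report.
SAMPLE_RECORDS = [
    {"src": "10.0.0.12", "sni": "update.microsoft.com", "port": 443,
     "cert_status": "ok", "bytes_out": 4_200},
    {"src": "10.0.0.12", "sni": "pastebin.com", "port": 443,
     "cert_status": "ok", "bytes_out": 2_600_000},
    {"src": "10.0.0.12", "sni": "pastebin.com", "port": 443,
     "cert_status": "ok", "bytes_out": 900_000},
    {"src": "10.0.0.37", "sni": "", "port": 449,
     "cert_status": "self signed certificate", "bytes_out": 512},
    {"src": "10.0.0.51", "sni": "cdn-7f2k.example", "port": 443,
     "cert_status": "unable to get local issuer certificate", "bytes_out": 90_000},
]

KNOWN_DOMAINS = {"update.microsoft.com", "login.microsoftonline.com"}  # assumed allowlist
VOLUME_THRESHOLD = 1_000_000   # bytes out per (src, host); tune to your own baseline


def triage(records, known=KNOWN_DOMAINS, threshold=VOLUME_THRESHOLD):
    """Return sorted (src, host, reason) alerts for the indicators the report names."""
    alerts = []
    volume = defaultdict(int)          # outbound bytes summed per (src, host)
    for r in records:
        host = r["sni"] or "<no SNI>"
        volume[(r["src"], host)] += r["bytes_out"]
        # Invalid or self-signed certificate: forged or ad-hoc C2 certificates show up here.
        if r["cert_status"] != "ok":
            alerts.append((r["src"], host, "invalid-cert: " + r["cert_status"]))
        # TLS on 449/TCP is one of TrickBot's documented exfiltration ports.
        if r["port"] == 449:
            alerts.append((r["src"], host, "tls-on-port-449"))
    # Unusual https volume to a domain outside the allowlist, summed across
    # connections so chunked POSTs to a legitimate host like Pastebin still trip it.
    for (src, host), total in volume.items():
        if host not in known and total >= threshold:
            alerts.append((src, host, f"high-volume-unknown-domain: {total} bytes"))
    return sorted(alerts)


if __name__ == "__main__":
    for alert in triage(SAMPLE_RECORDS):
        print(*alert)
```

Volume is aggregated per source and destination host rather than judged per connection, because exfiltration over a legitimate service is typically split across many ordinary-looking TLS sessions.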

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.