This article is more than 1 year old

Half of Q1's malware traffic observed by Sophos was TLS encrypted, hiding inside legit requests to legit services

Brit infosec outfit points to nefarious deeds within Discord, Google systems

After years of warnings about security, surveillance, and unwanted state intrusion, one group of internet-connected folk has taken heed: malware operators.

British infosec biz Sophos reckons just under half of malware traffic it saw in the wild during the opening three months of 2021 alone was using Transport Layer Security (TLS) to encrypt both its command-and-control traffic and data exfiltration. The company says that figure is up from 23 per cent of known malware traffic during the whole of 2020.

"This is traffic we're seeing directly coming from malware, or it's something that's getting activated in browser... and being detected by us," lead researcher Sean Gallagher told The Register. He was open about this only being traffic observed by Sophos, meaning the true worldwide figure for TLS-encrypted malware traffic could differ.

Formerly SSL in an earlier life, TLS is the cryptographic protocol that underpins, among other things, HTTPS web connections, as we explained in (reasonable) depth back in 2018. Briefly, it hides the contents of web traffic from external inspection, whether by government agencies or fed-up techies trying to tell the difference between a shadow IT file transfer and an in-progress ransomware attack.

The (ab)use of TLS by malicious people means life is becoming harder for defenders.

A screenshot of a ransomware infection warning on a PC display

How do we stamp out the ransomware business model? Ban insurance payouts for one, says ex-GCHQ director


In a blog post published today, Sophos said: "A large portion of the growth in overall TLS use by malware can be linked in part to the increased use of legitimate web and cloud services protected by TLS – such as Discord, Pastebin, GitHub and Google's cloud services – as repositories for malware components." It added that storage (for stolen data) and malware components alike were other reasons for malware-tainted TLS traffic to spread through these routes.

Around 80 per cent of traffic seen by Sophos in Q1 2021 could be linked to droppers, a subset of malware that gains a foothold on a target system before installing (or dropping) a further payload, the firm said.

Gallagher told The Register: "We also had seen some abuse of Google in loaders. Like, for example, we found one loader that was actually reading bits of PowerShell script out of a cell on a Google Docs spreadsheet as a method of concealing itself when it was deploying because it looks like legitimate traffic; it's requesting something from a well-known service."

Google's various cloud services accounted for 9 per cent of tainted TLS requests, with chat-for-gamers service Discord finding itself featured prominently thanks to criminals' abuse of its Cloudflare-hosted CDN to spread their malicious wares. Overall, "nearly half of all malware TLS communications went to servers in the United States and India."

The finding that criminals are using encryption to help malware evade detection is certainly not new; Sonicwall, for example, picked up on encrypted non-standard port traffic back in 2019 – something Gallagher also highlighted. In a similar vein, Kaspersky warned of a malware strain capable of decrypting TLS traffic which it labelled Reductor. That malware came from the Russian state-backed Turla hacking crew. ®

More about


Send us news

Other stories you might like