Half of Q1's malware traffic observed by Sophos was TLS encrypted, hiding inside legit requests to legit services

Brit infosec outfit points to nefarious deeds within Discord, Google systems

After years of warnings about security, surveillance, and unwanted state intrusion, one group of internet-connected folk has taken heed: malware operators.

British infosec biz Sophos reckons just under half of malware traffic it saw in the wild during the opening three months of 2021 alone was using Transport Layer Security (TLS) to encrypt both its command-and-control traffic and data exfiltration. The company says that figure is up from 23 per cent of known malware traffic during the whole of 2020.

"This is traffic we're seeing directly coming from malware, or it's something that's getting activated in browser... and being detected by us," lead researcher Sean Gallagher told The Register. He was open about this only being traffic observed by Sophos, meaning the true worldwide figure for TLS-encrypted malware traffic could differ.

Known as SSL in an earlier life, TLS is the cryptographic protocol that underpins, among other things, HTTPS web connections, as we explained in (reasonable) depth back in 2018. Briefly, it hides the contents of web traffic from external inspection, whether by government agencies or by fed-up techies trying to tell the difference between a shadow-IT file transfer and an in-progress ransomware attack.

The (ab)use of TLS by malicious people means life is becoming harder for defenders.

In a blog post published today, Sophos said: "A large portion of the growth in overall TLS use by malware can be linked in part to the increased use of legitimate web and cloud services protected by TLS – such as Discord, Pastebin, GitHub and Google's cloud services – as repositories for malware components." It added that these services are also used to store stolen data as well as malware components, another reason malware-tainted TLS traffic flows through them.

Around 80 per cent of traffic seen by Sophos in Q1 2021 could be linked to droppers, a subset of malware that gains a foothold on a target system before installing (or dropping) a further payload, the firm said.

Gallagher told The Register: "We also had seen some abuse of Google in loaders. Like, for example, we found one loader that was actually reading bits of PowerShell script out of a cell on a Google Docs spreadsheet as a method of concealing itself when it was deploying because it looks like legitimate traffic; it's requesting something from a well-known service."

Google's various cloud services accounted for 9 per cent of tainted TLS requests, with chat-for-gamers service Discord finding itself featured prominently thanks to criminals' abuse of its Cloudflare-hosted CDN to spread their malicious wares. Overall, "nearly half of all malware TLS communications went to servers in the United States and India."
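Because the payload itself travels inside TLS, a defender who cannot decrypt the session is left with connection metadata: which process opened the connection, which server name (SNI) it asked for, and how much came back. The script below, an added example and not code from Sophos or The Register, shows that approach over a constructed proxy log. The log format, the host names, the process names and the thresholds are all assumptions made for the example; the list of abused services is taken from the services named in this article.

```python
"""Flag TLS sessions to legitimate cloud services that are commonly abused as
malware-staging repositories, using only connection metadata (no decryption).

Assumed log format (constructed for this example, one session per line):
    <timestamp> <host> <process> <tls_sni> <bytes_received>
"""
import re

# Constructed sample log; none of these hosts, sessions or sizes are real telemetry.
SAMPLE_LOG = """\
2021-03-02T10:01:05Z ws-017 chrome.exe cdn.discordapp.com 1834221
2021-03-02T10:01:09Z ws-017 powershell.exe cdn.discordapp.com 412688
2021-03-02T10:02:11Z ws-021 outlook.exe docs.google.com 22110
2021-03-02T10:02:40Z ws-021 mshta.exe pastebin.com 3190
2021-03-02T10:03:02Z ws-044 firefox.exe raw.githubusercontent.com 8811
2021-03-02T10:03:59Z ws-044 wscript.exe raw.githubusercontent.com 1200350
2021-03-02T10:04:30Z ws-052 updater.exe drive.google.com 95000
"""

# TLS-protected services the article names as repositories for malware components.
# The concrete host names are assumptions; adjust to whatever your proxy actually sees.
ABUSED_REPO_HOSTS = {
    "cdn.discordapp.com": "Discord CDN",
    "pastebin.com": "Pastebin",
    "raw.githubusercontent.com": "GitHub raw content",
    "docs.google.com": "Google Docs",
    "drive.google.com": "Google Drive",
}

# Processes for which a connection to these services is ordinary user activity.
EXPECTED_CLIENTS = {"chrome.exe", "firefox.exe", "msedge.exe", "outlook.exe"}

# Script hosts and loaders: a fetch from a file-hosting service by one of these
# is the dropper pattern the article describes, so it is rated higher.
SCRIPT_HOSTS = {"powershell.exe", "mshta.exe", "wscript.exe", "cscript.exe",
                "rundll32.exe", "regsvr32.exe"}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d+)$")


def parse_line(line):
    """Parse one log line into a dict, or return None for malformed input."""
    match = LINE_RE.match(line.strip())
    if not match:
        return None
    ts, host, proc, sni, nbytes = match.groups()
    return {"ts": ts, "host": host, "process": proc.lower(),
            "sni": sni.lower(), "bytes": int(nbytes)}


def classify(record):
    """Return (severity, reason) if the session looks like payload staging, else None."""
    service = ABUSED_REPO_HOSTS.get(record["sni"])
    if service is None or record["process"] in EXPECTED_CLIENTS:
        return None
    severity = "high" if record["process"] in SCRIPT_HOSTS else "medium"
    reason = (f"{record['process']} received {record['bytes']} bytes "
              f"from {service} ({record['sni']})")
    return severity, reason


def scan(log_text):
    """Run the classifier over every line; return (host, ts, severity, reason) tuples."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        verdict = classify(rec)
        if verdict:
            alerts.append((rec["host"], rec["ts"], verdict[0], verdict[1]))
    return alerts


if __name__ == "__main__":
    for host, ts, severity, reason in scan(SAMPLE_LOG):
        print(f"[{ts}] {host} {severity.upper()}: {reason}")
```

The rule is deliberately narrow: the same destination is benign from a browser and suspicious from `mshta.exe`, which is why the process name, not the server, carries the signal. Where the SNI is absent or encrypted, the destination IP and the certificate presented by the server are the next-best fields; the structure of the check is unchanged.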

The finding that criminals are using encryption to help malware evade detection is certainly not new; SonicWall, for example, picked up on encrypted non-standard port traffic back in 2019 – something Gallagher also highlighted. In a similar vein, Kaspersky warned of a malware strain capable of decrypting TLS traffic, which it labelled Reductor. That malware came from the Russian state-backed Turla hacking crew. ®

Biting the hand that feeds IT © 1998–2022