Sophos research finds nearly a quarter of malware communicates using TLS
A sampling of malware analyses made over the last six months by Sophos, a global leader in next-generation cyber security, finds that nearly one-third of malware and unwanted applications enter the enterprise network through TLS (Transport Layer Security)-encrypted flows.
The research also observes that more malicious functions are being orchestrated from the Command and Control (C2) server, rather than implemented in the malware binary.
The research, which was released in conjunction with Sophos’ latest release of a new architecture for its XG Firewall, explains how 23 percent of malware families use encrypted communication for C2 or installation.
“Out of all the malware that made some kind of network connection during their infection process, about 23 percent communicated over HTTPS (Hypertext Transfer Protocol Secure), either to send or receive data from the C2, or during installation when they may use HTTPS to conceal the fact that they are retrieving malicious payloads or components,” Luca Nagy, a researcher at Sophos, wrote in a blog article titled ‘Nearly a Quarter of Malware now Communicates Using TLS’.
The article details, for example, three common and ever-present Trojans – Trickbot, Icedid and Dridex – that leverage TLS during the course of their attacks. Cybercriminals also use TLS to hide their exploits, payloads and stolen content and to avoid detection. In fact, 44 percent of prevalent information stealers use encryption to sneak hijacked data, including bank and financial account passwords and other sensitive credentials, out from under organizations.
Network traffic encryption is more important for Trojans, especially information stealers, says the research. “An information stealer’s main goal is to collect as much data about the victim as possible, including sensitive financial information, and remain undetected while doing so. Among our sample set, information stealers made up 16 percent of the total number of samples tested during the time period.”
The newly introduced ‘Xstream’ architecture for Sophos XG Firewall provides high-performance TLS traffic decryption capabilities that eliminate a significant security risk associated with encrypted network traffic, a risk often overlooked by security teams because of performance and complexity concerns. XG Firewall now also features AI-enhanced threat analysis from SophosLabs and accelerated application performance.