Cybercriminals are increasingly turning to the Transport Layer Security (TLS) cryptographic protocol to hide their malware communications.
According to Cloudflare.com, "Transport Layer Security, or TLS, is a widely adopted security protocol designed to facilitate privacy and data security for communications over the Internet. A primary use case of TLS is encrypting the communication between web applications and servers, such as web browsers loading a website. TLS can also be used to encrypt other communications such as email, messaging, and voice over IP (VoIP)."
During the first three months of 2021, 46 percent of malware observed used TLS to communicate with a remote system over the internet, according to a Sophos analysis of malware samples. In 2020, only 23 percent of malware tools used TLS.
It is becoming more common for threat actors to use legitimate TLS-protected cloud and Web services, including Google cloud services, Pastebin, Discord, and GitHub, to host malware, store stolen data, and carry out command-and-control (C2) operations. Cybercriminals also increasingly use Tor and other TLS-based network proxies to encrypt communication with their malware, according to Sophos.
A senior threat researcher at Sophos stated, "The main takeaways are that there is no such thing as a 'safe' domain or service when screening for malware, and that more traditional firewall defenses based on reputation scanning without deep packet inspection cannot protect systems."
Over the past several years, experts have pushed for the use of cryptographic protocols, such as HTTPS and TLS, to protect online communications from spying and surveillance. Now, 92 percent of online traffic in the U.S. uses TLS, according to Google.
However, although the use of HTTPS and TLS has increased privacy, it also gives cybercriminals a technology they can use to hide their malware and malware communications.
Source: Jai Vijayan, "Nearly half of all malware is concealed in TLS-encrypted communications," urgentcomm.com (Apr. 23, 2021).