Built to replace Secure Sockets Layer (SSL), Transport Layer Security (TLS) is a family of cryptographic protocols designed to secure communications across networks. The protocol is used in email, instant messaging, and voice-over-IP applications. That said, its role as the security layer in HTTPS remains one of its primary uses. It is this ability to keep communications hidden from the view of security researchers that threat actors have latched onto. According to a recent report published by Sophos Labs, in 2020 23% of malware detected was seen abusing the TLS protocol; by the first quarter of 2021 this had skyrocketed to 46%.
Researchers determined that the large growth in TLS abuse can be linked to threat actors increasingly turning to legitimate web and cloud services protected by TLS to further attack campaigns. Services like Discord, Pastebin, GitHub, and Google’s cloud services are increasingly being used as repositories for malware. Acting as a repository for malware or specific components is not the only use malware authors have found for the above-mentioned services. Researchers have seen services being used as storage for stolen data and to send commands to botnets and other malware. Further, the increase in TLS abuse has also partly been attributed to threat actors encapsulating communications behind Tor and TLS network proxies to hide them.
Commenting on the use of these cloud-based services researchers noted,
“Google’s cloud services were the destination for nine percent of malware TLS requests, with India’s BSNL close behind. During the month of March 2021, we saw a rise in the use of Cloudflare-hosted malware—largely because of a spike in the use of Discord’s content delivery network, which is based on Cloudflare, which by itself accounted for 4 percent of the detected TLS malware that month. We reported over 9,700 malware related links to Discord; many were Discord-specific, targeting the theft of user credentials, while others were delivery packages for other information stealers and trojans…In aggregate, nearly half of all malware TLS communications went to servers in the United States and India.”
Of particular concern to enterprises is the increased use of TLS in ransomware attacks, particularly human-operated ransomware strains known for targeting large enterprises.
This is due to the modularity of the malware and how it leverages HTTPS to carry out offensive campaigns. While the use of TLS in ransomware attacks increased, the vast majority of malware strains leveraging TLS were loaders, droppers, and document-based installers that rely on TLS to access secured web pages and retrieve their installation packages. Loaders, droppers, and document-based installers make up the vast majority because the infrastructure they leverage already supports TLS, or because code snippets doing exactly that are freely available.
Another use of TLS that threat actors have found useful is to hide or further obfuscate communication between the victim’s machine and the attacker’s command-and-control server. Researchers noted,
“Malware operators can use TLS to obfuscate command and control traffic. By sending HTTPS requests or connecting over a TLS-based proxy service, the malware can create a reverse shell, allowing commands to be passed to the malware, or for the malware to retrieve blocks of script or required keys needed for specific functions. Command and control servers can be a remote dedicated web server, or they can be based on one or more documents in legitimate cloud services. For example, the Lampion Portuguese banking trojan used a Google Docs text document as the source for a key required to unlock some of its code—and deleting the document acted as a kill-switch. By leveraging Google Docs, the actors behind Lampion were able to conceal controlling communications to the malware and evade reputation-based detection by using a trusted host.”
“The same sort of connection can be used by malware to exfiltrate sensitive information—transmitting user credentials, passwords, cookies, and other collected data back to the malware’s operator. To conceal data theft, malware can encapsulate it in a TLS-based HTTPS POST, or export it via a TLS connection to a cloud service API, such as Telegram or Discord “bot” APIs.”
Infamous Malware Seen Abusing TLS
While researchers at Sophos Labs discovered numerous strains of malware leveraging TLS in some form or other, several well-known strains have likewise leveraged the protocol. SystemBC, which can best be described as a malicious multifaceted communication tool, is one such piece of offending malware. Part of the malware’s popularity stems from the fact that it is available for purchase on underground hacker forums and is used by other threat actors to supplement attacks. When the malware was discovered over a year ago it acted mainly as a network proxy, encrypting communications with TLS over a SOCKS5 remote proxy connection. Now the malware acts more like a feature-rich remote access trojan (RAT), providing a persistent backdoor.
The malware makes use of both TLS-encrypted and non-TLS communication. For the TLS communications, the first use of the protocol is an HTTPS request to a proxy for IPify, an API that can be used to obtain the public IP address of the infected system. The request is not sent to the typical TLS port, 443, but to port 49271. SystemBC then establishes a TLS connection to a Tor gateway picked from the Tor network data, again on a non-standard port, namely 49274. The malware then attempts to retrieve another known backdoor-creating malware, henos.exe, which connects over TLS on the standard port, 443, to a website that returns links to Telegram channels.
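The non-standard ports and absent hostnames described above are exactly what a network defender can key on. The following is an added example, not code from the Sophos report, that scans a constructed Zeek-style ssl.log excerpt for TLS sessions on ports outside the usual set (mirroring the 49271 and 49274 pattern) and for TLS sessions that carry no SNI; the port allow-list and the sample rows are assumptions made here.

```python
"""Flag TLS sessions that match the SystemBC traffic pattern described above.
Added detection example; the log lines below are constructed, not real captures."""
import csv
import io

# Constructed Zeek-style ssl.log excerpt (tab-separated, abbreviated columns).
# Rows C2 and C3 mimic the SystemBC behaviour: TLS on ports 49271 and 49274
# with no server name (SNI), typical of tools that connect to a bare IP.
SAMPLE_SSL_LOG = (
    "ts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tversion\tserver_name\testablished\n"
    "1617000001.1\tC1\t10.0.0.5\t50123\t203.0.113.10\t443\tTLSv12\tapi.example-saas.test\tT\n"
    "1617000002.2\tC2\t10.0.0.5\t50124\t198.51.100.7\t49271\tTLSv12\t-\tT\n"
    "1617000003.3\tC3\t10.0.0.5\t50125\t198.51.100.8\t49274\tTLSv12\t-\tT\n"
    "1617000004.4\tC4\t10.0.0.9\t50126\t203.0.113.20\t443\tTLSv12\t-\tT\n"
)

# Assumed allow-list of ports where TLS is normally expected in this network.
STANDARD_TLS_PORTS = {443, 465, 636, 853, 993, 995, 8443}


def parse_ssl_log(text):
    """Parse a tab-separated ssl.log body (header row first) into dict rows."""
    return list(csv.DictReader(io.StringIO(text), delimiter="\t"))


def find_suspicious_tls(rows):
    """Return one alert per session that is on a non-standard TLS port and/or
    lacks SNI. Each alert records the session uid, endpoints and the reasons,
    so an analyst can pivot on the source host hitting several odd ports."""
    alerts = []
    for r in rows:
        port = int(r["id.resp_p"])
        reasons = []
        if port not in STANDARD_TLS_PORTS:
            reasons.append(f"tls_on_nonstandard_port:{port}")
        if r["server_name"] == "-":  # Zeek writes "-" for an absent SNI
            reasons.append("tls_without_sni")
        if reasons:
            alerts.append({
                "uid": r["uid"],
                "src": r["id.orig_h"],
                "dst": f'{r["id.resp_h"]}:{port}',
                "reasons": reasons,
            })
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_tls(parse_ssl_log(SAMPLE_SSL_LOG)):
        print(alert)
```

On real traffic the missing-SNI check alone is noisy, so treat it as a weighting factor and let the non-standard-port hit, or several from one source host in quick succession, drive the alert.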
Researchers have also seen TLS abused by Agent Tesla, a piece of malware capable of acting as both an information stealer and a RAT. According to researchers, the latest version, in a long line of versions spanning several years, has an option to use the Tor anonymizing network to conceal traffic with TLS. Researchers further discovered that,
“We’ve also seen TLS used in one of AgentTesla’s most recent downloaders, as the developers have used legitimate web services to store chunks of malware encoded in base64 format on Pastebin and a lookalike service called Hastebin. The first stage downloader further tries to evade detection by patching Windows’ Anti-Malware Software Interface (AMSI) to prevent in-memory scanning of the downloaded code chunks as they’re joined and decoded.”
The Tor addition is used primarily to conceal communications over HTTP. It is important to note that, at the time of writing, the malware’s developer has not built the capability to run HTTPS communications into the malware itself, though the malware can make use of Telegram’s bot API to do so.
Dridex is yet another malware strain seen abusing TLS. The banking trojan, with a long history, was first spotted in 2011 and has gone through significant changes since then. Current versions of the malware can fetch and download specific modules depending on what the attackers want to do, much as TrickBot has done in the past. Each module is responsible for performing specific functions: stealing credentials, exfiltrating browser cookie data or security certificates, logging keystrokes, or taking screenshots.
Now the malware has been updated to conceal communications by encapsulating them with TLS. It uses HTTPS on port 443 both to download additional modules from the command-and-control server and to exfiltrate collected data to it. Exfiltrated data can additionally be encrypted with RC4 to further conceal and secure it if the attacker deems this extra layer of encryption necessary. Dridex also has a resilient infrastructure of command-and-control servers, allowing installed malware to switch over to a backup if its original command server goes down.
Sophos researchers also warned that other off-the-shelf tools are making use of TLS, stating,
“We also see the use of off-the-shelf offensive security tools and other ready-made tools and application programming interfaces that make using TLS-based communications more accessible continuing to grow. The same services and technologies that have made obtaining TLS certificates and configuring HTTPS websites vastly simpler for small organizations and individuals have also made it easier for malicious actors to blend in with legitimate Internet traffic, and have dramatically reduced the work needed to frequently shift or replicate C2 [command-and-control] infrastructure.”