Security News > 2021 > April > Half of Q1's malware traffic observed by Sophos was TLS encrypted, hiding inside legit requests to legit services

British infosec biz Sophos reckons just under half of malware traffic it saw in the wild during the opening three months of 2021 alone was using Transport Layer Security to encrypt both its command-and-control traffic and data exfiltration.

He was open about this only being traffic observed by Sophos, meaning the true worldwide figure for TLS-encrypted malware traffic could differ.

In a blog post published today, Sophos said: "A large portion of the growth in overall TLS use by malware can be linked in part to the increased use of legitimate web and cloud services protected by TLS - such as Discord, Pastebin, GitHub and Google's cloud services - as repositories for malware components." It added that storage and malware components alike were other reasons for malware-tainted TLS traffic to spread through these routes.

Around 80 per cent of traffic seen by Sophos in Q1 2021 could be linked to droppers, a subset of malware that gains a foothold on a target system before installing a further payload, the firm said.

Overall, "Nearly half of all malware TLS communications went to servers in the United States and India."

In a similar vein, Kaspersky warned of a malware strain capable of decrypting TLS traffic which it labelled Reductor.

News URL

https://go.theregister.com/feed/www.theregister.com/2021/04/21/sophos_research/