Are You Ready for Malware Using TLS for Obfuscation? [It’s Increasing]

February 19, 2020 | Guest Blogger: Kim Crawley

Cryptography is a tool like any other. It can be used to help, and it can be used to harm. My kitchen knives can be used to cut food or as weapons. A campfire can burn a house down, but it can also protect outdoor adventurers from hypothermia. It’s all about how you use it.

Absolutely all of your data in transit should be encrypted, whether on the internet or within your internal networks. That’s fortunately accepted wisdom in the cybersecurity industry now. When properly implemented and managed, TLS can be one of the best ways to encrypt your data in transit. Even the most recent version, TLS 1.3, is well supported in web browsers and other types of client software these days. Unfortunately, cyber attackers know that too.

The Malware of Today

Malware is rapidly evolving, and the threats that exist now are often quite different from those of ten years ago. Fileless malware, which runs only in the memory of its target, is on the rise. It takes more than antivirus signatures to detect malware now; network anomaly detection is frequently needed. And more and more malware is modular. The first few pieces of malicious code may simply establish a connection between the target and the cyber attackers’ command and control servers. The command and control servers can then send modules to the target that act as spyware, illicitly mine cryptocurrency, become ransomware, or do many other awful things. I first saw modular malware on Android devices, but now all major platforms are affected, including Windows, macOS and iOS.



With all of those malware components being sent between command and control servers and infected machines, more and more data crosses the network. That means more and more data that IDS, IPS, and antivirus software can examine in order to detect anomalies. So cyber attackers are getting smarter: they are encrypting their data in transit in order to evade detection. According to findings from Sophos Labs, of the malware samples they examined over the past six months that make network connections, 23% use TLS to encrypt their traffic.

From Sophos’ blog:

“To see what the current state of the art (of malware) is, we reviewed a representative sampling of malware analyses we’ve made over the past six months. The analyses included details about whether the malware connected to one or more machines on the internet. For simplicity’s sake, we consider that sample to be a “TLS user” for the purposes of this research when the sample communicated over port 443/TCP (the standard port used for TLS-encrypted HTTPS communications) during the analysis.

Out of all the malware that made some kind of network connection during their infection process, about 23% communicated over HTTPS, either to send or receive data from the C2, or during installation when they may use HTTPS to conceal the fact that they are retrieving malicious payloads or components.”

That’s alarming news. A lot of the network security systems that entities ranging from small businesses to large enterprises use will miss malware that uses TLS encryption.
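To make the Sophos classification rule concrete, here is an added example (not code from this post or from Sophos) that applies the quoted "TLS user" heuristic to constructed sandbox connection records and computes the share of network-connecting samples it flags. It goes one step further than the quote and also checks the first bytes of each stream for a TLS ClientHello, which shows where a port-only rule and a content-based rule disagree: TLS on a non-standard port, and plaintext on 443/TCP. All sample names, ports and byte strings are constructed for illustration.

```python
# Added example: classify sandbox connection records as "TLS users".
# Rule 1 (the quoted Sophos simplification): any connection to 443/TCP.
# Rule 2 (added here): the first bytes sent look like a TLS ClientHello.
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Connection:
    sample: str          # constructed sample name
    proto: str           # "tcp" or "udp"
    dst_port: int
    first_bytes: bytes   # constructed first bytes the sample sent


def port_443_rule(conns: List[Connection]) -> bool:
    """Sophos' simplification: TLS user if any connection is 443/TCP."""
    return any(c.proto == "tcp" and c.dst_port == 443 for c in conns)


def looks_like_client_hello(data: bytes) -> bool:
    """TLS record header: type 0x16 (handshake), version 0x03 0x00-0x04,
    2-byte length, then handshake message type 0x01 (ClientHello)."""
    return (len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03
            and data[2] <= 0x04 and data[5] == 0x01)


def client_hello_rule(conns: List[Connection]) -> bool:
    """Content-based rule: TLS user if any TCP stream opens with a ClientHello."""
    return any(c.proto == "tcp" and looks_like_client_hello(c.first_bytes)
               for c in conns)


def classify(records: Dict[str, List[Connection]]) -> Dict[str, Dict[str, bool]]:
    """Per-sample verdicts under both rules; samples with no connections
    are recorded as non-connecting and never counted as TLS users."""
    verdicts = {}
    for name, conns in records.items():
        connects = bool(conns)
        verdicts[name] = {
            "connects": connects,
            "tls_by_port": connects and port_443_rule(conns),
            "tls_by_hello": connects and client_hello_rule(conns),
        }
    return verdicts


def tls_share(verdicts: Dict[str, Dict[str, bool]], key: str = "tls_by_port") -> float:
    """Percentage of network-connecting samples flagged as TLS users by `key`."""
    connecting = [v for v in verdicts.values() if v["connects"]]
    if not connecting:
        return 0.0
    return 100.0 * sum(v[key] for v in connecting) / len(connecting)


def disagreements(verdicts: Dict[str, Dict[str, bool]]) -> set:
    """Samples where the port rule and the ClientHello rule give different answers."""
    return {n for n, v in verdicts.items() if v["tls_by_port"] != v["tls_by_hello"]}


# Constructed inputs: a minimal TLS 1.0-record ClientHello prefix and an HTTP request.
CLIENT_HELLO = bytes.fromhex("160301002a01000026") + b"\x00" * 5
HTTP_GET = b"GET /update.bin HTTP/1.1\r\n"

SANDBOX_RECORDS: Dict[str, List[Connection]] = {
    "sample-A": [Connection("sample-A", "tcp", 443, CLIENT_HELLO)],   # TLS on 443
    "sample-B": [Connection("sample-B", "tcp", 80, HTTP_GET)],        # plain HTTP
    "sample-C": [],                                                   # no network use
    "sample-D": [Connection("sample-D", "tcp", 8443, CLIENT_HELLO)],  # TLS, odd port
    "sample-E": [Connection("sample-E", "tcp", 443, HTTP_GET)],       # plaintext on 443
}

if __name__ == "__main__":
    v = classify(SANDBOX_RECORDS)
    print("TLS share by port rule:  %.1f%%" % tls_share(v, "tls_by_port"))
    print("TLS share by hello rule: %.1f%%" % tls_share(v, "tls_by_hello"))
    print("rules disagree on:", sorted(disagreements(v)))
```

On the constructed input both rules report the same overall share, but for different samples: the port rule misses the ClientHello on 8443 and counts the plaintext request to 443, which is exactly the kind of gap a defender should keep in mind when reading a port-based statistic.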


What about TLSI?

What can organizations do to deal with this new danger? One useful measure could be implementing TLS inspection (TLSI) functionality. I explained how TLSI works here a few months ago:

“Typically, TLSI is conducted with proxy nodes. Forward proxies inspect TLS packets being sent from internal networks to external networks, usually the Internet. Internal proxies can inspect traffic within an internal network, such as a WAN or LAN. A proxy has its own machine identities and it can use them to decrypt TLS packets so that firewalls, intrusion detection systems, and intrusion prevention systems have cleartext they can examine. Proxies can then re-encrypt packets with the use of new certificates as needed in the flow of network traffic. When a TLS session has TLSI at some point, it becomes a ‘TLS chain’ of two independently negotiated TLS connections.”

It can be feasible for enterprise networks to implement TLSI, whether your networks are on premises, in the cloud, or both. In fact, enterprises can scale these efforts and radically increase the efficiency of TLSI by orchestrating the availability of TLS machine identities to inspection systems. But I don’t think it’s feasible for consumer LANs to implement TLSI themselves. Perhaps ISPs could help to provide TLSI to protect their customers from TLS-using malware while they’re accessing the internet from home.

TLS is an absolutely necessary tool to help protect your data from man-in-the-middle attacks, and to help protect your networks from being intercepted by cyber attackers. Unfortunately, TLS can also be a tool for the bad guys. We must be on our toes and keep two steps ahead of them.

About the author

Guest Blogger: Kim Crawley

Kim Crawley writes about all areas of cybersecurity, with a particular interest in malware and social engineering. In addition to Venafi, she also contributes to Tripwire, AlienVault, and Cylance’s blogs. She has previously worked for Sophos and Infosecurity Magazine.
