Richard Blech

Malware Hiding in Encrypted Traffic Becomes an Increasing Threat

The sharp increase in the use of encryption has changed the cybersecurity landscape. Organizations are rightfully ramping up their use of encryption to help ensure that their sensitive data remains confidential. However, organizations have to be aware of both the legitimate and illegitimate applications of the technology they use, and they need to know that threat actors are using encryption for their own purposes. According to Google, 95 percent of its internet traffic uses the encrypted HTTPS protocol. That protocol, and in particular the implementations that still use the deprecated SSL and TLS (1.0 and 1.1) versions, has become a popular vehicle for delivering malware.


Encrypted malware is not new, but its occurrence has skyrocketed in the past few years. It is through the use of secure connections that threat actors have been increasingly breaching networks and launching encrypted attacks. According to one research report, 91.5% of malware in the second quarter of this year came through encrypted HTTPS connections.

During the different phases of ransomware and malware attacks, threat actors leverage encrypted channels to hide their actions. Inside encrypted traffic, malware can move throughout an organization's network without interference. Encrypted traffic is also used as an instrument to conceal the exfiltration of data.

Threat actors are using the protection encryption provides for many different purposes. Mobile devices, a fixture in IoT and IIoT, have become a popular target for malware that leverages the SSL protocol. One research report indicated that data theft, the shifting of financial data out of corporate networks and IP theft are the top three goals of the malware that makes use of encrypted connections.

Critical malware communications are also being concealed within encrypted traffic, allowing the malware to conduct its command-and-control activities, such as receiving a command to move to the next phase of an attack. For example, the Trickbot malware uses HTTPS to conceal communications with its command and control servers. It also uses the protocol to download the modules that execute many of the logic functions needed by the malware. In order to exfiltrate data it has collected, it uses the HTTP POST method.


Many organizations use standard tools like firewalls, anti-malware solutions and intrusion detection systems to probe the traffic trying to enter the network. While these defenses are able to detect malware by relying on scanning, code signatures and other factors, they are essentially blind to malware that is hidden behind encryption.


What does this mean for organizations that want to protect their digital assets? They have to vigilantly monitor and inspect network traffic.

Threat actors rely on the fact that many organizations are less likely to inspect encrypted traffic. Many organizations fail to do so for multiple reasons, including the negative impact it can have on network performance, a lack of the necessary security tools and a shortage of skills and resources. However, the failure to examine HTTPS traffic means that 90 percent of malware is being overlooked, according to one report. It is almost impossible to safeguard a network against attacks that cannot be seen, and the lack of visibility is an extreme liability in an era in which every organization has to be concerned with ransomware.

Some key indicators of encrypted malware are unexpected or unusual volumes of HTTPS traffic to little-known domains and the use of forged or counterfeit TLS certificates. The use of TCP/UDP ports should also be monitored: not only can the use of unusual ports be a concern, so can the use of well-known ports for unusual applications.
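The following is an added example, not code from the original post or from XSOC: it triages constructed TLS connection records for the indicators listed above plus the deprecated TLS versions mentioned earlier (high outbound volume to domains outside an allowlist, untrusted certificates, TLS on unexpected ports, TLS 1.0/1.1). The record layout, field names, allowlist and threshold are assumptions modelled loosely on Zeek-style conn/ssl logs.

```python
# Added example (not from the original post): flag TLS sessions that match the
# indicators described in the text. Record layout, allowlist, ports and the
# volume threshold are assumptions; the sample records are constructed.
from collections import defaultdict

DEPRECATED_VERSIONS = {"SSLv3", "TLSv10", "TLSv11"}        # deprecated SSL/TLS
EXPECTED_TLS_PORTS = {443, 8443}                           # where TLS is expected
KNOWN_DOMAINS = {"updates.example.com", "mail.example.com"} # assumed allowlist
VOLUME_THRESHOLD = 5_000_000   # bytes per destination per window (assumed)

# Constructed records: (src, dst_host, dst_port, bytes_out, tls_version, cert_status)
SAMPLE_RECORDS = [
    ("10.0.0.5", "updates.example.com", 443, 120_000, "TLSv13", "ok"),
    ("10.0.0.5", "cdn-7a9.example.net", 443, 4_000_000, "TLSv12", "self_signed"),
    ("10.0.0.5", "cdn-7a9.example.net", 443, 2_500_000, "TLSv12", "self_signed"),
    ("10.0.0.9", "mail.example.com", 443, 50_000, "TLSv11", "ok"),
    ("10.0.0.9", "198.51.100.23", 8081, 30_000, "TLSv12", "unable_to_get_issuer"),
]


def analyze(records):
    """Return {dst_host: sorted indicator names} for destinations worth a look."""
    findings = defaultdict(set)
    volume = defaultdict(int)
    for _src, host, port, nbytes, version, cert in records:
        volume[host] += nbytes                      # aggregate per destination
        if version in DEPRECATED_VERSIONS:
            findings[host].add("deprecated_tls_version")
        if cert != "ok":                            # self-signed / unverifiable chain
            findings[host].add("untrusted_certificate")
        if port not in EXPECTED_TLS_PORTS:          # TLS where it is not expected
            findings[host].add("tls_on_unusual_port")
    for host, total in volume.items():              # volume check after aggregation
        if total > VOLUME_THRESHOLD and host not in KNOWN_DOMAINS:
            findings[host].add("high_volume_to_unknown_domain")
    return {host: sorted(hits) for host, hits in findings.items()}


if __name__ == "__main__":
    for host, hits in analyze(SAMPLE_RECORDS).items():
        print(f"{host}: {', '.join(hits)}")
```

In practice the records would come from a flow or TLS-metadata log rather than an inline list, and the allowlist and threshold would be tuned to the network's normal baseline.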

Decrypting network traffic is another way organizations can gain a fuller picture of the threats in their systems, and it aligns with the zero trust approach to security. Incoming traffic can be routed to dedicated security devices that decrypt and inspect it. Once the absence of malware has been confirmed, the traffic is re-encrypted and sent on its way. While this approach is not without its detractors (there are multiple privacy and compliance concerns, such as those related to the recording of data and deep packet inspection), proponents of decrypting network traffic to detect malware believe that it is necessary.


Despite the ways in which threat actors can abuse some encryption protocols, organizations need encryption technology to protect their data. Data encryption has to be included in every organization's multilayered cybersecurity framework, along with the right policies, to create a level of security that will protect the integrity of an organization's IT systems and data.

In particular, Encrypted Broadcast Protocol (EBP) secures data transmissions across any type of network, with or without SSL certificates. Its inline symmetric encryption enciphers each packet directly for unsurpassed data security and would significantly diminish the risk of the malware exploits that hide within the encrypted network traffic described above.

At XSOC CORP, we understand the ongoing threat of ransomware. Our company provides a family of cybersecurity tools that can be easily integrated into an existing IT system to protect data and function as an essential part of your organization’s cybersecurity infrastructure. Contact us today to get started.
