Threat Management

SSL encrypted malware doubles this year, phishing over SSL/TLS up 400%

Increasingly sophisticated malware strains are using SSL to encrypt their activity with malicious SSL encrypted content more than doubling in the last six months according to a study from Zscaler ThreatLabZ reported in an infographic.

On average 60 percent of the transactions in the Zscaler cloud, which it says is the largest security cloud, have been delivered over SSL/TLS, with an average of 8.4 million SSL/TLS-based security blocks per day this year.

In an email statement to SC, Deepen Desai, senior director, security research and operations at Zscaler commented: “Hackers are increasingly using SSL to conceal device infections, shroud data exfiltration and hide botnet command and control communications. In fact, our study found that the amount of phishing attempts per day delivered over SSL/TLS has increased 400 percent from 2016.”  Phishing attempts delivered over SSL TLS reached 12,000 per day; leading Desai to conclude, “SSL inspection is a necessity in ensuring the security of network traffic in the enterprise.”

However, despite using hardware to detect and block these attacks, SSL inspection is not always enabled due to excess costs or latency issues.

ThreatLabZ researchers also identified new malicious payload distributions based on unique payloads hitting the Zscaler Cloud Sandbox, leveraging SSL/TLS for command and control (C&C) activity. Banking Trojans comprised 60 percent of the payloads, including families such as Dridex, Zbot, Vawtrak and Trickbot, while 25 percent were comprised of multiple ransomware families. Less popular payloads included Infostealer Trojan families and other miscellaneous families.

Additional findings include:

  • New, increasingly sophisticated malware strains use SSL to encrypt their C&C mechanisms.
  • Zscaler saw an average of 300 hits per day for web exploits that included SSL as part of the infection chain.
  • The most prevalent malware family leveraging SSL-based callbacks was Dridex/Emotet, which contributed 34 percent of the total unique, new payloads in 2017.
  • New malicious payloads leveraging SSL/TLS for C&C activity:
    • 60 percent were comprised of multiple Banking Trojan families (Zbot, Vawtrak, Trickbot, etc.)
    • 25 percent were comprised of ransomware families
    • 12 percent were comprised of Infostealer Trojan families (Fareit, Papras, etc.)
    • Three percent were from other miscellaneous families.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.