The criminal use of encryption to hide malware is growing rapidly. In the first half of 2019 the use of encryption by malware almost equaled the entire encrypted volume of 2018, and is not likely to slow. Today, nearly a quarter of malware communicates using TLS.
The reason is simple: encryption obfuscates malware code, making it difficult to analyze; prevents users from accessing the component files in the event of an infection; and hides and secures the attackers' malicious network communication. In short, malware encryption makes it harder for traditional defenses to detect and mitigate that malware.
Malware normally collects victim machine data as the first phase of victim reconnaissance. If this data is encrypted before being sent back to the attacker -- especially if the destination is a legitimate service (like Pastebin or GitHub) that also normally communicates with encryption -- it is less likely to be detected as any form of communication from internal malware to external attacker.
The success of hiding malware communications within encryption may partly explain the growth of malware taking new instructions from its C2 server over having the entire functionality coded within the malware. This in turn makes the initial malware infection smaller and less likely to be detected. "Without the protective layer of TLS encryption obfuscating the contents of this communication,"
writes SophosLabs threat researcher Luca Nagy, "a sharp-eyed analyst or data loss prevention tool might easily catch this type of theft in the act, before any harm may come as a result."