HTTPS Attacks - Malware Distribution



In layman's terms:

Protagonists
Bob: A visitor to a small shop.
Alice: The shop owner.
Jack: A prankster.

Jack wants to harm Alice's shop and her customers like Bob.

Jack sneaks into Alice's shop and secretly places harmful items (malware) among the regular products.

When Bob enters the shop and buys what looks like a regular product, he unknowingly takes home one of the harmful items. Bob, trusting the shop's reputation, uses the harmful item and suffers as a result.

Alice, unaware of Jack's actions, continues to run her shop, not realizing that her customers are being harmed by the malicious items Jack has distributed.

Scenario: Focus on distributing malicious software to users' devices.

Scenario

  1. Two potential starting points here:
  • The discovery of vulnerabilities: let's say attackers start by identifying security weaknesses on a target website. These vulnerabilities could exist in the server, the application code, or even in containerized environments such as the Docker images the website runs on. Once identified, the attackers exploit these weaknesses to plant malware that any visiting client will eventually fetch or interact with.
  • The creation of a malicious website: let's say attackers set up a malicious website with the intent of distributing malware. The website looks legitimate and uses HTTPS to encrypt communications between the site and its users. The attacker obtains a valid SSL/TLS certificate, often through a free certificate authority, making the site appear secure and trustworthy.
  2. User interaction with the distribution point: through phishing emails, legitimate or malicious advertisements (malvertising), social engineering tactics, etc.

  3. Malware distribution: when clients visit the website, they are prompted to click here or there, download a file, or run an upgrade, each presented as a legitimate action, utility, or document. Because the site uses HTTPS, the connection is encrypted and users see the padlock icon in their browser, giving them a false sense of security.

  4. Execution of the malware: the downloaded software installs malware on the client system to perform a variety of malicious actions, such as stealing sensitive information, passively listening to operations, encrypting files for ransom (ransomware), creating a backdoor for further exploitation, and more.

Strengths

  • Encrypted malware delivery: because the connection is encrypted, network-based security solutions (such as intrusion detection systems) may not detect the malicious file in transit. This creates a false sense of security on the defender's side and gives the attacker more room to interact with the victim unobserved.
  • Widespread infection: the tactic can lead to widespread malware infections, as users are more likely to trust and download from a site that appears secure.
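Encryption hides the payload, but it does not hide the TLS handshake: the server name (SNI), the certificate issuer, its validity window and whether the chain validates are all visible to a network sensor. The following added example (not part of the original article) triages constructed, simplified Zeek-style ssl.log records with three defender-side heuristics that need no decryption: an untrusted or self-signed chain, a connection with no SNI, and a certificate issued within the last seven days. The field layout, host names, IP addresses, issuer names and the seven-day window are all assumptions chosen for illustration; the output is a triage signal, not a verdict.

```python
"""Triage TLS connection metadata without decrypting anything.

Added example. The records below are constructed, tab-separated and
deliberately simplified (a subset of what Zeek's ssl.log carries); the
field names and values are assumptions, not real telemetry.
"""
from datetime import datetime, timedelta, timezone

FIELDS = ["ts", "orig_h", "resp_h", "server_name", "issuer",
          "not_before", "validation_status"]

# Constructed sample records. "-" means the field is unset, mirroring
# Zeek's convention; all hosts, IPs and issuer names are placeholders.
SAMPLE_LOG = "\n".join([
    "1709251200\t10.0.0.5\t203.0.113.10\tupdates.vendor.test"
    "\tCN=Example Public CA\t2023-06-01T00:00:00Z\tok",
    "1709251260\t10.0.0.5\t198.51.100.7\tinvoice-portal-login.test"
    "\tCN=Example Free CA\t2024-02-27T00:00:00Z\tok",
    "1709251320\t10.0.0.9\t192.0.2.44\t-"
    "\tCN=localhost\t2024-02-28T00:00:00Z\tself signed certificate",
])

# Fixed "now" so the example is deterministic (assumption for the demo).
NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)
NEW_CERT_WINDOW = timedelta(days=7)


def parse_ssl_log(text):
    """Turn tab-separated records into dicts keyed by FIELDS; blank lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        values = line.split("\t")
        if len(values) != len(FIELDS):
            raise ValueError(f"expected {len(FIELDS)} fields, got {len(values)}: {line!r}")
        records.append(dict(zip(FIELDS, values)))
    return records


def triage(text, now=NOW):
    """Return (host_label, [flags]) for every record that raises at least one flag."""
    findings = []
    for rec in parse_ssl_log(text):
        flags = []
        # 1. The chain did not validate (self-signed, unknown CA, expired, ...).
        if rec["validation_status"] != "ok":
            flags.append("chain-not-trusted")
        # 2. No SNI: the client connected to a raw IP or the sensor saw no name.
        if rec["server_name"] == "-":
            flags.append("no-sni")
        # 3. Freshly issued certificate: common for throw-away phishing hosts.
        not_before = datetime.fromisoformat(rec["not_before"].replace("Z", "+00:00"))
        if now - not_before < NEW_CERT_WINDOW:
            flags.append("cert-issued-last-7-days")
        if flags:
            label = rec["server_name"] if rec["server_name"] != "-" else rec["resp_h"]
            findings.append((label, flags))
    return findings


if __name__ == "__main__":
    for host, flags in triage(SAMPLE_LOG):
        print(f"{host}: {', '.join(flags)}")
```

A freshly issued certificate from a free CA is of course not malicious by itself; the value of the heuristic is in combining it with the other signals and with what the organisation already knows about the destination (first time seen, no business relationship, and so on).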

Effect on Privacy, Anonymity, and Hacking Concerns

According to a report by ZScaler (ITPro), there has been a dramatic increase in the use of HTTPS by attackers to distribute malware. In 2021, attacks using HTTPS rose by 300%, with malware (including ransomware) being the most prevalent type of attack. The use of HTTPS allows attackers to cloak their activities, blending in with legitimate encrypted traffic and bypassing network-based security measures. There are many examples of successful exploitation, taking multiple forms:

  • The Parrot TDS (Traffic Direction System) malware campaign involves attackers exploiting vulnerabilities in web servers to inject malicious JavaScript code, using obfuscation and HTTPS (encrypting the malicious traffic) to evade detection. This code profiles the victim's browser and, if certain conditions are met, redirects the browser to download a payload script containing various forms of malware. Read more at Unit 42.

  • Attackers have exploited GitHub's search functionality to distribute malware by creating repositories with popular names and topics. These repositories, disguised as legitimate projects related to tools, video games, and cheats, contained malicious code that users unknowingly downloaded. The attackers used automated updates and fraudulent stars to manipulate search rankings, increasing visibility.

  • Attackers are exploiting cloud services like Google Drive and Dropbox to deliver malware through a campaign dubbed CLOUD#REVERSER. They use phishing emails containing ZIP files with executables that appear as legitimate documents due to a Unicode trick. These files, once executed, set up scripts that download further malicious payloads from cloud services, establish persistence, and connect to command-and-control servers. This method allows attackers to bypass traditional security measures and maintain a low profile by using trusted platforms for malicious activities. For more details, visit The Hacker News.

  • In February 2024, attackers directly leveraged vulnerabilities in ConnectWise ScreenConnect servers to distribute malware such as Cobalt Strike Beacon. These vulnerabilities allowed attackers to execute commands on the compromised servers and have the server deliver malicious payloads over HTTPS.
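Two of the tricks above, a download "presented as a legitimate document" (step 3 of the scenario) and the CLOUD#REVERSER "Unicode trick", can be caught before a user double-clicks the file. The article does not say which Unicode trick was used; this added example (not the article's or the campaign's code) assumes the most widely documented one, the RIGHT-TO-LEFT OVERRIDE character U+202E, which makes a name such as `report<U+202E>fdp.exe` render as `reportexe.pdf`. It also compares the claimed extension with the file's magic bytes, so a `.pdf` whose content starts with the `MZ` header of a Windows executable is flagged. All file names and byte strings are constructed for the demo.

```python
"""Flag downloads whose displayed name lies about their content.

Added example with two checks a mail gateway or endpoint agent can apply:
  1. bidirectional-override characters in the file name (U+202E and
     relatives), which change how the name is rendered;
  2. a mismatch between the claimed extension and the file's magic bytes.
Sample names and byte strings are constructed; the magic-byte table is a
small illustrative subset.
"""

# Unicode bidi embedding/override/isolate controls that can reorder a name.
BIDI_CONTROLS = {"\u202a", "\u202b", "\u202c", "\u202d", "\u202e",
                 "\u2066", "\u2067", "\u2068", "\u2069"}

# Magic bytes -> sniffed type (prefix match on the first bytes).
MAGIC = {
    b"MZ": "exe",          # Windows PE executable
    b"%PDF": "pdf",
    b"PK\x03\x04": "zip",  # also docx/xlsx/pptx/jar containers
    b"\x7fELF": "elf",
}

# Extensions that legitimately carry each sniffed type.
COMPATIBLE = {
    "exe": {"exe", "dll", "scr"},
    "pdf": {"pdf"},
    "zip": {"zip", "docx", "xlsx", "pptx", "jar"},
    "elf": {"elf", "so", "bin", ""},
}


def rendered_name(name):
    """Approximate how a bidi-aware display shows the name: everything after a
    RIGHT-TO-LEFT OVERRIDE (U+202E) is drawn reversed; other controls are invisible."""
    if "\u202e" not in name:
        return "".join(ch for ch in name if ch not in BIDI_CONTROLS)
    head, _, tail = name.partition("\u202e")
    tail = "".join(ch for ch in tail if ch not in BIDI_CONTROLS)
    return head + tail[::-1]


def claimed_extension(name):
    """Extension from the logical (stored) name, with bidi controls stripped."""
    clean = "".join(ch for ch in name if ch not in BIDI_CONTROLS)
    return clean.rsplit(".", 1)[-1].lower() if "." in clean else ""


def sniff_type(data):
    """Identify the content by its leading bytes, or 'unknown'."""
    for prefix, kind in MAGIC.items():
        if data.startswith(prefix):
            return kind
    return "unknown"


def inspect_download(name, data):
    """Return a list of (finding, detail) tuples; an empty list means nothing suspicious."""
    findings = []
    if any(ch in BIDI_CONTROLS for ch in name):
        # The user sees rendered_name(); the OS opens the file by its real extension.
        findings.append(("bidi-override", rendered_name(name)))
    kind = sniff_type(data)
    ext = claimed_extension(name)
    if kind != "unknown" and ext not in COMPATIBLE[kind]:
        findings.append(("content-mismatch", kind))
    return findings


# Constructed samples: a real PDF, an RTLO-disguised executable, an executable
# renamed to .pdf, and an Office document (zip container) that is what it claims.
SAMPLES = [
    ("invoice.pdf", b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n"),
    ("report\u202efdp.exe", b"MZ\x90\x00\x03\x00\x00\x00"),
    ("quarterly_results.pdf", b"MZ\x90\x00\x03\x00\x00\x00"),
    ("offer.docx", b"PK\x03\x04\x14\x00\x06\x00"),
]


if __name__ == "__main__":
    for name, data in SAMPLES:
        print(f"{rendered_name(name)!r}: {inspect_download(name, data) or 'clean'}")
```

Note that the RTLO sample is reported only as `bidi-override`: its real extension is `.exe` and its bytes are a PE file, so content and extension agree. The lie is purely in what the user sees, which is why the two checks complement each other rather than overlap.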


Done!

Thanks and congratulations for reading this to the end. We hope this article brings a little clarity to HTTPS-based infection attacks.