Analyzing SSL/TLS Certificates Used by Malware


Malware has increasingly been making use of encryption to help hide its network traffic in recent years. This makes sense, especially when one realizes that ordinary network traffic is increasingly encrypted as well. Google's own Transparency Report notes that HTTPS traffic now makes up the vast majority of network traffic passed via the Google Chrome browser.
In the past six years we've seen both commodity and targeted attack malware make heavy use of encryption. This is done to evade detection as well as to blend in with normal encrypted traffic. Aside from malware, intrusion frameworks like Cobalt Strike, Metasploit, and Core Impact are making use of it as well. In many cases, this use of encryption extends to the use of X.509 certificates, which are normally used by SSL/TLS.

Source: Trend Micro