Nighthawk Likely to Become Hackers' New Post-Exploitation Tool After Cobalt Strike

    alf9872000

    • 450 views
    • 3 minutes

    A nascent and legitimate penetration testing framework known as Nighthawk is likely to gain threat actors' attention for its Cobalt Strike-like capabilities.

     

    Enterprise security firm Proofpoint said it detected the use of the software in mid-September 2022 with a number of test emails sent using generic subject lines such as "Just checking in" and "Hope this works2."

     

    However, there are no indications that a leaked or cracked version of Nighthawk is being weaponized by threat actors in the wild, Proofpoint researcher Alexander Rausch said in a write-up.

     

    Nighthawk, launched in December 2021 by a company called MDSec, is analogous to its counterparts Cobalt Strike, Sliver, and Brute Ratel, offering a red team toolset for adversary threat simulation. It's licensed for £7,500 (or $10,000) per user for a year.

     

    "Nighthawk is the most advanced and evasive command-and-control framework available on the market," MDSec notes. "Nighthawk is a highly malleable implant designed to circumvent and evade the modern security controls often seen in mature, highly monitored environments."

     

    According to the Sunnyvale-based company, the aforementioned email messages contained booby-trapped URLs, which, when clicked, redirected the recipients to an ISO image file containing the Nighthawk loader.

     

    The obfuscated loader comes with the encrypted Nighthawk payload, a C++-based DLL that uses an elaborate set of features to counter detection and fly under the radar.

     

    Of particular note are mechanisms that can prevent endpoint detection solutions from being alerted about newly loaded DLLs in the current process and evade process memory scans by implementing a self-encryption mode.
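    The two mechanisms above target two different detection points: suppressing DLL-load notifications blinds hooks that fire when a module is mapped, and self-encryption targets the periodic memory scans that would otherwise catch the implant while it sleeps. The following is an added example (not code from Nighthawk, MDSec or Proofpoint, and not a description of how Nighthawk's own routine works) that shows, on constructed memory regions, why a plaintext signature scan stops matching once an implant encrypts itself in memory, and what a scanner can still see afterwards: a private, non-image-backed region whose bytes look random. The region layout, the SHA-256 counter-mode keystream standing in for the implant's cipher, the signature strings and the entropy threshold are all assumptions made for the illustration.

```python
"""Added example: why signature scans miss a self-encrypted implant and what is left to look for.
Constructed regions only; this is not Nighthawk's or Proofpoint's code."""
import hashlib
import math
from dataclasses import dataclass


@dataclass
class Region:
    """One memory region as a process-memory scanner would enumerate it (constructed)."""
    base: int
    protect: str   # page protection as a string, e.g. "RX", "RW", "RWX"
    backed: bool   # True if mapped from an image file on disk, False for private (heap/VirtualAlloc) memory
    data: bytes


def shannon_entropy(buf: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, approaching 8.0 for uniformly random bytes."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def keystream(key: bytes, length: int) -> bytes:
    """SHA-256 in counter mode; an assumed stand-in for whatever cipher an implant applies to itself."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "little")).digest()
        counter += 1
    return bytes(out[:length])


def toggle_encrypt(data: bytes, key: bytes) -> bytes:
    """XOR with the keystream; applying it twice restores the plaintext (the 'wake up' step)."""
    return bytes(a ^ k for a, k in zip(data, keystream(key, len(data))))


# Constructed plaintext signatures of the kind a memory scanner would carry (hypothetical).
SIGNATURES = {
    "pe-header-in-private-memory": b"MZ\x90\x00",
    "beacon-config-string": b"sleep=60000",
}


def signature_hits(region: Region, signatures=SIGNATURES) -> list:
    """Names of the signatures found in the region's bytes, in dictionary order."""
    return [name for name, pattern in signatures.items() if pattern in region.data]


def entropy_findings(regions, threshold: float = 7.0) -> list:
    """Private (non-image-backed) regions whose contents look random, as (base, protect, entropy)."""
    findings = []
    for r in regions:
        if r.backed:
            continue  # image-backed code can be verified against the file on disk instead
        e = shannon_entropy(r.data)
        if e >= threshold:
            findings.append((hex(r.base), r.protect, round(e, 2)))
    return findings


def build_sample_regions():
    """Four constructed regions: the implant awake, the same implant asleep and self-encrypted
    with its protection dropped to RW, an ordinary heap buffer, and a random-looking but
    image-backed region (think of a packed .text section) that the scan must not flag."""
    plaintext = (b"MZ\x90\x00" + b"\x00" * 2048
                 + b"constructed beacon config: sleep=60000;" * 16 + b"\x00" * 1024)
    key = b"constructed-key"
    awake = Region(0x1F0000, "RX", False, plaintext)
    asleep = Region(0x1F0000, "RW", False, toggle_encrypt(plaintext, key))
    heap = Region(0x2A0000, "RW", False, b"A" * 64 + b"\x00" * 4000)
    image = Region(0x7FF80000, "RX", True, keystream(b"not-a-secret", 4096))
    return awake, asleep, heap, image


if __name__ == "__main__":
    awake, asleep, heap, image = build_sample_regions()
    print("awake :", signature_hits(awake), round(shannon_entropy(awake.data), 2))
    print("asleep:", signature_hits(asleep), round(shannon_entropy(asleep.data), 2))
    print("entropy findings:", entropy_findings([awake, asleep, heap, image]))
```

    The awake region matches both constructed signatures; the same bytes asleep match nothing, and because the region is no longer executable a scanner that only walks executable pages never looks at it at all. What survives is the shape of the region: private memory with near-uniform byte statistics. Treat that as a hunting lead rather than a verdict, since compressed buffers and TLS session state in legitimate processes produce the same entropy profile.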

     

    When reached for comment, MDSec told The Hacker News that it isn't aware of any instance of Nighthawk being used for illegitimate activity and that the licenses are distributed only to a handful of closely vetted customers.

     

    With rogue actors already leveraging cracked versions of Cobalt Strike and others to further their post-exploitation activities, Nighthawk could likewise witness similar adoption by groups looking to "diversify their methods and add a relatively unknown framework to their arsenal."

     

    Indeed, the high detection rates associated with Cobalt Strike and Sliver have led Chinese criminal actors to devise alternative offensive frameworks like Manjusaka and Alchimist in recent months.

     

    "Nighthawk is a mature and advanced commercial C2 framework for lawful red team operations that is specifically built for detection evasion, and it does this well," Rausch said.

     

    "Historic adoption of tools like Brute Ratel by advanced adversaries, including those aligned with state interests and engaging in espionage, provides a template for possible future threat landscape developments."

     

    Source

