A nascent and legitimate penetration testing framework known as Nighthawk is likely to gain threat actors' attention for its Cobalt Strike-like capabilities.
Enterprise security firm Proofpoint said it detected use of the software in mid-September 2022 in a number of test emails sent with generic subject lines such as "Just checking in" and "Hope this works2."
However, there are no indications that a leaked or cracked version of Nighthawk is being weaponized by threat actors in the wild, Proofpoint researcher Alexander Rausch said in a write-up.
Nighthawk, launched in December 2021 by a company called MDSec, is analogous to its counterparts Cobalt Strike, Sliver, and Brute Ratel, offering a red team toolset for adversary simulation. It is licensed for £7,500 (about $10,000) per user per year.
"Nighthawk is the most advanced and evasive command-and-control framework available on the market," MDSec notes. "Nighthawk is a highly malleable implant designed to circumvent and evade the modern security controls often seen in mature, highly monitored environments."
According to the Sunnyvale-based company, the email messages in question contained booby-trapped URLs which, when clicked, redirected the recipient to an ISO image file containing the Nighthawk loader.
The obfuscated loader carries the encrypted Nighthawk payload, a C++-based DLL that uses an elaborate set of features to counter detection and stay under the radar.
Of particular note are mechanisms that prevent endpoint detection solutions from being notified about newly loaded DLLs in the current process, and a self-encryption mode that keeps the implant from sitting in plaintext when a scanner reads process memory, so that memory scans looking for known code and strings come up empty.
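The self-encryption mode matters because most process memory scanners look for plaintext code and strings; an implant that re-encrypts itself leaves only a high-entropy blob in an executable region. The block below is an added example, not code from Proofpoint, MDSec or Nighthawk: it applies the complementary hunting heuristic (flag executable memory that is not backed by a file on disk and whose contents look encrypted) to constructed sample regions. The `Region` record, the sample base addresses, the SHA-256 chain standing in for ciphertext and the 7.0 bits/byte threshold are all assumptions made for illustration.

```python
import hashlib
import math
from dataclasses import dataclass
from typing import List, Optional

# Entropy above this (bits per byte, maximum 8.0) is treated as "encrypted or
# compressed". The cut-off is an assumption chosen for this example; tune it
# against your own baseline of legitimate executable regions.
ENTROPY_THRESHOLD = 7.0


@dataclass
class Region:
    """One committed memory region as a memory scanner would enumerate it."""
    base: int
    data: bytes
    protect: str            # simplified protection string, e.g. "RX", "RW"
    backing: Optional[str]  # path of the mapped image, or None if private


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty or constant input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def is_suspicious(region: Region, threshold: float = ENTROPY_THRESHOLD) -> bool:
    """Executable, not backed by a file on disk, and looks encrypted."""
    executable = "X" in region.protect
    unbacked = region.backing is None
    return executable and unbacked and shannon_entropy(region.data) >= threshold


def scan(regions: List[Region]) -> List[int]:
    """Return the base addresses of regions worth a closer look."""
    return [r.base for r in regions if is_suspicious(r)]


# --- constructed sample memory, standing in for a live process dump ----------

def pseudo_random(size: int, seed: bytes) -> bytes:
    """Deterministic high-entropy bytes (SHA-256 chain) standing in for
    ciphertext; deterministic so the sample is reproducible offline."""
    out = bytearray()
    block = seed
    while len(out) < size:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:size])


def fake_plaintext_module(size: int) -> bytes:
    """Crude stand-in for an unencrypted PE image: recognisable header,
    strings and zero padding, i.e. exactly what signature scans key on."""
    header = b"MZ\x90\x00\x03\x00\x00\x00PE\x00\x00"
    strings = b"This program cannot be run in DOS mode.\r\n" * 20
    return (header + strings).ljust(size, b"\x00")[:size]


SAMPLE_REGIONS = [
    # Legitimate module mapped from disk: executable but file-backed.
    Region(0x7FF6_1000_0000, fake_plaintext_module(4096), "RX",
           r"C:\Windows\System32\kernel32.dll"),
    # Private executable memory holding an implant that has encrypted itself.
    Region(0x1C0_0000_0000, pseudo_random(4096, b"sleeping-implant"), "RX", None),
    # Private executable memory holding a plaintext payload: entropy will NOT
    # flag it; this is the case a signature/YARA scan must cover instead.
    Region(0x1D0_0000_0000, fake_plaintext_module(4096), "RX", None),
    # Encrypted data on a heap: high entropy but not executable.
    Region(0x0000_0200_0000, pseudo_random(4096, b"heap-blob"), "RW", None),
]

if __name__ == "__main__":
    for r in SAMPLE_REGIONS:
        print(f"{r.base:#014x} {r.protect:3} entropy={shannon_entropy(r.data):.2f} "
              f"backed={'yes' if r.backing else 'no'} "
              f"{'SUSPICIOUS' if is_suspicious(r) else ''}")
    print("flagged:", [hex(b) for b in scan(SAMPLE_REGIONS)])
```

Only the encrypted, unbacked, executable region is flagged. The plaintext payload region at the third base is deliberately left alone by this heuristic: that is the gap a signature or YARA scan is meant to cover, and self-encryption is the implant's answer to that scan from the other side, which is why a memory-hunting pipeline runs both checks. Entropy alone also fires on legitimate packed or JIT-compiled code, so treat a hit as a lead for a closer look, not a verdict.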
With rogue actors already leveraging cracked versions of Cobalt Strike and other frameworks to further their post-exploitation activities, Nighthawk could see similar adoption by groups looking to "diversify their methods and add a relatively unknown framework to their arsenal."
Indeed, the high detection rates associated with Cobalt Strike and Sliver have led Chinese criminal actors to devise alternative offensive frameworks such as Manjusaka and Alchimist in recent months.
"Nighthawk is a mature and advanced commercial C2 framework for lawful red team operations that is specifically built for detection evasion, and it does this well," Rausch said.
"Historical adoption of tools like Brute Ratel by advanced adversaries, including those aligned with state interests and engaging in espionage, provides a template for possible future threat landscape developments."