Security researchers are warning that a new red-teaming tool dubbed “Nighthawk” may soon be leveraged by threat actors.
Developed in late 2021 by MDSec, the tool is best described as an advanced C2 framework, which functions, like Cobalt Strike and Brute Ratel, as a commercially distributed remote access trojan (RAT) designed for legitimate use.
However, like the latter two tools, it could soon be co-opted by those with nefarious intent, Proofpoint warned in a new report.
The vendor claimed to have recorded a 161% increase in the malicious use of Cobalt Strike between 2019 and 2020, for example. Other tools like Sliver and Brute Ratel have found their way into malicious campaigns within months of their release, it said.
“Historically, threat actors have integrated legitimate tools into their arsenal for various reasons, such as complicating attribution, leveraging specific features such as endpoint detection evasion capabilities or simply due to ease of use, flexibility, and availability,” said Proofpoint.
“In the last few years, threat actors from cyber-criminals to advanced persistent threat actors have increasingly turned to red-teaming tools to achieve their goals.”
Proofpoint’s analysis revealed an “extensive list of configurable evasion techniques” referred to as “opsec” functions in the product’s code.
They include ways to prevent endpoint detection notifications and to evade process memory scans.
“Nighthawk implements a technique that can prevent endpoint detection solutions from receiving notifications for newly loaded DLLs in the current process context via callbacks that were registered with LdrRegisterDllNotification,” the report explained. “This technique is enabled by the clear-dll-notifications option.”
Nighthawk also features multiple types of self-encryption that can be configured to evade process memory scans, including “no-stub-rop,” which uses “return oriented programming” to implement the encryption logic.
Security vendors must take note of the new capabilities in order to provide effective protection to their customers, Proofpoint concluded.
“While Proofpoint researchers are not aware of adoption of Nighthawk in the wild by attributed threat actors, it would be incorrect and dangerous to assume that this tool will never be appropriated by threat actors with a variety of intents and purposes,” it added.