Security researchers are warning that a new red-teaming tool dubbed “Nighthawk” may soon be leveraged by threat actors.
Created in late 2021 by MDSec, the tool is best described as an advanced C2 framework. Like Cobalt Strike and Brute Ratel, it is a commercially distributed remote access trojan (RAT) designed for legitimate use.
However, like the latter two tools, it could soon be co-opted by those with nefarious intent, Proofpoint warned in a new report.
The vendor claimed to have recorded a 161% increase in the malicious use of Cobalt Strike between 2019 and 2020, for example. Other tools like Sliver and Brute Ratel have found their way into malicious campaigns within months of their release, it said.
“Historically, threat actors have integrated legitimate tools into their arsenal for various reasons, such as complicating attribution, leveraging specific features such as endpoint detection evasion capabilities or simply due to ease of use, flexibility, and availability,” said Proofpoint.
“In the last few years, threat actors from cyber-criminals to advanced persistent threat actors have increasingly turned to red-teaming tools to achieve their goals.”
Proofpoint’s analysis revealed an “extensive list of configurable evasion techniques” referred to as “opsec” functions in the product’s code.
They include ways to prevent endpoint detection notifications and to evade process memory scans.
“Nighthawk implements a technique that can prevent endpoint detection products from receiving notifications for newly loaded DLLs in the current process context via callbacks that were registered with LdrRegisterDllNotification,” the report explained. “This technique is enabled by the clear-dll-notifications option.”
Nighthawk also features several types of self-encryption that can be configured to evade process memory scans, including “no-stub-rop,” which uses “return oriented programming” to implement the encryption logic.
Security vendors should take note of the new capabilities in order to deliver effective protection to their customers, Proofpoint concluded.
“While Proofpoint researchers are not aware of adoption of Nighthawk in the wild by attributed threat actors, it would be incorrect and dangerous to assume that this tool will never be appropriated by threat actors with a variety of intents and purposes,” it added.