Security researchers are warning that a new red-teaming tool dubbed “Nighthawk” may soon be leveraged by threat actors.
Developed in late 2021 by MDSec, the tool is best described as an advanced C2 framework, which, like Cobalt Strike and Brute Ratel, functions as a commercially distributed remote access trojan (RAT) intended for legitimate use.
However, like the latter two tools, it could soon be co-opted by those with nefarious intent, Proofpoint warned in a new report.
The vendor claimed to have recorded a 161% increase in the malicious use of Cobalt Strike between 2019 and 2020, for example. Other tools like Sliver and Brute Ratel have found their way into malicious campaigns within months of their release, it said.
“Historically, threat actors have integrated legitimate tools into their arsenal for various reasons, such as complicating attribution, leveraging specific features such as endpoint detection evasion capabilities or simply due to ease of use, flexibility, and availability,” said Proofpoint.
“In the last few years, threat actors from cyber-criminals to advanced persistent threat actors have increasingly turned to red-teaming tools to achieve their goals.”
Proofpoint’s analysis revealed an “extensive list of configurable evasion techniques” referred to as “opsec” functions in the product’s code.
They include methods to prevent endpoint detection notifications and to evade process memory scans.
“Nighthawk implements a technique that can prevent endpoint detection products from receiving notifications for newly loaded DLLs in the current process context through callbacks that were registered with LdrRegisterDllNotification,” the report explained. “This technique is enabled by the clear-dll-notifications option.”
Nighthawk also features several types of self-encryption that can be configured to evade process memory scans, including “no-stub-rop,” which uses return-oriented programming to implement the encryption logic.
Security vendors should take note of the new capabilities in order to provide effective protection to their customers, Proofpoint concluded.
“While Proofpoint researchers are not aware of adoption of Nighthawk in the wild by attributed threat actors, it would be incorrect and dangerous to assume that this tool will never be appropriated by threat actors with a variety of intents and purposes,” it added.
Some parts of this article are sourced from:
www.infosecurity-magazine.com