December 8, 2022
A nascent and legitimate penetration testing framework known as Nighthawk is likely to gain threat actors' attention for its Cobalt Strike-like capabilities. Enterprise security firm Proofpoint said it detected the use of the software in mid-September 2022 with a number of test emails sent using generic subject lines such as "Just checking in" and "Hope…

A nascent and legitimate penetration testing framework known as Nighthawk is likely to gain threat actors’ attention for its Cobalt Strike-like capabilities.

Enterprise security firm Proofpoint said it detected the use of the software in mid-September 2022 with a number of test emails sent using generic subject lines such as “Just checking in” and “Hope this works2.”

However, there are no indications that a leaked or cracked version of Nighthawk is being weaponized by threat actors in the wild, Proofpoint researcher Alexander Rausch said in a write-up.

Nighthawk, launched in December 2021 by a company called MDSec, is analogous to its counterparts Cobalt Strike, Sliver, and Brute Ratel, offering a red team toolset for adversary threat simulation. It’s licensed for £7,500 (or $10,000) per user for a year.

“Nighthawk is the most advanced and evasive command-and-control framework available on the market,” MDSec notes. “Nighthawk is a highly malleable implant designed to circumvent and evade the modern security controls often seen in mature, highly monitored environments.”

According to the Sunnyvale-based company, the aforementioned email messages contained booby-trapped URLs, which, when clicked, redirected the recipients to an ISO image file containing the Nighthawk loader.

The obfuscated loader comes with the encrypted Nighthawk payload, a C++-based DLL that uses an elaborate set of features to counter detection and fly under the radar.

Of particular note are mechanisms that can prevent endpoint detection solutions from being alerted about newly loaded DLLs in the current process and evade process memory scans by implementing a self-encryption mode.

When reached for comment, MDSec told The Hacker News that it isn’t aware of any instance of Nighthawk being used for illegitimate activity and that the licenses are distributed only to a handful of closely vetted customers.

With rogue actors already leveraging cracked versions of Cobalt Strike and others to further their post-exploitation activities, Nighthawk could likewise witness similar adoption by groups looking to “diversify their methods and add a relatively unknown framework to their arsenal.”

Indeed, the high detection rates associated with Cobalt Strike and Sliver have led Chinese criminal actors to devise alternative offensive frameworks like Manjusaka and Alchimist in recent months.

“Nighthawk is a mature and advanced commercial C2 framework for lawful red team operations that is specifically built for detection evasion, and it does this well,” Rausch said.

“Historic adoption of tools like Brute Ratel by advanced adversaries, including those aligned with state interests and engaging in espionage, provides a template for possible future threat landscape developments.”

Source