"Experts Warn Threat Actors May Abuse Red Team Tool Nighthawk"

Security researchers at Proofpoint warn that a new red-teaming tool dubbed "Nighthawk" may soon be leveraged by threat actors. Created in late 2021 by MDSec, the tool is best described as an advanced command-and-control (C2) framework. Like Cobalt Strike and Brute Ratel, it is a commercially distributed remote access trojan (RAT) sold for legitimate use, and the researchers noted that, like those two tools, it could soon be co-opted by those with nefarious intent. For example, the researchers claim to have recorded a 161% increase in the malicious use of Cobalt Strike between 2019 and 2020, and they stated that other tools such as Sliver and Brute Ratel found their way into malicious campaigns within months of their release. Historically, threat actors have integrated legitimate tools into their arsenals for various reasons: complicating attribution, leveraging specific features such as endpoint detection evasion capabilities, or simply ease of use, flexibility, and availability.

The researchers stated that Nighthawk implements a technique that can prevent endpoint detection products from receiving notifications for newly loaded DLLs in the current process context via callbacks that were registered with LdrRegisterDllNotification. This technique is enabled by the clear-dll-notifications option. Because these callbacks are user-mode routines registered inside the affected process, the bypass silences in-process sensors only; telemetry collected from outside the process is not affected by it. The researchers stated that Nighthawk also features several types of self-encryption that can be configured to evade process memory scans, including "no-stub-rop," which uses return-oriented programming to implement the encryption logic.

The researchers noted that security vendors should take note of the new capabilities in order to deliver effective protection to their customers. The researchers are unaware of the adoption of Nighthawk in the wild by attributed threat actors, but it would be incorrect and dangerous to assume that this tool will never be appropriated by threat actors with a variety of intents and purposes.
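The DLL-notification clearing described above, modeled in portable C as an added example. This is not Windows loader code, not Nighthawk's implementation, and not taken from the Infosecurity or Proofpoint write-ups. The model keeps registrations in a doubly-linked list the way ntdll does and uses the documented LDR_DLL_NOTIFICATION_REASON_* values, but the entry layout, the list-head name, the function names (Ldr_RegisterDllNotification, Ldr_NotifyDllLoaded, ClearDllNotifications, IsNotificationStillRegistered, RunScenario) and the sample DLL paths are the model's own assumptions. It shows why unlinking the entries works (the sensor's cookie still looks valid, yet its callback never fires) and one self-check a sensor can run to notice that its entry has been unlinked.

```c
/* Added example: a portable model of loader DLL-load notifications, a
 * "clear notifications" routine that unlinks every registered callback,
 * and a defender self-check. Entry layout and names are assumptions. */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

#define LDR_DLL_NOTIFICATION_REASON_LOADED   1   /* documented value */
#define LDR_DLL_NOTIFICATION_REASON_UNLOADED 2   /* documented value */

typedef struct _LIST_ENTRY {
    struct _LIST_ENTRY *Flink;
    struct _LIST_ENTRY *Blink;
} LIST_ENTRY;

/* Subset of the notification data handed to callbacks: the image path. */
typedef struct { const char *FullDllName; } LDR_DLL_NOTIFICATION_DATA;

typedef void (*LDR_DLL_NOTIFICATION_FUNCTION)(unsigned long Reason,
        const LDR_DLL_NOTIFICATION_DATA *Data, void *Context);

/* Loader-private registration record (assumed layout). The cookie returned
 * to the registering code is a pointer to this entry. */
typedef struct {
    LIST_ENTRY List;
    LDR_DLL_NOTIFICATION_FUNCTION Callback;
    void *Context;
} LDR_DLL_NOTIFICATION_ENTRY;

/* Model of the loader's private list head. */
static LIST_ENTRY g_notification_list = { &g_notification_list, &g_notification_list };

/* Register a callback: InsertTailList on the private list, return the cookie. */
static void *Ldr_RegisterDllNotification(LDR_DLL_NOTIFICATION_FUNCTION cb, void *ctx)
{
    LDR_DLL_NOTIFICATION_ENTRY *e = calloc(1, sizeof *e);
    if (!e) return NULL;
    e->Callback = cb;
    e->Context = ctx;
    e->List.Flink = &g_notification_list;
    e->List.Blink = g_notification_list.Blink;
    g_notification_list.Blink->Flink = &e->List;
    g_notification_list.Blink = &e->List;
    return e;
}

/* What the loader does after mapping an image: walk the list, call everyone. */
static void Ldr_NotifyDllLoaded(const char *path)
{
    LDR_DLL_NOTIFICATION_DATA data = { path };
    for (LIST_ENTRY *p = g_notification_list.Flink; p != &g_notification_list; p = p->Flink) {
        LDR_DLL_NOTIFICATION_ENTRY *e = (LDR_DLL_NOTIFICATION_ENTRY *)p;
        e->Callback(LDR_DLL_NOTIFICATION_REASON_LOADED, &data, e->Context);
    }
}

/* The clearing step: RemoveEntryList on every entry so the walk above finds
 * nothing. Nothing is freed, so cookies held by other code stay valid-looking. */
static size_t ClearDllNotifications(void)
{
    size_t removed = 0;
    LIST_ENTRY *p = g_notification_list.Flink;
    while (p != &g_notification_list) {
        LIST_ENTRY *next = p->Flink;
        p->Blink->Flink = p->Flink;
        p->Flink->Blink = p->Blink;
        p->Flink = p->Blink = p;     /* detached entry points at itself */
        removed++;
        p = next;
    }
    return removed;
}

/* Defender self-check: is our cookie still reachable from the list head? */
static int IsNotificationStillRegistered(const void *cookie)
{
    for (LIST_ENTRY *p = g_notification_list.Flink; p != &g_notification_list; p = p->Flink)
        if ((const void *)p == cookie) return 1;
    return 0;
}

/* Stand-in for an in-process EDR sensor: count the loads it hears about. */
static void SensorCallback(unsigned long reason, const LDR_DLL_NOTIFICATION_DATA *data, void *ctx)
{
    (void)data;
    if (reason == LDR_DLL_NOTIFICATION_REASON_LOADED) (*(int *)ctx)++;
}

/* Register, observe one load, clear, observe silence. Writes the number of
 * loads the sensor saw to *seen; returns 1 if the self-check caught the unlink. */
static int RunScenario(int *seen)
{
    int count = 0;
    void *cookie = Ldr_RegisterDllNotification(SensorCallback, &count);
    Ldr_NotifyDllLoaded("C:\\Windows\\System32\\bcrypt.dll");  /* constructed sample */
    int before = IsNotificationStillRegistered(cookie);
    ClearDllNotifications();
    Ldr_NotifyDllLoaded("C:\\Users\\Public\\payload.dll");      /* constructed sample */
    int after = IsNotificationStillRegistered(cookie);
    free(cookie);
    *seen = count;
    return before && !after;
}

int main(void)
{
    int seen = 0;
    int flagged = RunScenario(&seen);
    printf("sensor saw %d load(s); unlink detected: %s\n", seen, flagged ? "yes" : "no");
    return 0;
}
```

The second load never reaches the sensor even though its registration cookie is untouched, which is why an in-process sensor that relies on this callback alone goes blind. Periodically re-walking the list for its own entry, as IsNotificationStillRegistered does, is one cheap way for such a sensor to notice the tampering.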


Infosecurity reports: "Experts Warn Threat Actors May Abuse Red Team Tool Nighthawk"
