Nighthawk Likely to Become Hackers' New Post-Exploitation Tool After Cobalt Strike
2022-11-23 05:40

A nascent and legitimate penetration testing framework known as Nighthawk is likely to gain threat actors' attention for its Cobalt Strike-like capabilities.

There are no indications that a leaked or cracked version of Nighthawk is being weaponized by threat actors in the wild, Proofpoint researcher Alexander Rausch said in a write-up.

Nighthawk, launched in December 2021 by a company called MDSec, is analogous to its counterparts Cobalt Strike, Sliver, and Brute Ratel, offering a red team toolset for adversary threat simulation.

According to the Sunnyvale-based company, the aforementioned email messages contained booby-trapped URLs, which, when clicked, redirected the recipients to an ISO image file containing the Nighthawk loader.

The obfuscated loader comes with the encrypted Nighthawk payload, a C++-based DLL that uses an elaborate set of features to counter detection and fly under the radar.

With rogue actors already leveraging cracked versions of Cobalt Strike and other tools to further their post-exploitation activities, Nighthawk could see similar adoption by groups looking to "diversify their methods and add a relatively unknown framework to their arsenal."


News URL

https://thehackernews.com/2022/11/nighthawk-likely-to-become-hackers-new.html