A sophisticated malicious campaign that researchers call OneClik has been leveraging Microsoft’s ClickOnce software deployment tool and custom Golang backdoors to compromise organizations within the energy, oil, and gas sectors.
The hackers rely on legitimate Amazon Web Services (AWS) offerings (CloudFront, API Gateway, Lambda) to keep the command and control (C2) infrastructure hidden.
ClickOnce is a deployment technology from Microsoft that allows developers to create self-updating Windows-based applications, reducing user interaction to a minimum.
Security researchers at cybersecurity company Trellix analyzed three variants of the campaign (v1a, BPI-MDM, and v1d), all of them deploying “a sophisticated Go-language backdoor” called RunnerBeacon via a .NET-based loader tracked as OneClikNet.
According to the researchers, each version of the OneClik campaign evolved with more advanced tactics, C2 obfuscation, robust anti-analysis, and sandbox evasion techniques.
While operational indicators point to China-affiliated threat actors, the researchers are cautious in making an attribution.
Abusing Microsoft’s ClickOnce deployment tool
OneClik attacks combine legitimate tools with custom malware and with cloud and enterprise tooling, which lets the threat actor keep the operation from being detected.
It starts with a phishing email with a link to a fake hardware analysis site hosted in the Azure ecosystem that delivers a .APPLICATION file (ClickOnce manifest) disguised as a legitimate tool.
Trellix researchers say that the attacker used ClickOnce apps as a delivery mechanism for malicious payloads without triggering a User Account Control (UAC) prompt.
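Because the chain hinges on a .APPLICATION manifest fetched from an attacker-controlled site, one triage step a defender can take is to parse the manifest and list where it will really fetch code from. The script below is an added example, not part of the article or of the Trellix report; the sample manifest and the host names in it are constructed placeholders, and the allowlist of approved update hosts is an assumption.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

ASM_V2 = "{urn:schemas-microsoft-com:asm.v2}"

# Constructed sample ClickOnce deployment manifest (.application). The host
# names are placeholders, not indicators from the reported campaign.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<asmv1:assembly xmlns="urn:schemas-microsoft-com:asm.v2"
    xmlns:asmv1="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <deployment install="true" mapFileExtensions="true">
    <deploymentProvider codebase="https://updates.example.invalid/HardwareAnalyzer.application"/>
  </deployment>
  <dependency>
    <dependentAssembly dependencyType="install"
        codebase="https://cdn.example.invalid/HardwareAnalyzer.exe.manifest" size="1234">
      <assemblyIdentity name="HardwareAnalyzer.exe" version="1.0.0.0"/>
    </dependentAssembly>
  </dependency>
</asmv1:assembly>"""


def triage_manifest(xml_text, allowed_hosts):
    """Return a list of findings for a ClickOnce deployment manifest.

    The manifest names the deploymentProvider the runtime contacts for
    updates and the application manifest/assemblies it downloads. Every
    absolute codebase whose host is not in allowed_hosts is reported so an
    analyst sees where the package actually pulls code from.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for dep in root.iter(ASM_V2 + "deployment"):
        if dep.get("install", "false").lower() == "true":
            findings.append("install=true: app is installed locally (Start Menu entry, kept in the ClickOnce cache)")
    for tag in ("deploymentProvider", "dependentAssembly"):
        for el in root.iter(ASM_V2 + tag):
            host = urlparse(el.get("codebase", "")).hostname
            if host is None:  # relative path, resolved against the manifest's own location
                continue
            if host.lower() not in allowed_hosts:
                findings.append(f"{tag} codebase on unapproved host: {host}")
    return findings


if __name__ == "__main__":
    for finding in triage_manifest(SAMPLE_MANIFEST, {"updates.example.invalid"}):
        print(finding)
```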