Ethical Hacking News

APT42's Stealthy Energy Sector Campaign: Unpacking OneClik's Sophisticated Malware


The OneClik APT campaign targets the energy sector with stealthy backdoors. It abuses Microsoft's ClickOnce deployment technology to deliver a .NET loader, which in turn runs RunnerBeacon, a backdoor written in Go. Attribution remains cautious because there is no concrete proof linking the campaign to a specific threat actor or nation.

  • A stealthy malware campaign tracked by Trellix as OneClik has been identified targeting energy-sector organizations.
  • Initial access relies on phishing emails that deliver ClickOnce applications; the malware runs under trusted Windows processes and uses .NET AppDomainManager injection to load its payload.
  • Command and control is routed through AWS services (CloudFront, API Gateway, Lambda), so beacon traffic looks like ordinary CDN and API usage and is hard to block without collateral damage.
  • The campaign's C2 implant is RunnerBeacon, a Go backdoor with command execution, file management, port forwarding and SOCKS5 proxying, and anti-analysis features.
  • Attribution to a specific threat actor or nation remains cautious: the tooling resembles Geacon and techniques used by China-linked APTs, but no concrete evidence ties it to a named group.



The cybersecurity landscape has recently seen a new and sophisticated malware campaign, tracked as OneClik, targeting the energy sector. At the center of the campaign is a delivery chain that abuses Microsoft's ClickOnce deployment technology to get a .NET loader onto the victim, followed by a backdoor written in Go. Trellix researchers have found evidence suggesting that OneClik is likely run by a China-linked actor, but attribution remains cautious because there is no concrete proof.

    OneClik's delivery mechanism starts with phishing emails carrying links to fake "hardware analysis" tools. Clicking the link launches a ClickOnce application, which the system installs and runs silently under trusted Windows processes (ClickOnce applications are hosted by the Deployment Service, dfsvc.exe). Because the activity originates from legitimate, signed Windows components, it blends in with normal system behaviour and is hard for security software to spot without TLS inspection or behavioural analysis. The campaign has evolved over time, adding evasion techniques such as anti-debugging and sandbox detection.

    The campaign's use of cloud services to hide its communication channels is another notable aspect. The operators stage their C2 behind AWS services such as CloudFront, API Gateway, and Lambda, so malicious traffic terminates at hostnames and IP ranges that are nearly indistinguishable from legitimate CDN and API usage. This "hide in the cloud" tactic is hard to counter: a defender would have to inspect TLS traffic to those endpoints or block large swaths of AWS address space, neither of which is usually feasible.
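    Blocking AWS edge services is rarely an option, so the practical check is behavioural: which processes on a host talk to CloudFront, API Gateway or Lambda URL hostnames, and do they do it on a fixed timer. The script below is an added example (not Trellix's code or an artefact of the campaign) that runs that check over constructed proxy-log lines; the log format, the set of "expected" browser processes, and the beacon thresholds are assumptions to adapt to your own telemetry.

```python
import re
from collections import defaultdict
from datetime import datetime

# Hostname shapes for the AWS services named in the OneClik write-up.
AWS_EDGE_PATTERNS = [
    re.compile(r"\.cloudfront\.net$"),                          # CloudFront distributions
    re.compile(r"\.execute-api\.[a-z0-9-]+\.amazonaws\.com$"),  # API Gateway stages
    re.compile(r"\.lambda-url\.[a-z0-9-]+\.on\.aws$"),          # Lambda function URLs
]

# Processes for which CDN/API traffic is normal (assumption; extend per environment).
EXPECTED_PROCESSES = {"chrome.exe", "msedge.exe", "firefox.exe", "teams.exe", "outlook.exe"}

# Constructed sample lines: "<ISO timestamp> <hostname> <process image> <destination host>".
# ws-07 shows the ClickOnce host process dfsvc.exe beaconing to CloudFront every ~60 s;
# ws-12 shows too few hits to reach the threshold; the chrome.exe lines are benign noise.
SAMPLE_LOG = """
2025-06-20T09:00:00 ws-07 dfsvc.exe d111111abcdef8.cloudfront.net
2025-06-20T09:00:10 ws-07 chrome.exe d222222abcdef8.cloudfront.net
2025-06-20T09:00:12 ws-07 chrome.exe static.example-cdn.com
2025-06-20T09:00:30 ws-12 svchost.exe abc123xyz.execute-api.us-east-1.amazonaws.com
2025-06-20T09:00:45 ws-12 svchost.exe abc123xyz.execute-api.us-east-1.amazonaws.com
2025-06-20T09:01:00 ws-07 dfsvc.exe d111111abcdef8.cloudfront.net
2025-06-20T09:01:00 ws-12 svchost.exe abc123xyz.execute-api.us-east-1.amazonaws.com
2025-06-20T09:02:01 ws-07 dfsvc.exe d111111abcdef8.cloudfront.net
2025-06-20T09:03:00 ws-07 dfsvc.exe d111111abcdef8.cloudfront.net
2025-06-20T09:04:00 ws-07 dfsvc.exe d111111abcdef8.cloudfront.net
2025-06-20T09:05:00 ws-07 chrome.exe d222222abcdef8.cloudfront.net
"""


def parse_line(line):
    """Split one log line into (timestamp, host, process, destination)."""
    ts, host, proc, dest = line.split()
    return datetime.fromisoformat(ts), host, proc.lower(), dest.lower()


def is_aws_edge(dest):
    """True if the destination hostname belongs to one of the AWS edge services above."""
    return any(p.search(dest) for p in AWS_EDGE_PATTERNS)


def find_suspicious_beacons(lines, min_hits=4, max_jitter=0.2):
    """Flag (host, process, destination) triples where a non-browser process reaches an
    AWS edge hostname at least min_hits times with a near-constant interval.
    max_jitter is (max interval - min interval) / mean interval."""
    groups = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        ts, host, proc, dest = parse_line(line)
        if is_aws_edge(dest) and proc not in EXPECTED_PROCESSES:
            groups[(host, proc, dest)].append(ts)

    findings = []
    for (host, proc, dest), times in groups.items():
        if len(times) < min_hits:
            continue
        times.sort()
        deltas = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = sum(deltas) / len(deltas)
        spread = max(deltas) - min(deltas)
        if mean > 0 and spread / mean <= max_jitter:
            findings.append({"host": host, "process": proc, "dest": dest,
                             "hits": len(times), "interval_s": round(mean, 1)})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_beacons(SAMPLE_LOG.splitlines()):
        print(f"{f['host']}: {f['process']} -> {f['dest']} "
              f"({f['hits']} hits, ~{f['interval_s']} s interval)")
```

    The point of grouping by process rather than by destination alone is that CloudFront traffic from a browser is expected, while the same traffic from dfsvc.exe, svchost.exe or an unsigned binary in a user-writable directory is not; the jitter test then separates timer-driven beacons from one-off downloads. Tune min_hits and max_jitter to your data: an implant with randomised sleep will need a looser jitter bound and a longer observation window.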

    The OneClik campaign has been observed against several energy-sector organizations, and the variants seen so far share roughly 99% of their code with earlier OneClik samples. That overlap suggests the individual intrusions are part of one larger operation aimed at the energy sector. The use of .NET AppDomainManager injection as the entry point for OneClik's payloads further underlines its stealth: the loader is pulled in by the .NET runtime itself, through the application's configuration, rather than by any obviously malicious code.
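    AppDomainManager injection leaves a concrete artefact on disk: the .NET Framework reads an appDomainManagerAssembly and appDomainManagerType pair from the application's .exe.config and loads that assembly (resolved from the application directory) before the program's own code runs. The scanner below is an added example (not Trellix's code or a sample from the campaign) that parses such a config, reports the DLL name a responder should look for beside the executable, and also notes the etwEnable="false" runtime setting sometimes paired with this technique to blind ETW-based sensors. The config contents, assembly and type names are constructed for illustration.

```python
import os
import xml.etree.ElementTree as ET

# Constructed example of a tampered <app>.exe.config; the assembly and type names are hypothetical.
TAMPERED_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <runtime>
    <appDomainManagerAssembly value="HwAnalyzer.Core, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <appDomainManagerType value="HwAnalyzer.Core.Manager" />
    <etwEnable enabled="false" />
  </runtime>
</configuration>
"""

# Constructed benign config for comparison: only a supported-runtime declaration.
BENIGN_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <startup>
    <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.8" />
  </startup>
</configuration>
"""


def scan_config_text(xml_text):
    """Return a dict of findings for one .exe.config; an empty dict means nothing suspicious."""
    if isinstance(xml_text, str):
        xml_text = xml_text.encode("utf-8")  # let expat honour the encoding declaration
    findings = {}
    runtime = ET.fromstring(xml_text).find("runtime")
    if runtime is None:
        return findings

    asm = runtime.find("appDomainManagerAssembly")
    if asm is not None:
        full_name = asm.get("value", "")
        # The runtime resolves this assembly from the application base directory,
        # so a DLL with the simple name beside the EXE is the dropped payload.
        simple_name = full_name.split(",")[0].strip()
        findings["assembly"] = full_name
        findings["expected_dll"] = simple_name + ".dll"

    typ = runtime.find("appDomainManagerType")
    if typ is not None:
        findings["type"] = typ.get("value", "")

    etw = runtime.find("etwEnable")
    if etw is not None and etw.get("enabled", "").lower() == "false":
        findings["etw_disabled"] = True
    return findings


def scan_directory(root_dir):
    """Walk root_dir for *.exe.config files and return {path: findings} for the suspicious ones."""
    hits = {}
    for dirpath, _, files in os.walk(root_dir):
        for name in files:
            if not name.lower().endswith(".exe.config"):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    result = scan_config_text(fh.read())
            except (OSError, ET.ParseError):
                continue  # unreadable or malformed config: log elsewhere, do not abort the sweep
            if result:
                hits[path] = result
    return hits


if __name__ == "__main__":
    print("tampered:", scan_config_text(TAMPERED_CONFIG))
    print("benign:  ", scan_config_text(BENIGN_CONFIG))
```

    Run scan_directory over user-writable locations where ClickOnce and other per-user installs land (the per-user AppData\Local\Apps\2.0 ClickOnce cache, Temp, Downloads) rather than over Program Files alone. The same injection can be triggered without a config file through the APPDOMAIN_MANAGER_ASM and APPDOMAIN_MANAGER_TYPE environment variables, so a complete hunt also checks the environment of running .NET processes, which this file-based scanner does not cover.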

    In addition to evading detection, the OneClik campaign exhibits mature command and control (C2) capabilities. RunnerBeacon, the Go backdoor used by OneClik, can execute commands, manage files, escalate privileges, and move laterally through infected networks. It supports port scanning, port forwarding, and SOCKS5 proxying, and it includes anti-analysis features intended to frustrate detection.

    The backdoor's design bears similarities to Geacon, a Go implementation of the Cobalt Strike beacon, suggesting that RunnerBeacon may be a stealthier, cloud-optimized fork or private build of that tooling. The incorporation of techniques often associated with Chinese APTs further supports the suspicion that OneClik is connected to China-affiliated actors.

    Trellix researchers emphasize a cautious attribution stance, because nothing concrete links OneClik to a specific threat actor or nation. In the absence of definitive proof, defenders should focus on recognizing the persistent techniques and TTPs described here (ClickOnce delivery, AppDomainManager injection, and C2 over AWS edge services) rather than on actor names, and should harden detection for those behaviours.

    In conclusion, the OneClik energy-sector campaign represents a significant challenge for defenders. Its combination of legitimate deployment technology, runtime-level injection, cloud-fronted C2 and a capable Go backdoor shows how threat actors continue to refine their methods. Defenders should remain vigilant and adapt their detection and response measures accordingly.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/APT42s-Stealthy-Energy-Sector-Campaign-Unpacking-OneCliks-Sophisticated-Malware-ehn.shtml

  • https://securityaffairs.com/179388/hacking/oneclik-apt-campaign-targets-energy-sector-with-stealthy-backdoors.html


  • Published: Fri Jun 27 08:21:49 2025 by llama3.2 3B Q4_K_M

    © Ethical Hacking News . All rights reserved.