

Ethical Hacking News

Hackers Leverage Microsoft ClickOnce and AWS Services for Stealthy Attacks on Energy, Oil, and Gas Sectors




Hackers have been using Microsoft's ClickOnce software deployment tool and custom Golang backdoors to compromise organizations in the energy, oil, and gas sectors. A recent report by cybersecurity company Trellix found that the malicious campaign, known as OneClik, has been leveraging legitimate AWS cloud services to keep its command and control infrastructure hidden. The attack starts with a phishing email and uses ClickOnce apps as a delivery mechanism for malicious payloads without triggering User Account Control (UAC). The hackers also use AWS CloudFront and API Gateway to blend their command and control communication with harmless CDN traffic.

The OneClik campaign uses a sophisticated Golang backdoor called RunnerBeacon, which has been identified in multiple cyberattacks attributed to Chinese threat actors. Trellix highlights that the .NET AppDomainManager injection technique used by the OneClik attackers is similar to tactics used in other campaigns attributed to Chinese threat actors.

The report from Trellix includes a comprehensive list of indicators of compromise for all components in the OneClik campaign, ranging from phishing lures and malware loaders to configuration files, backdoor binaries, legitimate executables, domains, and configuration parameters. The cybersecurity company warns that the OneClik attacks are stealthy and difficult to detect, making it essential for organizations to stay vigilant.



  • Hackers are using Microsoft's ClickOnce software deployment tool and custom Golang backdoors to compromise organizations in the energy, oil, and gas sectors.
  • The malicious campaign, known as OneClik, leverages legitimate AWS cloud services such as CloudFront, API Gateway, and Lambda to hide its command and control (C2) infrastructure.
  • OneClik attacks combine custom malware with legitimate tools and cloud and enterprise tooling, allowing the threat actor to evade detection.
  • The attack starts with a phishing email with a link to a fake hardware analysis site hosted in the Azure ecosystem that delivers a .APPLICATION file disguised as a legitimate tool.
  • ClickOnce applications offer an appealing delivery mechanism for threat actors who want to avoid triggering privilege-escalation prompts, as they run with user-level privileges.
  • The OneClik campaign uses legitimate AWS services such as CloudFront and API Gateway to blend command and control communication with harmless CDN traffic.
  • This makes it difficult for defenders to notice the malicious activity: they would have to decrypt SSL/TLS traffic or denylist entire AWS domains, which is often impractical.
  • The Golang-based RunnerBeacon backdoor features a modular message protocol with multiple message types and supports high-level commands such as process injection and privilege escalation.
  • RunnerBeacon's design is similar to known Go-based Cobalt Strike beacons, suggesting it may be an evolved fork or privately modified variant of Geacon.
  • The OneClik campaign shares similarities with other China-affiliated campaigns in terms of tactics, techniques, and procedures.



Hackers have been using Microsoft's ClickOnce software deployment tool and custom Golang backdoors to compromise organizations in the energy, oil, and gas sectors. According to a recent report by cybersecurity company Trellix, the malicious campaign, known as OneClik, has been leveraging legitimate AWS cloud services such as CloudFront, API Gateway, and Lambda to keep the command and control (C2) infrastructure hidden.

ClickOnce is a deployment technology from Microsoft that allows developers to create self-updating Windows-based applications with minimal user interaction. Security researchers at Trellix analyzed three variants of the campaign, all of which deployed a sophisticated Golang backdoor called RunnerBeacon via a .NET-based loader tracked as OneClikNet.

The OneClik attacks combine legitimate tools with custom malware and cloud and enterprise tooling, allowing the threat actor to evade detection of the operation. The attack starts with a phishing email with a link to a fake hardware analysis site hosted in the Azure ecosystem that delivers a .APPLICATION file (ClickOnce manifest) disguised as a legitimate tool.

The attacker used ClickOnce apps as a delivery mechanism for malicious payloads without triggering the User Account Control (UAC) mechanism. Because ClickOnce applications run with user-level privileges, they offer an appealing delivery mechanism for threat actors who want to avoid triggering privilege-escalation prompts.

In addition to using Microsoft's ClickOnce deployment tool, the hackers are also leveraging AWS cloud services to keep their C2 infrastructure hidden. The OneClik campaign uses legitimate AWS services such as CloudFront and API Gateway to blend the command and control communication with harmless CDN traffic.

This makes it difficult for defenders to notice the malicious activity, as they must decrypt SSL/TLS traffic or denylist entire AWS domains, which is often impractical. Trellix researchers highlight that by "hiding in the cloud," attackers exploit the high trust and availability of AWS services.

An analysis of the Golang-based RunnerBeacon backdoor showed that its C2 protocol encrypts all traffic using the RC4 stream cipher and serializes data using MessagePack. The backdoor features a modular message protocol with multiple message types, including BeaconData, FileRequest, CommandRequest, SOCKSRequest, and FileUpload.

The researchers also observed high-level commands that allow the threat actor to execute shell commands, enumerate processes, run file operations, carry out network-related tasks, establish a SOCKS5 tunnel to proxy data traffic, and perform advanced operations such as process injection and setting the stage for privilege escalation.

Trellix says that RunnerBeacon's design is similar to known Go-based Cobalt Strike beacons like those in the Geacon family. Due to the similarities in the set of commands and the use of cross-protocol C2, they say that "RunnerBeacon may be an evolved fork or privately modified variant of Geacon, tailored for stealthier, and cloud-friendly operations."

Although the OneClik campaign was discovered recently, at the beginning of March, a variant of the RunnerBeacon loader was identified in September 2023 at a company in the Middle East in the oil and gas sector. The delivery method could not be determined, but the variant's code is almost identical to the analyzed module from the OneClik operation.

The clues pointing to activity related to a China-affiliated state actor include tactics, techniques, and procedures seen in other campaigns attributed to Chinese threat actors. Trellix highlights that the .NET AppDomainManager injection technique has been used in multiple cyberattacks attributed to Chinese threat actors.

Additionally, previous China-linked campaigns show a preference for cloud-based staging using services from Alibaba and Amazon. However, these overlaps are not enough to attribute the OneClik attacks to a specific threat actor. The report from Trellix includes a comprehensive list of indicators of compromise for all components in the OneClik campaign, ranging from phishing lures and malware loaders to configuration files, backdoor binaries, legitimate executables, domains, and configuration parameters.
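As an added example (not code from the Trellix report or the article; the log lines and hostnames are constructed placeholders), a small Python triage script that surfaces the two signals described above without denylisting AWS domains wholesale: a ClickOnce manifest (.application) download, and low-jitter beaconing from one host to a CloudFront or API Gateway endpoint, which ordinary bursty CDN fetches do not exhibit.

```python
import re
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample proxy log in a simplified "epoch src_ip method host path"
# format; the hostnames are placeholders, not indicators from the report.
SAMPLE_LOG = """\
1718000000 10.0.0.5 GET contoso.com /index.html
1718000010 10.0.0.5 GET hw-analysis-demo.azurewebsites.net /tool/HardwareCheck.application
1718000060 10.0.0.5 POST d111111abcdef8.cloudfront.net /api/v1/beacon
1718000120 10.0.0.5 POST d111111abcdef8.cloudfront.net /api/v1/beacon
1718000180 10.0.0.5 POST d111111abcdef8.cloudfront.net /api/v1/beacon
1718000240 10.0.0.5 POST d111111abcdef8.cloudfront.net /api/v1/beacon
1718000065 10.0.0.7 GET d222222abcdef8.cloudfront.net /static/app.js
1718000400 10.0.0.7 GET d222222abcdef8.cloudfront.net /static/logo.png
1718001900 10.0.0.7 GET d222222abcdef8.cloudfront.net /static/app.js
"""

LINE_RE = re.compile(r"^(\d+) (\S+) (\S+) (\S+) (\S+)$")
# CloudFront distributions and API Gateway endpoints, the AWS fronts the article names.
AWS_HOST_RE = re.compile(r"\.(cloudfront\.net|execute-api\.[\w-]+\.amazonaws\.com)$")

def parse(log):
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, src, method, host, path = m.groups()
            yield int(ts), src, method, host, path

def find_clickonce_downloads(log):
    """Return (src, host, path) for every ClickOnce manifest (.application) fetched."""
    return [(s, h, p) for _, s, _, h, p in parse(log)
            if p.lower().endswith(".application")]

def find_periodic_beacons(log, min_hits=4, max_cv=0.1):
    """Return (src, host, mean_interval) for AWS-fronted hosts contacted at least
    min_hits times with near-constant spacing (coefficient of variation <= max_cv)."""
    times = defaultdict(list)
    for ts, src, _, host, _ in parse(log):
        if AWS_HOST_RE.search(host):
            times[(src, host)].append(ts)
    flagged = []
    for (src, host), ts_list in times.items():
        if len(ts_list) < min_hits:
            continue
        ts_list.sort()
        gaps = [b - a for a, b in zip(ts_list, ts_list[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            flagged.append((src, host, round(avg)))
    return flagged
```

Tune min_hits and max_cv to your environment; real beacons add jitter, so a slightly higher max_cv trades false positives for recall.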



    Related Information:
  • https://www.ethicalhackingnews.com/articles/Hackers-Leverage-Microsoft-ClickOnce-and-AWS-Services-for-Stealthy-Attacks-on-Energy-Oil-and-Gas-Sectors-ehn.shtml

  • https://www.bleepingcomputer.com/news/security/oneclik-attacks-use-microsoft-clickonce-and-aws-to-target-energy-sector/


  • Published: Wed Jun 25 16:35:36 2025 by llama3.2 3B Q4_K_M












