OneClik Malware Campaign: A Stealthy Threat to the Energy Sector

Cybersecurity researchers at Trellix have uncovered a malware campaign, dubbed OneClik, targeting the energy, oil and gas sectors. The campaign abuses Microsoft's ClickOnce deployment technology to get a first-stage .NET loader running on the victim's machine and then deploys a custom Golang backdoor, combining .NET configuration abuse, in-memory evasion tricks and command-and-control hidden behind AWS services to stay undetected. The infection chain starts with a phishing email.

OneClik: A New Threat to Critical Infrastructure

The OneClik campaign is notable for how much of it is built from legitimate tools and services. The attackers start with phishing emails that direct victims to fake "hardware analysis" websites. Those sites serve a malicious ClickOnce application; once the user accepts the ClickOnce install prompt, the application runs a .NET loader that decrypts and executes a Golang backdoor Trellix calls RunnerBeacon.

How OneClik Exploits Microsoft ClickOnce

Microsoft ClickOnce is a legitimate deployment technology for .NET applications: a user clicks a link to an .application manifest, and the runtime downloads, installs and later updates the program with minimal interaction and without administrator rights. OneClik turns each of those properties against the victim:

  • Proxying Execution: The ClickOnce runtime host, dfsvc.exe (the Deployment Service), is a Microsoft-signed system binary that fetches the manifest and launches the application. The malicious code therefore runs under a trusted parent process, and process-tree or allow-list rules that trust dfsvc.exe see ordinary ClickOnce activity.

  • User-Level Privileges: ClickOnce installs per user, under the user's profile, and never needs administrator rights. The attackers do not have to escalate privileges to gain their foothold, and the victim never sees a User Account Control (UAC) prompt that might make them pause.

  • AppDomainManager Hijacking: A .NET executable's .config file can name an AppDomainManager assembly and type in its <runtime> section, and the CLR loads and instantiates that type before the program's own Main method runs. The attackers ship a config that points at their loader, so a legitimate, signed .NET executable loads attacker-controlled code at startup without the executable itself being modified.
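
The two endpoint checks that follow from the list above are (a) find .config files that force an AppDomainManager and (b) enumerate what dfsvc.exe has launched, then intersect the two. The Python below is an added example written for this page, not code from Trellix or from the OneClik report; the config contents, paths, process records and the "Stager" assembly name are constructed placeholders, not indicators from the campaign. The element names appDomainManagerAssembly and appDomainManagerType are the real .NET runtime settings.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

# Constructed sample configs. The assembly and type names are hypothetical
# placeholders, not indicators from the OneClik report.
BENIGN_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <startup>
    <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.8"/>
  </startup>
</configuration>"""

HIJACKED_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <startup>
    <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.8"/>
  </startup>
  <runtime>
    <!-- Forces the CLR to load this assembly and instantiate this type
         before the host executable's own Main method runs. -->
    <appDomainManagerAssembly value="Stager, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null"/>
    <appDomainManagerType value="Stager.Init"/>
  </runtime>
</configuration>"""

# Constructed "filesystem snapshot": path -> config text. Paths are illustrative.
SNAPSHOT = {
    r"C:\Program Files\VendorTool\VendorTool.exe.config": BENIGN_CONFIG,
    r"C:\Users\alice\AppData\Local\Apps\2.0\K1\HwAnalyzer.exe.config": HIJACKED_CONFIG,
}

# Constructed process-creation records, fields modelled on Sysmon Event ID 1.
EVENTS = [
    {"Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Users\alice\AppData\Local\Apps\2.0\K1\HwAnalyzer.exe",
     "ParentImage": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"},
    {"Image": r"C:\Program Files\VendorTool\VendorTool.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
]


def appdomain_manager_override(config_xml: str) -> Optional[Dict[str, Optional[str]]]:
    """Return the AppDomainManager assembly/type a .NET config forces the runtime to
    load, or None when the <runtime> section sets neither. Any value here deserves
    review: almost no line-of-business application needs a custom AppDomainManager."""
    runtime = ET.fromstring(config_xml).find("runtime")
    if runtime is None:
        return None
    asm = runtime.find("appDomainManagerAssembly")
    typ = runtime.find("appDomainManagerType")
    if asm is None and typ is None:
        return None
    return {"assembly": asm.get("value") if asm is not None else None,
            "type": typ.get("value") if typ is not None else None}


def scan_configs(snapshot: Dict[str, str]) -> Dict[str, Dict[str, Optional[str]]]:
    """Walk every *.config in the snapshot and keep those carrying an override."""
    hits = {}
    for path, text in snapshot.items():
        try:
            finding = appdomain_manager_override(text)
        except ET.ParseError:
            continue  # not XML (or corrupted); out of scope for this check
        if finding:
            hits[path] = finding
    return hits


def clickonce_launches(events: List[Dict[str, str]]) -> List[str]:
    """Images started by dfsvc.exe. Every ClickOnce application is launched this
    way, so this is the set of deployments to match against an approved publisher
    list, not a verdict on its own."""
    return [e["Image"] for e in events
            if e["ParentImage"].lower().endswith("\\dfsvc.exe")]


def correlate(snapshot: Dict[str, str], events: List[Dict[str, str]]) -> List[str]:
    """ClickOnce-launched binaries whose own .exe.config carries an override."""
    overrides = scan_configs(snapshot)
    return [img for img in clickonce_launches(events) if img + ".config" in overrides]
```

The same override can be set through the APPDOMAIN_MANAGER_ASM and APPDOMAIN_MANAGER_TYPE environment variables rather than the .config file, so a complete hunt also inspects the environment block of .NET processes; and because a ClickOnce application legitimately lives under the user's Apps\2.0 cache, the useful signal is the combination (launched by dfsvc.exe, config forces a manager, publisher not on the approved list), not any one of them.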

Advanced Evasion and Anti-Analysis Techniques

The OneClik campaign layers several detection-evasion and anti-analysis techniques, and they evolve across the three observed variants (v1a, BPI-MDM and v1d):

  • Memory Relocation: v1a manually maps fresh copies of core system modules into memory and calls into those copies, so user-mode hooks that security products place in the normally loaded modules never see the calls.

  • ETW Disabling: Event Tracing for Windows (ETW) is silenced by patching the entry points of EtwEventWrite and NtTraceEvent inside the process, so provider events (including the .NET runtime events some sensors use to observe assembly loads) are dropped before they leave the process.

  • Anti-Debugging Checks: The BPI-MDM variant repeatedly checks for a debugger using both managed (.NET) and native Windows API checks, and exits as soon as one is detected.

  • Sandbox Evasion: The v1d variant profiles its host and terminates if the machine is neither domain-joined nor Azure AD-joined, or has less than 8 GB of physical memory: a cheap test that separates analysis sandboxes from corporate workstations. Detonation environments therefore need to present a joined host with at least 8 GB, or the sample exits before doing anything worth observing.

  • Self-Deletion: To hinder forensics, v1d deletes its own configuration file once it has been loaded, removing the on-disk artefact that would otherwise reveal the AppDomainManager hijack.
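
The ETW patching above is detectable because it changes the first bytes of two exported functions in the live process: a scanner reads those bytes from process memory (or from a memory dump) and compares them with the on-disk image. The following Python is an added example for this page, not Trellix's tooling; it implements only the comparison and classification step over constructed byte strings. The "disk" prologues are illustrative, the NtTraceEvent syscall number is a placeholder, and a real scanner would read the live bytes with ReadProcessMemory or from a dump and take the reference bytes from the exact ntdll build on that host.

```python
from typing import Dict, List, Tuple

# Reference prologues as they would be read from the on-disk ntdll export. These
# byte strings are constructed for the example; take them from your own build.
DISK_PROLOGUES: Dict[str, bytes] = {
    "EtwEventWrite": bytes.fromhex("4c8bdc4883ec58"),    # mov r11,rsp ; sub rsp,0x58
    "NtTraceEvent":  bytes.fromhex("4c8bd1b85e000000"),  # mov r10,rcx ; mov eax,<SSN placeholder>
}

# Byte sequences that make a function return immediately; each is a known way of
# neutering an ETW export in place. Longer patterns are listed before "ret".
KILL_PATCHES: List[Tuple[bytes, str]] = [
    (bytes.fromhex("4833c0c3"),     "xor rax,rax; ret"),
    (bytes.fromhex("33c0c3"),       "xor eax,eax; ret"),
    (bytes.fromhex("b800000000c3"), "mov eax,0; ret"),
    (bytes.fromhex("c3"),           "ret"),
]


def classify(name: str, in_memory: bytes) -> str:
    """Compare the live prologue of an export with its on-disk reference."""
    disk = DISK_PROLOGUES[name]
    mem = in_memory[:len(disk)]
    if mem == disk:
        return "clean"
    for pattern, label in KILL_PATCHES:
        if mem.startswith(pattern):
            return f"patched: {label}"
    # A relative or indirect jmp at the entry is a trampoline. EDRs install these
    # too, so it is a lead to resolve (where does it go?), not a verdict.
    if mem[:1] == b"\xe9" or mem[:2] == b"\xff\x25":
        return "redirected: inline jmp (EDR hook or attacker trampoline; resolve target)"
    return "modified: unrecognised bytes"


def scan(name_to_memory: Dict[str, bytes]) -> Dict[str, str]:
    """Classify every monitored export for one process."""
    return {name: classify(name, raw) for name, raw in name_to_memory.items()}


# Constructed in-memory views of two processes: one untouched, one where
# EtwEventWrite was overwritten with "ret" and NtTraceEvent with "xor rax,rax; ret".
CLEAN_PROCESS = dict(DISK_PROLOGUES)
TAMPERED_PROCESS = {
    "EtwEventWrite": bytes.fromhex("c3") + DISK_PROLOGUES["EtwEventWrite"][1:],
    "NtTraceEvent":  bytes.fromhex("4833c0c3") + DISK_PROLOGUES["NtTraceEvent"][4:],
}
```

Two caveats for anyone turning this into a production check: compare against the ntdll of the running build, not a generic table, or every host looks "modified"; and treat a jmp at the entry as an enrichment task rather than an alert, because legitimate user-mode hooking products patch the same exports.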

Cloud Service Abuse for Command and Control

A key characteristic of the OneClik campaign is its abuse of legitimate Amazon Web Services (AWS) infrastructure for command and control (C2). The C2 endpoints sit behind CloudFront distributions, API Gateway endpoints and Lambda functions, so beacon traffic is HTTPS to hostnames under Amazon-owned domains and is indistinguishable by destination from ordinary cloud usage. Reputation lists and signature-based tools have nothing to match, and TLS inspection only reveals API-style requests to an AWS endpoint. What remains for defenders is behaviour: which process is talking, how regularly and how much, and whether that destination is expected for the host.
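
One behavioural test that still works when the destination is an AWS front door is timing: a backdoor checking in on a fixed sleep with modest jitter produces inter-connection gaps with a very low coefficient of variation, while a person using a CloudFront-hosted site produces bursts and long pauses. The Python below is an added example for this page, not part of the Trellix analysis or of any product; the log format, client addresses and the two CloudFront hostnames are constructed, and the AWS hostname patterns only select candidates for the timing test rather than implying anything about the services themselves.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

# Hostname suffixes of the AWS front-door services the report names. Matching one
# is not suspicious by itself; it only selects candidates for the timing test.
AWS_FRONT_DOORS = re.compile(
    r"(\.cloudfront\.net|\.execute-api\.[a-z0-9-]+\.amazonaws\.com"
    r"|\.lambda-url\.[a-z0-9-]+\.on\.aws)$")

# Constructed log format: "<iso-timestamp> <client-ip> <sni-host> <port> <bytes>".
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<host>\S+) (?P<port>\d+) (?P<bytes>\d+)$")


def _lines(src: str, host: str, gaps: List[int], start: datetime) -> List[str]:
    """Emit one log line at start and one more after each gap (seconds)."""
    out, t = [], start
    for gap in [0] + gaps:
        t += timedelta(seconds=gap)
        out.append(f"{t:%Y-%m-%dT%H:%M:%SZ} {src} {host} 443 640")
    return out


START = datetime(2025, 6, 10, 9, 0, tzinfo=timezone.utc)
# Constructed proxy log: one client checking in roughly every 60 s with small
# jitter, and one browser session to another distribution with bursty timing.
SAMPLE_LOG = (
    _lines("10.1.2.3", "d1a2b3c4example.cloudfront.net", [60, 58, 62, 61, 59, 60, 63, 58], START)
    + _lines("10.1.2.7", "d9z8y7x6example.cloudfront.net", [5, 120, 3, 400, 12, 900, 7], START)
)


def sessions(lines: List[str]) -> Dict[Tuple[str, str], List[datetime]]:
    """Group connection timestamps by (client, destination host)."""
    grouped = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # tolerate unrelated or malformed lines
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        grouped[(m["src"], m["host"])].append(ts)
    return grouped


def beacon_candidates(lines: List[str], min_hits: int = 6, max_cv: float = 0.2) -> List[dict]:
    """Flag AWS-fronted destinations whose inter-connection gaps are too regular.
    cv = stdev/mean of the gaps: a human-driven session is bursty (cv well above 1),
    a beacon with a fixed sleep and modest jitter stays far below 0.2."""
    findings = []
    for (src, host), stamps in sessions(lines).items():
        if not AWS_FRONT_DOORS.search(host) or len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.fmean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else float("inf")
        if cv <= max_cv:
            findings.append({"src": src, "host": host, "hits": len(stamps),
                             "mean_interval_s": round(mean, 1), "cv": round(cv, 3)})
    return findings
```

Expect false positives from software updaters and telemetry agents that also poll CDN-fronted endpoints on a schedule, so baseline per host and, where the proxy records it, per originating process; a ClickOnce-launched binary (a child of dfsvc.exe) that is also the source of metronomic traffic to a CloudFront or API Gateway hostname is the combination worth escalating. Implants with large jitter push the cv up and slip under a 0.2 threshold, so the test is a cheap first filter, not a complete beacon detector.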

The Golang RunnerBeacon Backdoor

The RunnerBeacon backdoor, written in Golang, is a sophisticated implant capable of extensive malicious activities, including:

  • File operations

  • Process enumeration and termination

  • Shell command execution

  • Privilege escalation (token theft and impersonation)

  • Lateral movement

  • Network operations (port scanning, port forwarding, SOCKS5 proxying)

RunnerBeacon shares significant structural and functional similarities with known Go reimplementations of the Cobalt Strike beacon, which suggests it is an evolved or modified variant tailored for stealthy, cloud-fronted operations.

Attribution and Overlaps with Other Campaigns

Attribution remains cautious. The techniques used in OneClik, notably AppDomainManager hijacking and in-memory payload decryption, echo methods seen in Chinese APT operations, and Trellix researchers note overlaps in tactics, techniques and procedures (TTPs) with other campaigns, including the Earth Baxia intrusions and activity reported by AhnLab and TGSoft. These shared TTPs include:

  • .NET AppDomainManager hijacking for early payload insertion.

  • Deployment of encrypted payloads using .NET loaders.

  • Use of beacon-like backdoors mimicking Cobalt Strike behavior.

  • Abuse of trusted cloud infrastructure (AWS, Alibaba Cloud) for staging and C2.

Despite these overlaps, no definitive attribution to a specific threat actor or nation has been made. The persistent TTPs are nonetheless what defenders should build on: each one (a ClickOnce launch, an AppDomainManager override in a .config file, patched ETW exports, regular HTTPS check-ins to an AWS front door) is observable on the endpoint or at the proxy, and detection logic keyed on those behaviours survives changes to the specific malware.

As cyber threats become increasingly sophisticated, your security strategy must evolve to keep pace. BetterWorld Technology offers adaptive cybersecurity solutions that grow with the threat landscape, helping your business stay secure while continuing to innovate. Reach out today to schedule your personalized consultation.

Sources

  • Trellix details OneClik malware campaign targeting energy, oil and gas sectors using ClickOnce, cloud evasion, Industrial Cyber.

  • OneClik Malware Targets Energy Sector Using Microsoft ClickOnce and Golang Backdoors, The Hacker News.
