
Hackers Exploit Microsoft ClickOnce & AWS for Stealth Attacks

Summary

– The OneClik campaign targets energy, oil, and gas sectors using Microsoft’s ClickOnce tool and custom Golang backdoors to deploy malware.
– Attackers abuse AWS cloud services (CloudFront, API Gateway, Lambda) to hide command-and-control infrastructure within normal cloud traffic.
– The campaign employs advanced evasion techniques, including .NET AppDomainManager injection and sandbox evasion, to avoid detection.
– A Golang-based backdoor called RunnerBeacon enables shell commands, file operations, and SOCKS5 tunneling, resembling modified Geacon variants.
– While tactics suggest links to Chinese threat actors, researchers refrain from definitive attribution due to insufficient evidence.

A stealthy cyberattack campaign dubbed OneClik is exploiting Microsoft’s ClickOnce technology alongside custom-built Golang malware to infiltrate energy sector organizations while masking its activities within legitimate AWS cloud traffic. Security analysts have uncovered this sophisticated operation that blends trusted software tools with malicious payloads to bypass traditional security measures.

The attackers initiate their campaign through carefully crafted phishing emails containing links to fraudulent websites hosted on Microsoft Azure. These sites distribute malicious ClickOnce application files disguised as legitimate hardware analysis tools. Microsoft ClickOnce, designed for seamless software updates, provides the perfect delivery mechanism since it operates without triggering User Account Control (UAC) prompts, allowing malware to execute under the radar.

Trellix security researchers identified three distinct variants of this campaign, all deploying a powerful Golang backdoor named RunnerBeacon through a .NET loader called OneClikNet. Each iteration shows increasing sophistication, incorporating advanced command-and-control obfuscation, anti-analysis techniques, and sandbox evasion capabilities.

The infection process begins when the ClickOnce loader manipulates .NET’s assembly loading mechanism through AppDomainManager injection. This allows the attackers to hijack legitimate executables like ZSATray.exe or umt.exe to load malicious components instead of their normal dependencies. By running through the trusted Deployment Service (dfsvc.exe), the malware blends seamlessly with normal ClickOnce operations.
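A defender-side check for the AppDomainManager injection step described above, added here as an example; it is not code from Trellix or the article. It assumes the generic mechanism behind the technique: a .NET host's `<name>.exe.config` (or the `APPDOMAIN_MANAGER_ASM` / `APPDOMAIN_MANAGER_TYPE` environment variables) names an assembly that the runtime loads before the program's own code runs. The article does not say which of these OneClik used, so both are checked; the sample configs, the `ExampleLoader` name and the paths mentioned in comments are constructed.

```python
"""Hunt for .NET AppDomainManager overrides in application config files.

Added defensive example, not code from Trellix or the article. It assumes the
generic AppDomainManager injection mechanism: a .NET host's <name>.exe.config
(or the APPDOMAIN_MANAGER_ASM / APPDOMAIN_MANAGER_TYPE environment variables)
names an assembly that the runtime loads before Main(). Legitimate software
almost never sets these, so their presence next to a signed host binary is a
strong hunting signal.
"""
import os
import sys
import xml.etree.ElementTree as ET

# <configuration><runtime> children that redirect the AppDomainManager.
SUSPECT_ELEMENTS = ("appDomainManagerAssembly", "appDomainManagerType")
# Environment variables with the same effect for any .NET Framework process.
SUSPECT_ENV = ("APPDOMAIN_MANAGER_ASM", "APPDOMAIN_MANAGER_TYPE")


def _local(tag: str) -> str:
    """Strip an XML namespace prefix such as {urn:...}name -> name."""
    return tag.rsplit("}", 1)[-1]


def find_appdomain_manager(config_xml: str) -> dict:
    """Return {element: value} for AppDomainManager overrides in an app.config
    document, or {} if there are none (or the XML does not parse)."""
    try:
        root = ET.fromstring(config_xml)
    except ET.ParseError:
        return {}
    found = {}
    for elem in root.iter():
        if _local(elem.tag) != "runtime":
            continue
        for child in elem:
            name = _local(child.tag)
            if name in SUSPECT_ELEMENTS:
                found[name] = child.get("value", "")
    return found


def suspect_env(environ) -> dict:
    """Return any AppDomainManager-related variables present in a process
    environment mapping (e.g. os.environ or a dump from an EDR event)."""
    return {k: environ[k] for k in SUSPECT_ENV if k in environ}


def scan_tree(root_dir: str):
    """Yield (path, findings) for every *.config under root_dir that
    carries an AppDomainManager override."""
    for dirpath, _dirs, files in os.walk(root_dir):
        for fname in files:
            if not fname.lower().endswith(".config"):
                continue
            path = os.path.join(dirpath, fname)
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    findings = find_appdomain_manager(fh.read())
            except OSError:
                continue
            if findings:
                yield path, findings


# Constructed samples (not real OneClik artefacts): a benign config and one
# that redirects the AppDomainManager to a hypothetical "ExampleLoader" DLL.
BENIGN_CONFIG = """<?xml version="1.0"?>
<configuration>
  <startup><supportedRuntime version="v4.0" /></startup>
  <runtime>
    <gcServer enabled="true" />
  </runtime>
</configuration>"""

INJECTED_CONFIG = """<?xml version="1.0"?>
<configuration>
  <runtime>
    <appDomainManagerAssembly value="ExampleLoader, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <appDomainManagerType value="ExampleLoader.Manager" />
  </runtime>
</configuration>"""


if __name__ == "__main__":
    # Scan a directory given on the command line (for ClickOnce deployments the
    # per-user cache under %LOCALAPPDATA%\Apps\2.0 is a natural starting point)
    # and then the current process environment.
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, findings in scan_tree(target):
        print(f"[!] {path}: {findings}")
    for var, val in suspect_env(os.environ).items():
        print(f"[!] environment override {var}={val}")
```

A hit is not proof of compromise on its own: the next step is to resolve the named assembly on disk, check whether it is signed, and compare it against the host's normal dependencies. Pairing the file scan with process telemetry (a .NET host such as the ones named above spawned by dfsvc.exe) narrows the result to the ClickOnce-delivered case the article describes.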

What makes this campaign particularly dangerous is its abuse of AWS services including CloudFront, API Gateway, and Lambda functions to conceal command-and-control communications. The malware’s traffic appears identical to normal cloud service usage, making detection exceptionally challenging without deep packet inspection or impractical domain blocking measures.

The RunnerBeacon backdoor shows advanced features, including encrypted communications secured with the RC4 cipher and MessagePack serialization. Its operational footprint points to possible ties with Chinese state-backed groups, echoing techniques and cloud abuse seen in earlier incidents.

Still, researchers caution that clear attribution remains challenging. By blending legitimate software with custom malware, the campaign raises the bar for stealth, posing a serious risk to critical infrastructure. Trellix’s detailed technical breakdown includes indicators of compromise that security teams should watch closely to spot signs of infection.

(Source: BLEEPING COMPUTER)


The Wiz

Wiz Consults, home of the Internet is led by "the twins", Wajdi & Karim, experienced professionals who are passionate about helping businesses succeed in the digital world. With over 20 years of experience in the industry, they specialize in digital publishing and marketing, and have a proven track record of delivering results for their clients.
