A sophisticated cyber espionage campaign, dubbed OneClik, has been identified targeting the energy, oil, and gas industries. This operation leverages Microsoft’s ClickOnce deployment technology and custom Golang-based backdoors to infiltrate and persist within critical infrastructure systems.
Campaign Overview
The OneClik campaign employs a multi-stage attack strategy:
1. Phishing Initiation: Attackers distribute emails containing links to counterfeit hardware analysis websites. These sites prompt users to download a ClickOnce application, initiating the infection process.
2. ClickOnce Abuse: ClickOnce is Microsoft's .NET framework for installing and updating applications from a URL. The attackers do not exploit a vulnerability in it; they use it as designed. A ClickOnce application installs per user without administrative rights, and the deployed executable is started by the Deployment Service (dfsvc.exe), a signed Microsoft binary, so the launch looks like a routine, trusted install rather than an unknown program being run from a download.
3. Malware Deployment: The ClickOnce application loads a .NET-based loader, OneClikNet, through .NET AppDomainManager hijacking: the application's configuration names a loader assembly that the CLR loads and instantiates before the program's own entry point runs. The loader decrypts AES-encrypted shellcode in memory and executes it, and that shellcode stages the RunnerBeacon backdoor, a Golang implant.
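The AppDomainManager hook that the loader stage relies on is a documented .NET Framework feature: an application's `<app>.exe.config` can name an AppDomainManager assembly and type under `<runtime>`, and the same hook exists as the environment variables `APPDOMAIN_MANAGER_ASM` and `APPDOMAIN_MANAGER_TYPE`. The script below is an added example written for this article, not code from the OneClik report or from the OneClikNet loader: it parses config files and environment blocks for that hook and explains why each hit deserves review. The config samples, the assembly name `HwReport`, and the scan path are constructed for the example.

```python
"""Flag .NET AppDomainManager overrides in <app>.exe.config files and environments.

Added example, not from the OneClik report: it relies only on the documented
.NET Framework behaviour that <runtime>/<appDomainManagerAssembly> and
<appDomainManagerType> (or the APPDOMAIN_MANAGER_ASM/_TYPE environment
variables) make the CLR load and instantiate a manager class before Main().
A loader that ships a ClickOnce app with such a config and a same-named DLL
beside it gets code execution under a signed, user-level process.
"""
import os
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import Dict, List, Optional

ENV_HOOKS = ("APPDOMAIN_MANAGER_ASM", "APPDOMAIN_MANAGER_TYPE")


@dataclass
class Finding:
    source: str                 # "config" or "env"
    assembly: str
    type_name: str
    reasons: List[str] = field(default_factory=list)


def _why_suspicious(asm: str, typ: str) -> List[str]:
    reasons = ["AppDomainManager override present (rare outside dev/hosting tooling)"]
    if not asm or not typ:
        reasons.append("assembly and type are not both set")
    # PublicKeyToken=null means the assembly is unsigned, so it cannot come from
    # the GAC and must be resolved from the application's own directory.
    if "publickeytoken=null" in asm.replace(" ", "").lower():
        reasons.append("assembly is unsigned (PublicKeyToken=null)")
    return reasons


def parse_appdomain_manager(config_xml: str) -> Optional[Finding]:
    """Return a Finding if the config sets an AppDomainManager, else None."""
    root = ET.fromstring(config_xml)
    runtime = root.find("runtime")
    if runtime is None:
        return None
    asm = typ = ""
    for child in runtime:
        tag = child.tag.lower()          # compare case-insensitively
        if tag == "appdomainmanagerassembly":
            asm = (child.get("value") or "").strip()   # CLR reads the "value" attribute
        elif tag == "appdomainmanagertype":
            typ = (child.get("value") or "").strip()
    if not asm and not typ:
        return None
    return Finding("config", asm, typ, _why_suspicious(asm, typ))


def check_environment(env: Dict[str, str]) -> Optional[Finding]:
    """Same check for the environment-variable form of the hook."""
    asm, typ = env.get(ENV_HOOKS[0], ""), env.get(ENV_HOOKS[1], "")
    if not asm and not typ:
        return None
    return Finding("env", asm, typ, _why_suspicious(asm, typ))


def scan_directory(path: str) -> List[tuple]:
    """Walk a tree (e.g. %LOCALAPPDATA%\\Apps\\2.0, the ClickOnce cache) for hits."""
    hits = []
    for dirpath, _, files in os.walk(path):
        for name in files:
            if not name.lower().endswith(".config"):
                continue
            full = os.path.join(dirpath, name)
            try:
                with open(full, "r", encoding="utf-8-sig") as fh:
                    finding = parse_appdomain_manager(fh.read())
            except (OSError, ET.ParseError):
                continue
            if finding:
                hits.append((full, finding))
    return hits


# Constructed samples for the example (not real OneClik artifacts).
HIJACK_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <runtime>
    <appDomainManagerAssembly value="HwReport, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <appDomainManagerType value="HwReport.Manager" />
  </runtime>
</configuration>"""

BENIGN_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <startup>
    <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.8" />
  </startup>
</configuration>"""

if __name__ == "__main__":
    for label, cfg in (("hijack", HIJACK_CONFIG), ("benign", BENIGN_CONFIG)):
        print(label, parse_appdomain_manager(cfg))
    print(check_environment({"APPDOMAIN_MANAGER_ASM": "HwReport"}))
    print(scan_directory(os.path.expandvars(r"%LOCALAPPDATA%\Apps\2.0")))
```

Legitimate hosts do occasionally set an AppDomainManager, so the output is a review list rather than a verdict; the combination that matters here is an override inside the ClickOnce cache pointing at an unsigned assembly that sits next to the executable.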
Technical Details
The RunnerBeacon backdoor is engineered for stealth and versatility:
– Command and Control (C2): It communicates with attacker-controlled servers over several interchangeable transports, including HTTP(S), WebSockets, raw TCP, and SMB named pipes, so a detection keyed to a single protocol will miss the others.
– Capabilities: RunnerBeacon can perform file operations, process enumeration and termination, shell command execution, privilege escalation through token theft and impersonation, and lateral movement within networks.
– Anti-Analysis Features: The malware incorporates techniques to evade detection, such as anti-debugging loops and sandbox detection mechanisms.
Infrastructure and Attribution
The campaign’s infrastructure is notable for its use of legitimate cloud services:
– AWS Integration: Command-and-control endpoints are hosted on Amazon Web Services (AWS). Beacons therefore resolve to and connect with AWS-owned domains and address ranges that most organisations cannot block wholesale, so the malicious traffic blends with legitimate use of the same provider and complicates detection.
Attribution remains tentative, but the tradecraft overlaps with that of known Chinese-affiliated threat actors: .NET AppDomainManager hijacking, AES-encrypted shellcode, and staging of infrastructure on public cloud services.
Implications and Recommendations
The OneClik campaign fits a broader trend of attackers riding on legitimate software and cloud services rather than deploying obviously malicious tooling, an approach closely related to living off the land. Each stage here uses something the environment already trusts: a Microsoft deployment framework, a signed system binary, and AWS-hosted endpoints. Signature- and reputation-based controls therefore have little to key on, and detection has to come from behaviour and context instead.
To mitigate such threats, organizations, especially within the energy sector, should:
– Enhance Email Security: Implement advanced phishing detection and user training programs to reduce the risk of initial compromise, and treat links to .application manifests and unexpected ClickOnce install prompts as phishing indicators in that training.
– Monitor Application Deployments: Inventory ClickOnce usage, in particular the per-user cache under %LOCALAPPDATA%\Apps\2.0 and processes started by dfsvc.exe, review any application configuration that names an AppDomainManager, and use the ClickOnce trust prompt policy (the per-zone PromptingLevel setting) to require Authenticode-signed manifests or to disable installs from the Internet zone where the business does not need them.
– Cloud Traffic Analysis: Because the C2 here sits behind AWS, blocking the provider is not an option. Baseline which AWS endpoints each host normally talks to and alert on long-lived or periodic connections to unfamiliar ones, including WebSocket upgrades and raw TCP sessions from hosts with no business reason to reach them.
– Regular Security Audits: Conduct frequent assessments to identify and remediate weaknesses such campaigns exploit, including whether endpoints can still install ClickOnce applications from Internet-zone URLs and whether endpoint telemetry records process ancestry and named-pipe creation well enough to reconstruct a chain like the one above.
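Turning the "monitor application deployments" recommendation into a concrete check: the triage logic below is an added example written for this article, not code from the OneClik report or Trellix. It encodes three facts about ClickOnce that hold regardless of the campaign: a .application manifest is handed to `rundll32.exe dfshim.dll,ShOpenVerbApplication <url>`, the Deployment Service dfsvc.exe then starts the deployed executable, and that executable runs from the per-user cache under %LOCALAPPDATA%\Apps\2.0. The Sysmon-style event records, the host `hw-analysis.example`, the executable name `HwReport.exe`, and the approved-host list are all constructed for the example.

```python
"""Triage process-creation telemetry for ClickOnce-launched code.

Added example, not from the OneClik report. Rules:
  1. rundll32 opening a .application manifest from a host we do not deploy from
  2. anything started by dfsvc.exe (a ClickOnce-deployed program)
  3. an image running from the ClickOnce cache, and a cached app spawning a shell
"""
import re
from typing import Dict, Iterable, List
from urllib.parse import urlparse

# Assumption: deployment hosts the organisation actually publishes ClickOnce apps from.
APPROVED_DEPLOY_HOSTS = {"apps.corp.example"}

# Per-user ClickOnce cache (the regex matches literal backslashes).
CLICKONCE_CACHE = re.compile(r"\\appdata\\local\\apps\\2\.0\\", re.IGNORECASE)
# File association for .application: "...\dfshim.dll",ShOpenVerbApplication <url>
SHOPENVERB = re.compile(r'dfshim\.dll"?\s*,\s*ShOpenVerbApplication\s+(\S+)', re.IGNORECASE)
SHELLS = {"cmd.exe", "powershell.exe", "rundll32.exe", "regsvr32.exe", "mshta.exe"}


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage_event(ev: Dict[str, str]) -> List[str]:
    """Return the rule names an event trips (empty list = nothing notable)."""
    hits: List[str] = []
    image, parent, cmd = ev.get("Image", ""), ev.get("ParentImage", ""), ev.get("CommandLine", "")

    # Rule 1: manifest opened from a URL whose host is not one of ours.
    if _basename(image) == "rundll32.exe":
        m = SHOPENVERB.search(cmd)
        if m:
            host = (urlparse(m.group(1).strip('"')).hostname or "").lower()
            if host not in APPROVED_DEPLOY_HOSTS:
                hits.append(f"clickonce_manifest_from_unapproved_host:{host}")

    # Rule 2: dfsvc.exe only ever starts ClickOnce-deployed programs.
    if _basename(parent) == "dfsvc.exe":
        hits.append("spawned_by_dfsvc")

    # Rule 3: running out of the cache, and a cached app launching a shell/LOLBin.
    if CLICKONCE_CACHE.search(image):
        hits.append("image_in_clickonce_cache")
    if CLICKONCE_CACHE.search(parent) and _basename(image) in SHELLS:
        hits.append("clickonce_app_spawned_shell")
    return hits


def triage(events: Iterable[Dict[str, str]]) -> List[Dict[str, object]]:
    out = []
    for ev in events:
        rules = triage_event(ev)
        if rules:
            out.append({"pid": ev.get("ProcessId"), "image": ev.get("Image"), "rules": rules})
    return out


# Constructed Sysmon-style (Event ID 1) records; not real campaign data.
_CACHE_EXE = (r"C:\Users\jdoe\AppData\Local\Apps\2.0\ABCD1234.EFG\HIJK5678.LMN"
              r"\hwre..tion_0000000000000000_0001.0000_abcdef0123456789\HwReport.exe")
_DFSVC = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"
SAMPLE_EVENTS = [
    {"ProcessId": "4120", "Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "CommandLine": r'"C:\Windows\System32\rundll32.exe" "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfshim.dll",ShOpenVerbApplication https://hw-analysis.example/report.application'},
    {"ProcessId": "4188", "Image": _DFSVC, "ParentImage": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": _DFSVC},
    {"ProcessId": "4212", "Image": _CACHE_EXE, "ParentImage": _DFSVC,
     "CommandLine": '"' + _CACHE_EXE + '"'},
    {"ProcessId": "4300", "Image": r"C:\Windows\System32\cmd.exe", "ParentImage": _CACHE_EXE,
     "CommandLine": r"cmd.exe /c whoami"},
    {"ProcessId": "5000", "Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"rundll32.exe dfshim.dll,ShOpenVerbApplication https://apps.corp.example/tools/inventory.application"},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit)
```

Rule 2 on its own is noisy in a shop that legitimately uses ClickOnce; the value is in the chain: a manifest fetched from an unapproved host, followed by a dfsvc.exe child in the cache, followed by that child spawning a shell. Feed the same events through in order and correlate on the process tree rather than alerting on each rule separately.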
By adopting these measures, organizations can bolster their defenses against evolving cyber threats that exploit legitimate technologies for malicious purposes.