Current Cyber Threats

OneClik: A ClickOnce-Based APT Campaign Targeting Energy, Oil, and Gas Infrastructure

Summary:
Researchers at Trellix have uncovered details of a campaign, dubbed OneClik, targeting the energy, oil, and gas sectors through highly sophisticated phishing attacks and abuse of ClickOnce, a Microsoft .NET deployment technology that enables users to install and run Windows applications from a web browser or network share. In this case, the actors abuse ClickOnce to deliver malicious applications via deceptive emails that link to fake websites hosting .application files. Once executed, these ClickOnce apps run under the trusted dfsvc.exe process and employ .NET AppDomainManager hijacking to stealthily load attacker-controlled DLLs.

The campaign leverages a modular attack framework across three variants (v1a, BPI-MDM, and v1d), deploying a .NET-based loader called OneClikNet. This loader infects systems by hijacking the .NET AppDomainManager, a technique that makes the runtime load an attacker-controlled DLL when the application starts. It downloads and executes a sophisticated Golang-based backdoor called RunnerBeacon, which communicates with the attacker’s infrastructure through cloud-based services, such as AWS CloudFront and API Gateway. The payloads make use of advanced evasion techniques like in-memory decryption, anti-debugging, and sandbox detection, making detection through traditional methods extremely difficult.
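AppDomainManager hijacking, as described above, works because the .NET runtime honours an AppDomainManager override set either in the application's .config file (the appDomainManagerAssembly and appDomainManagerType elements under runtime) or through the APPDOMAIN_MANAGER_ASM and APPDOMAIN_MANAGER_TYPE environment variables. The following scanner is an added example, not code from the Trellix write-up or from the campaign; the config contents, file names and environment values are constructed for the demonstration, and the check simply reports any such override so an analyst can pull the referenced DLL for review.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample configs (not from the campaign): one benign, one carrying the
# AppDomainManager settings that make the CLR load a custom assembly at startup.
SAMPLE_CONFIGS: Dict[str, str] = {
    "UpdaterClient.exe.config": """<?xml version="1.0"?>
<configuration>
  <startup>
    <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.8" />
  </startup>
</configuration>""",
    "ReportViewer.exe.config": """<?xml version="1.0"?>
<configuration>
  <runtime>
    <appDomainManagerAssembly value="ReportHelper, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <appDomainManagerType value="ReportHelper.Manager" />
  </runtime>
</configuration>""",
}

# Constructed process environment; the same override can be set through these variables.
SAMPLE_ENV: Dict[str, str] = {
    "PATH": r"C:\Windows\System32",
    "APPDOMAIN_MANAGER_ASM": "Helper, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null",
    "APPDOMAIN_MANAGER_TYPE": "Helper.Manager",
}


@dataclass
class Finding:
    source: str        # config file name or "environment"
    assembly: str      # fully qualified assembly name the CLR will try to load
    manager_type: str  # type inside that assembly instantiated as the AppDomainManager

    def expected_dll(self) -> str:
        # The simple name (text before the first comma) is normally resolved to
        # <name>.dll in the application directory; that file is what to collect.
        return self.assembly.split(",", 1)[0].strip() + ".dll"


def scan_config(name: str, xml_text: str) -> Optional[Finding]:
    """Flag a .config whose <runtime> section sets an AppDomainManager."""
    root = ET.fromstring(xml_text)
    runtime = root.find("runtime")
    if runtime is None:
        return None
    asm = runtime.find("appDomainManagerAssembly")
    typ = runtime.find("appDomainManagerType")
    if asm is None and typ is None:
        return None
    return Finding(
        source=name,
        assembly=asm.get("value", "") if asm is not None else "",
        manager_type=typ.get("value", "") if typ is not None else "",
    )


def scan_env(env: Dict[str, str]) -> Optional[Finding]:
    """Flag the environment-variable form of the same override."""
    asm = env.get("APPDOMAIN_MANAGER_ASM", "")
    typ = env.get("APPDOMAIN_MANAGER_TYPE", "")
    if not asm and not typ:
        return None
    return Finding(source="environment", assembly=asm, manager_type=typ)


def scan_all(configs: Dict[str, str], env: Dict[str, str]) -> List[Finding]:
    """Run both checks and return every override found, configs first."""
    findings = [f for f in (scan_config(n, t) for n, t in configs.items()) if f]
    env_finding = scan_env(env)
    if env_finding:
        findings.append(env_finding)
    return findings


if __name__ == "__main__":
    for f in scan_all(SAMPLE_CONFIGS, SAMPLE_ENV):
        print(f"{f.source}: AppDomainManager {f.manager_type!r} loaded from {f.expected_dll()}")
```

In a real sweep the config text would come from every *.exe.config on disk and the environment from the running process; legitimate software rarely sets an AppDomainManager, so each hit is worth a manual look rather than an automatic block.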

Security Officer Comments:
The malware’s payloads evolve across the variants, with each version introducing more sophisticated evasion techniques. For example, in v1d, the malware checks for specific system configurations, such as domain or Azure AD membership and memory size, before execution. Additionally, RunnerBeacon, the final backdoor deployed, uses a modular command-and-control structure, supporting diverse communication methods like HTTP, WebSockets, and even SMB named pipes. It is capable of performing complex tasks such as file operations, port scanning, process enumeration, and remote code execution.

The campaign's infrastructure is cleverly obfuscated by using legitimate cloud services, making it difficult for defenders to distinguish malicious traffic from benign cloud usage. The campaign’s use of these cloud services, along with its evolving payload delivery techniques, reflects a trend towards more stealthy, long-term persistence efforts by cyber actors targeting critical infrastructure.

Suggested Corrections:
Organizations should harden email gateways against phishing and inspect for .application files and other ClickOnce-related attachments and links. It is also advisable to block or restrict the use of Microsoft ClickOnce deployments and to monitor for unusual behavior from trusted processes like dfsvc.exe.
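The monitoring step above can be expressed as a few process-creation rules. The code below is an added example, not part of the Trellix report or of any product: the events are constructed in the shape of Sysmon Event ID 1 records, and the heuristics (dfsvc.exe started by a browser or mail client, an executable running from the per-user ClickOnce cache under AppData\Local\Apps\2.0, a .application URL on a command line, and a ClickOnce-cached app spawning a shell) are assumptions chosen to mirror the delivery chain described on this page. The browser and shell name lists are illustrative, not exhaustive.

```python
import ntpath
from typing import Dict, List, Tuple

# Constructed path of an app installed into the ClickOnce cache (not a real sample).
CACHE_APP = (r"C:\Users\alice\AppData\Local\Apps\2.0\K1B2C3D4.E5F\G6H7I8J9.K0L"
             r"\docu..tion_0000000000000000_0001.0000_abcdef012345\DocumentViewer.exe")
DFSVC = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"

# Constructed process-creation events (Sysmon Event ID 1 style fields). The first
# three mirror the chain the page describes; the last one is benign filler.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"Image": DFSVC,
     "ParentImage": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "CommandLine": DFSVC},
    {"Image": CACHE_APP,
     "ParentImage": DFSVC,
     "CommandLine": r"DocumentViewer.exe https://portal.example.invalid/DocumentViewer.application"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": CACHE_APP,
     "CommandLine": r"cmd.exe /c hostname"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"notepad.exe C:\Users\alice\notes.txt"},
]

# Heuristic constants (assumptions for this example, extend to fit your estate).
CLICKONCE_CACHE = "\\appdata\\local\\apps\\2.0\\"
USER_FACING_PARENTS = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "rundll32.exe", "mshta.exe",
          "wscript.exe", "cscript.exe"}


def base(path: str) -> str:
    """Lower-cased file name of a Windows path, independent of the host OS."""
    return ntpath.basename(path).lower()


def classify(event: Dict[str, str]) -> List[str]:
    """Return the names of every rule the event matches (empty list if none)."""
    image = event.get("Image", "")
    parent = event.get("ParentImage", "")
    cmd = event.get("CommandLine", "").lower()
    hits: List[str] = []
    # ClickOnce deployment service started straight from a browser or mail client.
    if base(image) == "dfsvc.exe" and base(parent) in USER_FACING_PARENTS:
        hits.append("clickonce_launch_from_browser_or_mail")
    # Anything executing out of the per-user ClickOnce cache.
    if CLICKONCE_CACHE in image.lower():
        hits.append("exec_from_clickonce_cache")
    # A .application manifest fetched over HTTP(S) named on a command line.
    if ".application" in cmd and "http" in cmd:
        hits.append("application_manifest_url_in_cmdline")
    # A ClickOnce-cached app spawning a shell or script host.
    if CLICKONCE_CACHE in parent.lower() and base(image) in SHELLS:
        hits.append("clickonce_app_spawned_shell")
    return hits


def detect(events: List[Dict[str, str]]) -> List[Tuple[int, List[str]]]:
    """Pair each matching event index with the rules it triggered."""
    results = []
    for idx, event in enumerate(events):
        hits = classify(event)
        if hits:
            results.append((idx, hits))
    return results


if __name__ == "__main__":
    for idx, hits in detect(SAMPLE_EVENTS):
        print(f"event {idx}: {base(SAMPLE_EVENTS[idx]['Image'])} -> {', '.join(hits)}")
```

Where ClickOnce is legitimately used, the first two rules will fire on normal activity and belong in a correlation (for example, cache execution followed by a shell child) rather than in a standalone alert; where the page's advice to block ClickOnce is followed, any hit is already noteworthy.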

Link(s):
https://www.trellix.com/blogs/resea...-targeting-energy-oil-and-gas-infrastructure/