A new cyberattack campaign named OneClik has been discovered, and it is mainly targeting companies in the energy, oil, and gas industries. This attack is very sneaky and smart because it uses trusted tools like Microsoft ClickOnce and cloud services from Amazon to avoid being noticed. Security researchers from Trellix have been tracking this threat and have shared full details about how it works.

The attack usually begins with a phishing email. The victim gets a message that includes a link to what looks like a hardware diagnostic website. This website is hosted on Microsoft Azure, which makes it look trustworthy. When the user clicks on the link, a file is downloaded automatically. That file uses Microsoft’s ClickOnce technology, which is normally used to install safe applications on Windows.

Because the ClickOnce file runs using a trusted Microsoft process called dfsvc.exe, it doesn’t trigger any warnings or ask for permission. That makes it easy for the malware to start running without the user realizing anything unusual is happening. Once the file runs, it loads another program called OneClikNet, which is written in .NET. This program hijacks the normal way .NET apps load and instead runs a harmful file while pretending to be a normal application.

This harmful file is actually a custom backdoor called RunnerBeacon. It’s written in the Go programming language and connects the infected device to a command-and-control server that the hackers control. What’s interesting is that the server is hosted on Amazon’s cloud platforms like CloudFront, API Gateway, and Lambda. Because these are common and trusted cloud services, the malware’s network traffic doesn’t raise alarms.

RunnerBeacon allows the attackers to do many things on the infected computer. They can run commands, look at which programs are running, upload or download files, scan the network, and even set up a tunnel to send stolen data secretly. All communication between the malware and the attackers' server is serialized with MessagePack and encrypted with RC4, which makes it harder to detect.

Researchers have discovered three different versions of this malware: v1a, BPI-MDM, and v1d. The v1a version hides itself by turning off Windows logging and hiding the console window. The BPI-MDM version adds a check to see if the program is being monitored or debugged and will shut down if it detects that. The latest version, v1d, can check if it’s running in a virtual machine or sandbox, and it deletes its own configuration data after running to make it harder to trace.

Even though the researchers haven’t been able to confirm who is behind this campaign, some of the techniques used are similar to those seen in attacks linked to Chinese state-sponsored groups. There are signs that this campaign has been active since at least September 2023, especially in the Middle East, which shows it could be part of a long-term spying operation.

This attack is serious because it uses trusted software and services in a way that makes it very hard to detect. Microsoft ClickOnce is normally used for simple app installs, and AWS cloud services are widely used by businesses, so traffic from these tools usually doesn’t seem suspicious. That gives the hackers a big advantage.

To defend against attacks like OneClik, experts recommend disabling ClickOnce if it isn’t needed, watching for strange network traffic going to cloud services, and using advanced security tools that can spot unusual behavior in apps. Basic antivirus software may not be enough because this malware hides itself so well.
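As an added example (not code from the article or from Trellix), the following Python applies the "watch for strange traffic to cloud services" advice to constructed Sysmon-style events: it flags a process that dfsvc.exe launched and that then connects to the AWS edge services the article names. The event layout, host names and file paths are constructed assumptions, not indicators from the campaign.

```python
import re

# Constructed sample events modelled on Sysmon Event ID 1 (process create)
# and Event ID 3 (network connect). Paths and hosts are made up for the demo.
SAMPLE_EVENTS = [
    {"id": 1, "pid": 4100, "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe",
     "parent_image": r"C:\Program Files\Mozilla Firefox\firefox.exe"},
    {"id": 1, "pid": 4188, "image": r"C:\Users\alice\AppData\Local\Apps\2.0\XYZ\HWDiag.exe",
     "parent_image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"},
    {"id": 3, "pid": 4188, "dest_host": "d1example.cloudfront.net", "dest_port": 443},
    {"id": 1, "pid": 5000, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
    # Browser traffic to CloudFront is normal and must not be flagged on its own.
    {"id": 3, "pid": 5000, "dest_host": "d2example.cloudfront.net", "dest_port": 443},
]

# Public AWS front-end hostnames for the three services named in the article:
# CloudFront distributions, API Gateway endpoints and Lambda function URLs.
AWS_EDGE_RE = re.compile(
    r"(\.cloudfront\.net|\.execute-api\.[\w-]+\.amazonaws\.com|\.lambda-url\.[\w-]+\.on\.aws)$",
    re.IGNORECASE,
)


def find_clickonce_chains(events):
    """Return one alert per process that dfsvc.exe spawned and that then
    connected to an AWS edge service.

    Heuristic only: legitimate ClickOnce apps that talk to AWS exist, so treat
    hits as triage leads and baseline against the ClickOnce deployments your
    organisation actually uses. Events are assumed to be in time order.
    """
    spawned_by_dfsvc = {}  # pid -> image path of the ClickOnce-launched process
    alerts = []
    for ev in events:
        if ev["id"] == 1 and ev["parent_image"].lower().endswith("\\dfsvc.exe"):
            spawned_by_dfsvc[ev["pid"]] = ev["image"]
        elif ev["id"] == 3 and ev["pid"] in spawned_by_dfsvc:
            if AWS_EDGE_RE.search(ev["dest_host"]):
                alerts.append({
                    "rule": "clickonce_child_to_aws_edge",
                    "pid": ev["pid"],
                    "image": spawned_by_dfsvc[ev["pid"]],
                    "dest_host": ev["dest_host"],
                    "dest_port": ev["dest_port"],
                })
    return alerts


if __name__ == "__main__":
    for alert in find_clickonce_chains(SAMPLE_EVENTS):
        print(alert)
```

Feeding real Sysmon data requires mapping its ParentImage, Image, ProcessId and DestinationHostname fields onto the keys used here.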

OneClik is a reminder that cyberattacks don’t always use flashy methods. Instead, they often rely on blending in and hiding behind trusted tools. That’s why staying alert and using strong security practices is more important than ever.

Stay alert, and keep your security measures updated!

Source: Follow cybersecurity88 on X and LinkedIn for the latest cybersecurity news