Researchers have uncovered a sophisticated cyber campaign called OneClik that exploits Microsoft ClickOnce technology and cloud services to infiltrate energy sector organizations. The attack employs custom backdoors, cloud-based command and control, and advanced evasion techniques, with suspected links to Chinese threat actors. #OneClik #RunnerBeacon
Key points
- The OneClik campaign uses Microsoft ClickOnce deployment to deliver malicious payloads covertly.
- Attackers leverage legitimate AWS services such as CloudFront, API Gateway, and Lambda to hide C2 communication.
- The Golang-based RunnerBeacon backdoor employs RC4 encryption and MessagePack serialization for stealthy operations.
- Multiple techniques, including AppDomainManager injection and cloud traffic blending, help evade detection.
- While indicators suggest Chinese-linked threat activity, definitive attribution remains cautious.