New Cyber Threat: OneClik Campaign Exploiting ClickOnce Technology
In recent cybersecurity discussions, the OneClik campaign has emerged as a significant threat, especially targeting organizations in the energy, oil, and gas sectors. This campaign makes use of Microsoft’s ClickOnce deployment technology, paired with custom-built Golang backdoors, to launch attacks. Cybersecurity experts from Trellix, Nico Paulo Yturriaga and Pham Duy Phuc, provide insights into these tactics, suggesting links to Chinese-affiliated threat actors, though they caution that attribution remains tentative.
The Mechanics of OneClik
Phishing Tactics and Initial Compromise
At the heart of the OneClik campaign lies a sophisticated approach to phishing. Attackers employ a .NET-based loader named OneClikNet to execute a Go-based backdoor referred to as RunnerBeacon. This backdoor communicates with infrastructure carefully obscured through Amazon Web Services (AWS), making detection challenging. The campaign often starts with phishing emails that direct victims to counterfeit hardware analysis websites. These sites then serve ClickOnce applications that execute malicious code via a trusted Windows binary known as "dfsvc.exe."
Exploiting ClickOnce Technology
Introduced with .NET Framework 2.0, ClickOnce facilitates the installation and updating of Windows applications with minimal user interaction. While this feature can simplify software deployment for legitimate users, it also presents an attractive avenue for cybercriminals aiming to execute malicious payloads without raising suspicions. As highlighted by the MITRE ATT&CK framework, ClickOnce applications can run code without needing elevated permissions, allowing adversaries to sidestep traditional security measures.
Execution of the Attack
Malicious Payload Delivery
Once a victim clicks on the provided link, the ClickOnce application initiates and executes encrypted shellcode in memory, enabling the deployment of the RunnerBeacon backdoor. This backdoor is versatile, capable of communicating with a command-and-control (C2) server over various protocols, including HTTP(S), WebSockets, and even SMB named pipes. The attacker can then perform a range of operations, from file handling to process management and privilege escalation.
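The chain described above (ClickOnce application started by the trusted dfsvc.exe, which then runs further code) leaves a recognisable shape in process-creation telemetry. The following is an added example, not code from the article or from Trellix: a small triage routine run over constructed Sysmon-style process-creation events. The heuristics (parent is dfsvc.exe, image runs from the ClickOnce cache under AppData\Local\Apps\2.0, a ClickOnce app spawning an interpreter or LOLBin) and the sample paths are assumptions, not indicators from the campaign.

```python
"""Triage process-creation events for ClickOnce-style execution.

Heuristics (assumed, not taken from the article):
  * a process whose parent is dfsvc.exe, the ClickOnce deployment service
  * an image running from the ClickOnce application cache (Apps\\2.0)
  * a ClickOnce-cached app that spawns an interpreter or LOLBin
"""
import re
from dataclasses import dataclass

# Path fragment of the per-user ClickOnce application cache (assumed layout).
CLICKONCE_CACHE = re.compile(r"\\AppData\\Local\\Apps\\2\.0\\", re.IGNORECASE)
SUSPICIOUS_CHILDREN = {"powershell.exe", "cmd.exe", "rundll32.exe", "regsvr32.exe"}


@dataclass
class ProcEvent:
    pid: int
    image: str
    parent_image: str
    command_line: str


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(ev: ProcEvent) -> list[str]:
    """Return the list of heuristics that fire for one event (empty if none)."""
    reasons = []
    if basename(ev.parent_image) == "dfsvc.exe":
        reasons.append("spawned by dfsvc.exe (ClickOnce deployment service)")
    if CLICKONCE_CACHE.search(ev.image):
        reasons.append("image runs from the ClickOnce application cache")
    if basename(ev.image) in SUSPICIOUS_CHILDREN and CLICKONCE_CACHE.search(ev.parent_image):
        reasons.append("ClickOnce-cached app launched an interpreter/LOLBin")
    return reasons


def triage(events: list[ProcEvent]) -> dict[int, list[str]]:
    """Map pid -> reasons for every event that fires at least one heuristic."""
    return {ev.pid: r for ev in events if (r := score_event(ev))}


# Constructed sample telemetry; hypothetical paths, not real IoCs.
CACHE_APP = r"C:\Users\u\AppData\Local\Apps\2.0\AAAA\BBBB\hard..tion_0000\HardwareScan.exe"
SAMPLE = [
    ProcEvent(100, r"C:\Windows\explorer.exe", r"C:\Windows\System32\userinit.exe", "explorer.exe"),
    ProcEvent(200, CACHE_APP, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe", "HardwareScan.exe"),
    ProcEvent(300, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", CACHE_APP, "powershell.exe -File scan.ps1"),
    ProcEvent(400, r"C:\Program Files\Vendor\Tool.exe", r"C:\Windows\explorer.exe", "Tool.exe"),
]

if __name__ == "__main__":
    for pid, reasons in triage(SAMPLE).items():
        print(pid, "; ".join(reasons))
```

Legitimate ClickOnce deployments will also match the first two heuristics, so the output is a review queue to be baselined against known applications, not an alert on its own.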
Inherent Evasion Techniques
The RunnerBeacon backdoor is built with anti-analysis features to thwart detection measures. It is also equipped with network capabilities such as port scanning and SOCKS5 proxying for routing traffic. Trellix researchers note that the architecture of RunnerBeacon bears similarities to known Go-based Cobalt Strike beacons, indicating that it may represent a modified version of existing tools used by cybercriminals.
Evolving Tactics and Variants
Recent observations show multiple iterations of OneClik, including variants like v1a, BPI-MDM, and v1d. Each version exhibits enhanced capabilities designed to remain undetected. Notably, a variant of RunnerBeacon was identified within an organization in the Middle East’s oil and gas sector in September 2023. While techniques such as AppDomainManager injection have previously been associated with Chinese and North Korean threat actors, there is no formal attribution to any specific group regarding these attacks.
Related Threat Campaigns
Adding to the concern surrounding the OneClik campaign, the Chinese cybersecurity firm QiAnXin has reported on another threat actor, designated as APT-Q-14, employing ClickOnce applications to disseminate malware via an exploited cross-site scripting (XSS) vulnerability in a specific email platform. This method has been noted to trigger automatically when a victim interacts with a phishing email, leading to the download of the malicious ClickOnce app.
Broader Cybersecurity Landscape
APT-Q-14, believed to have connections to Northeast Asia, shares affiliations with other clusters including APT-Q-12 and APT-Q-15, both of which are considered part of the DarkHotel group. Recent insights reveal that other methodologies, such as the "Bring Your Own Vulnerable Driver" (BYOVD) technique, have been employed to subvert antivirus protections and deploy malware.
As cyber threats evolve, so do the tactics employed by attackers. It’s essential for organizations to stay vigilant and maintain updated security protocols to defend against such sophisticated campaigns.