A new cybersecurity campaign known as OneClik targets energy, oil, and gas organizations by leveraging Microsoft's ClickOnce technology and customized Golang backdoors. Researchers at Trellix report that its tactics align with those of Chinese-affiliated threat actors. OneClik begins with phishing that delivers a .NET loader called OneClikNet, which in turn deploys the RunnerBeacon backdoor. The backdoor relies on AWS cloud-based services to obscure its communications, reflecting a significant shift toward 'living-off-the-land' tactics that evade detection. The campaign abuses ClickOnce applications to execute its code with limited permissions, bypassing traditional defenses.
Although the campaign exhibits characteristics consistent with Chinese-affiliated threat actors, attribution remains cautious, reflecting how complex the current threat landscape has become.
This method reflects a broader shift toward 'living-off-the-land' tactics, allowing attackers to blend malicious operations within cloud and enterprise tooling.