OneClik APT campaign targets energy sector with stealthy backdoors
Trellix cybersecurity researchers uncovered a new APT malware campaign, OneClik, targeting the energy, oil, and gas sectors. It abuses Microsoft’s ClickOnce deployment technology and custom Golang backdoors. While links to China-affiliated actors are suspected, attribution remains cautious.
Threat actors behind the campaign use stealthy “living off the land” tactics and cloud services to evade detection. They deploy Golang backdoors via .NET loaders that abuse Microsoft ClickOnce, and the campaign shows a progressive evolution in evasion techniques, including anti-debugging and sandbox detection. Command-and-control communication is hidden behind AWS services, making network-based detection highly challenging.
“This stealthy operation unfolds across three distinct variants (v1a, BPI-MDM, and v1d), each using a .NET-based loader (“OneClikNet”) to deploy a sophisticated Go-language backdoor (“RunnerBeacon”) that communicates with threat actor infrastructure hidden behind legitimate AWS cloud services [3] (CloudFront, API Gateway, Lambda).” reads the report published by Trellix. “This makes network-based detection nearly impossible without decryption or deep behavioral analysis.”
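The two points above (ClickOnce as the delivery vehicle, AWS front-door services as the C2 channel) suggest a host-side correlation that does not depend on decrypting traffic: flag processes that descend from the ClickOnce deployment host and then talk to CloudFront, API Gateway or Lambda URL domains. The script below is an added example, not code from Trellix or Security Affairs. It assumes EDR-style events with the fields shown, relies on the general Windows fact that `dfsvc.exe` is the ClickOnce host process, and runs over constructed sample events rather than real telemetry.

```python
"""Correlate ClickOnce-launched processes with egress to AWS edge/API domains.

Added example. Event shape (type, pid, ppid, image, parent_image, dest_host) is
an assumption; the sample events are constructed, not captured from an incident.
"""
import re

# dfsvc.exe is the Windows ClickOnce deployment host (general Windows knowledge,
# not taken from the article). Anything it spawns is a ClickOnce application.
CLICKONCE_HOST = "dfsvc.exe"

# Public AWS domains for the three fronting services the report names:
# CloudFront distributions, API Gateway stages, and Lambda function URLs.
CLOUD_C2_PATTERNS = (
    re.compile(r"\.cloudfront\.net$", re.I),
    re.compile(r"\.execute-api\.[a-z0-9-]+\.amazonaws\.com$", re.I),
    re.compile(r"\.lambda-url\.[a-z0-9-]+\.on\.aws$", re.I),
)

# Constructed sample telemetry: one ClickOnce-launched tree that reaches AWS
# fronting domains, plus a legitimate mail client that also touches CloudFront
# (to show the correlation, not the domain alone, is what fires).
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 3020, "ppid": 1000,
     "image": r"C:\Windows\explorer.exe", "parent_image": r"C:\Windows\System32\userinit.exe"},
    {"type": "process_create", "pid": 4000, "ppid": 3020,
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
    {"type": "process_create", "pid": 4100, "ppid": 4000,
     "image": r"C:\Users\alice\AppData\Local\Apps\2.0\XXXX\deploy_app.exe",  # placeholder name
     "parent_image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"},
    {"type": "network_connect", "pid": 4100, "dest_host": "d111111abcdef8.cloudfront.net", "dest_port": 443},
    {"type": "process_create", "pid": 4200, "ppid": 3020,
     "image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "parent_image": r"C:\Windows\explorer.exe"},
    {"type": "network_connect", "pid": 4200, "dest_host": "outlook.office365.com", "dest_port": 443},
    {"type": "process_create", "pid": 4300, "ppid": 4100,
     "image": r"C:\Users\alice\AppData\Local\Temp\runner.exe",  # placeholder name
     "parent_image": r"C:\Users\alice\AppData\Local\Apps\2.0\XXXX\deploy_app.exe"},
    {"type": "network_connect", "pid": 4300, "dest_host": "abc123.execute-api.us-east-1.amazonaws.com", "dest_port": 443},
    {"type": "network_connect", "pid": 4200, "dest_host": "d222222zzz.cloudfront.net", "dest_port": 443},
]


def basename(path):
    """Last path component, lower-cased, so image comparisons ignore directory."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_cloud_fronted(host):
    """True if the destination is a CloudFront, API Gateway or Lambda URL domain."""
    return any(p.search(host) for p in CLOUD_C2_PATTERNS)


def clickonce_descendants(events):
    """PIDs spawned by dfsvc.exe, plus everything those processes spawn in turn."""
    tracked = set()
    for ev in events:  # events are assumed to be in chronological order
        if ev["type"] != "process_create":
            continue
        if basename(ev["parent_image"]) == CLICKONCE_HOST or ev["ppid"] in tracked:
            tracked.add(ev["pid"])
    return tracked


def detect(events):
    """Alert on ClickOnce-descended processes that connect to AWS fronting domains."""
    tracked = clickonce_descendants(events)
    image_by_pid = {ev["pid"]: ev["image"] for ev in events if ev["type"] == "process_create"}
    alerts = []
    for ev in events:
        if ev["type"] != "network_connect" or ev["pid"] not in tracked:
            continue
        if is_cloud_fronted(ev["dest_host"]):
            alerts.append({"pid": ev["pid"], "image": image_by_pid.get(ev["pid"]), "dest": ev["dest_host"]})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"ALERT pid={a['pid']} image={a['image']} -> {a['dest']}")
```

Two alerts fire on the sample set (the loader and its child), while the mail client's own CloudFront connection stays quiet because it is not in the ClickOnce process tree. In production the domain list is a starting point, not a verdict; the same pattern is what a hunt query over process-creation and network-connection events would express.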