In a detailed investigation, cybersecurity firm Trellix has revealed a highly stealthy and technically advanced cyber campaign dubbed OneClik, which targets companies in the energy, oil, and gas sectors. The operation leverages Microsoft’s ClickOnce deployment tool and a custom Golang-based backdoor named RunnerBeacon, while also masking its malicious communication using legitimate Amazon Web Services (AWS) infrastructure.
Researchers analyzed three distinct variants of the campaign—v1a, BPI-MDM, and v1d—each displaying sophisticated anti-analysis and evasion techniques. The attacks begin with phishing emails that distribute ClickOnce .APPLICATION manifests disguised as legitimate utilities. These payloads run under dfsvc.exe, the ClickOnce runtime process, so no privilege-elevation prompt is raised and the activity blends into normal system processes.
Infection Chain Uses Microsoft Tech and AWS to Avoid Detection
The infection begins with a ClickOnce loader executing via a phishing link hosted on Microsoft Azure, delivering malware without triggering User Account Control. Using AppDomainManager injection, attackers hijack trusted .NET executables like ZSATray.exe or umt.exe, which then quietly load malicious assemblies under the guise of legitimate software.
Communication with command-and-control (C2) servers is cleverly disguised using AWS services—including CloudFront, Lambda, and API Gateway. Because the same endpoints carry legitimate traffic, defenders cannot simply block these cloud assets without disrupting normal business activity, which makes the malicious flows hard to isolate.
One variant (v1a) used CloudFront and API Gateway for callbacks, while a later version (v1d) integrated an AWS Lambda function as its C2 endpoint. The campaign thus illustrates how trusted cloud platforms are being weaponized for stealth operations.
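The host-side stages of the chain above (a ClickOnce launch under dfsvc.exe, then a trusted .NET executable hijacked through AppDomainManager injection) leave recognizable traces that a defender can check for. The following script is an added example, not Trellix's code; it runs over constructed process-creation events (loosely shaped like Sysmon Event ID 1 fields, with an assumed "Env" field) and a constructed application config, and all paths and assembly names in it are placeholders.

```python
# Added example (not Trellix's code): host-side triage for the OneClik
# delivery chain. Constructed events loosely follow Sysmon Event ID 1
# fields; all paths and assembly names below are placeholders.
import re

# Constructed events: a trusted .NET binary launched by the ClickOnce
# runtime (dfsvc.exe) with an AppDomainManager override in its
# environment, plus a benign process for contrast.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\u\AppData\Local\Apps\2.0\x\ZSATray.exe",
     "ParentImage": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe",
     "Env": {"APPDOMAIN_MANAGER_ASM": "Loader, Version=1.0.0.0",
             "APPDOMAIN_MANAGER_TYPE": "Loader.Manager"}},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "Env": {}},
]

# Constructed <exe>.config that points the AppDomainManager at a
# side-loaded assembly: the file-based form of the same hijack.
SAMPLE_CONFIG = """<configuration><runtime>
  <appDomainManagerAssembly value="Loader, Version=1.0.0.0" />
  <appDomainManagerType value="Loader.Manager" />
</runtime></configuration>"""

ADM_ENV = ("APPDOMAIN_MANAGER_ASM", "APPDOMAIN_MANAGER_TYPE")
ADM_CFG = re.compile(r"<appDomainManager(Assembly|Type)\b[^>]*\bvalue=", re.I)

def triage_event(ev, config_text=None):
    """Return findings for one process-creation event (empty if benign)."""
    findings = []
    if ev.get("ParentImage", "").lower().endswith("\\dfsvc.exe"):
        findings.append("spawned by dfsvc.exe (ClickOnce launch)")
    if any(k in ev.get("Env", {}) for k in ADM_ENV):
        findings.append("AppDomainManager override in environment")
    if config_text and ADM_CFG.search(config_text):
        findings.append("exe.config sets appDomainManagerAssembly/Type")
    return findings

def triage(events, configs):
    """configs maps '<Image>.config' -> file text; returns image -> findings."""
    return {ev["Image"]: f for ev in events
            if (f := triage_event(ev, configs.get(ev["Image"] + ".config")))}

if __name__ == "__main__":
    cfgs = {SAMPLE_EVENTS[0]["Image"] + ".config": SAMPLE_CONFIG}
    for image, why in triage(SAMPLE_EVENTS, cfgs).items():
        print(image, "->", "; ".join(why))
```

A process started by dfsvc.exe is not malicious on its own, so the useful signal is the combination with an AppDomainManager override or a sibling config that redirects the manager type.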
Golang-Based RunnerBeacon: Modular, Encrypted, and Evasive
The malware at the center of OneClik’s payload is RunnerBeacon, a powerful backdoor written in Go whose C2 traffic is encrypted with the RC4 cipher and serialized with MessagePack, keeping its communication lightweight and flexible.
RunnerBeacon supports a wide range of operations:
- Shell command execution
- File uploads/downloads
- Process enumeration
- Port scanning
- SOCKS5 proxy setup
- Process injection for privilege escalation
To avoid detection, it randomizes beacon intervals and delays via an “obfuscate_and_sleep” function. Researchers noted similarities between RunnerBeacon and the Geacon family, a known Go-based reimplementation of the Cobalt Strike beacon, suggesting this tool may be a fork or privately modified version tuned for stealth and cloud compatibility.
Attribution Unclear but Hints at China-Linked Activity
While no definitive attribution has been made, Trellix notes strong overlaps in tactics and tooling with China-affiliated threat actors. Techniques like .NET AppDomainManager injection and the use of cloud staging services have been consistently linked to past Chinese state-sponsored campaigns.
Additionally, a related RunnerBeacon variant was spotted in the Middle East as far back as September 2023, indicating the campaign may have been active longer than initially believed.
Despite these indicators, Trellix has withheld a conclusive attribution, instead focusing on the urgent need for organizations in critical sectors to monitor cloud activity and strengthen defenses against obfuscated malware loaders and phishing-based deployment techniques.
A full list of Indicators of Compromise (IOCs) related to OneClik, including payloads, domains, executables, and configurations, has been provided by Trellix to help defenders detect and mitigate potential breaches.
