Full Report
Trellix Advanced Research Center exposed a sophisticated APT malware campaign dubbed OneClik, targeting the oil and gas and... The post Trellix details OneClik malware campaign targeting energy, oil and gas sectors using ClickOnce, cloud evasion appeared first on Industrial Cyber.
Analysis Summary
# Threat Actor: Unknown APT Actor (Associated with OneClik Campaign)
## Attribution & Identity
Attribution remains tentative, though the campaign bears hallmarks of sophisticated Chinese-affiliated threat actors. A possible, low-confidence link to threat actors such as **APT41** has been suggested. The actor runs highly sophisticated campaigns with evasion tactics that evolve from one variant to the next.
## Activity Summary
The actor is conducting a sophisticated APT malware campaign dubbed **OneClik**. Initial access comes via spear-phishing emails linking to a fake "hardware analysis" site, which delivers a malicious Microsoft ClickOnce application (.application file) disguised as a legitimate tool; once launched it silently downloads and executes payloads. Three distinct variants (v1a, BPI-MDM, and v1d) have been observed, each adding evasion techniques over the previous one. The ultimate goal is deploying a sophisticated Golang backdoor named **RunnerBeacon**.
## Tactics, Techniques & Procedures
- **Initial Access:** Spear-phishing, abuse of Microsoft ClickOnce for delivery and code execution (proxying execution through `dfsvc.exe`).
- **Execution/Defense Evasion:** Reliance on 'living off the land' techniques. Early injection via **.NET AppDomainManager hijacking** in the CLR startup process, causing legitimate executables (e.g., `ZSATray.exe`, `umt.exe`, `ied.exe`) to load attacker-controlled DLLs.
- **Evasion (v1a):** Manual relocation of core system modules in memory; disabling Event Tracing for Windows (ETW) by patching `EtwEventWrite` and `NtTraceEvent`.
- **Evasion (BPI-MDM):** Dedicated thread for continuous anti-debugging checks using `Debugger.IsAttached`, `CheckRemoteDebuggerPresent`, and `NtQueryInformationProcess`. (Aligned with ATT&CK T1622).
- **Evasion (v1d):** Intense sandbox/VM fingerprinting, including checking for domain/Azure AD joining status (`NetGetJoinInformation`, `NetGetAadJoinInformation`) and executing only on systems with > 8 GB of physical memory (`GlobalMemoryStatusEx`).
- **Payload Delivery:** Use of .NET loaders to deliver Base64-encoded and AES-encrypted shellcode for in-memory execution. Payloads often mimic Cobalt Strike behavior.
- **Persistence/Staging:** Cloud infrastructure abuse.
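The two host-side TTPs above that are easiest to hunt for are dfsvc.exe proxying execution and the .NET AppDomainManager hook. The following is an added example (not Trellix's detection content or anything from the report) showing a triage routine over constructed process-creation records. It assumes telemetry with image, parent image, selected environment variables and the contents of the process's `.exe.config`; the expectation that dfsvc.exe only launches binaries from the per-user ClickOnce cache (`%LOCALAPPDATA%\Apps\2.0\`) is an assumption to tune per environment. The `APPDOMAIN_MANAGER_ASM`/`APPDOMAIN_MANAGER_TYPE` variables and the `appDomainManagerAssembly`/`appDomainManagerType` config elements are the real .NET mechanisms that hijacking technique relies on.

```python
"""Host-side triage for the OneClik TTP cluster: dfsvc.exe proxy execution and
.NET AppDomainManager hijacking. Added example with constructed telemetry."""
import re
from dataclasses import dataclass, field

@dataclass
class ProcEvent:
    pid: int
    image: str                 # full path of the created process
    parent_image: str          # full path of the parent process
    cmdline: str
    env: dict = field(default_factory=dict)   # selected environment variables
    config_xml: str = ""       # contents of <image>.config, if one exists

# Assumption: children of dfsvc.exe normally live in the ClickOnce cache.
CLICKONCE_CACHE = re.compile(r"\\AppData\\Local\\Apps\\2\.0\\", re.IGNORECASE)

# Real .NET hooks for AppDomainManager loading (environment and runtime config).
ADM_ENV = ("APPDOMAIN_MANAGER_ASM", "APPDOMAIN_MANAGER_TYPE")
ADM_CFG = re.compile(r"appDomainManager(Assembly|Type)", re.IGNORECASE)

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def check_event(ev: ProcEvent) -> list:
    """Return the list of findings for one process-creation event."""
    findings = []
    if basename(ev.parent_image) == "dfsvc.exe" and not CLICKONCE_CACHE.search(ev.image):
        findings.append("dfsvc.exe spawned a child outside the ClickOnce cache")
    if any(k in ev.env for k in ADM_ENV):
        findings.append("AppDomainManager environment variables set on process")
    if ADM_CFG.search(ev.config_xml):
        findings.append("AppDomainManager declared in the process .exe.config")
    return findings

def triage(events) -> dict:
    """Map pid -> findings, only for events that produced at least one finding."""
    return {ev.pid: f for ev in events if (f := check_event(ev))}

# Constructed sample events (paths, pids and names are made up for the example).
SAMPLE_EVENTS = [
    ProcEvent(100, r"C:\Program Files\Google\Chrome\Application\chrome.exe",
              r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE", "chrome.exe"),
    ProcEvent(200, r"C:\Users\u\AppData\Local\Apps\2.0\ABCD\EFGH\app.exe",
              r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe", "app.exe"),
    ProcEvent(300, r"C:\Users\u\AppData\Local\Temp\ZSATray.exe",
              r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe", "ZSATray.exe",
              env={"APPDOMAIN_MANAGER_ASM": "loader, Version=1.0.0.0"},
              config_xml='<configuration><runtime>'
                         '<appDomainManagerAssembly value="loader" />'
                         '<appDomainManagerType value="Loader.Manager" />'
                         '</runtime></configuration>'),
]

if __name__ == "__main__":
    for pid, findings in triage(SAMPLE_EVENTS).items():
        print(pid, "->", "; ".join(findings))
```

Only pid 300 is flagged, on all three counts; the benign ClickOnce launch from the cache (pid 200) and the unrelated browser start (pid 100) pass. In production the same three checks map directly onto process-creation and image-load telemetry, and the dfsvc.exe rule is the one most likely to need an allow-list.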
## Targeting
- **Sectors:** Oil and Gas, Energy.
- **Geography:** Not explicitly detailed, but attribution hypotheses point towards Chinese-affiliated operations.
- **Victims:** Organizations within the critical infrastructure sectors mentioned above.
## Tools & Infrastructure
- **Malware Families:** **RunnerBeacon** (a sophisticated Golang backdoor), various **.NET-based loaders**.
- **Infrastructure (C2):** Abuses legitimate AWS cloud services for C2 communications, specifically **CloudFront, API Gateway, and Lambda**. This is used to disguise beacon traffic. Staging components may also use services like Alibaba Cloud in similar actor campaigns.
## Implications
This actor demonstrates high sophistication, heavily leveraging fileless and living-off-the-land (LotL) techniques via legitimate OS functions (ClickOnce/dfsvc.exe) to proxy malicious execution while evading standard defenses. The evolution across variants, particularly the intense anti-analysis measures in v1d, suggests a targeted, long-term espionage goal focused on high-value critical infrastructure. The C2 obfuscation using major cloud providers makes network detection extremely challenging without decryption or deep behavioral analysis.
## Mitigations
- **Focus on Behavioral Detection:** Prioritize detection logic based on known TTP clusters, such as ClickOnce abuse, .NET AppDomainManager hijacking, and unusual process behavior from `dfsvc.exe`.
- **Monitor .NET Runtime Integrity:** Implement strong monitoring for CLR startup manipulations and .NET configuration tampering.
- **Network Visibility:** Deploy tools capable of deep packet inspection or decryption to analyze traffic destined for legitimate AWS services (CloudFront/API Gateway) exhibiting beaconing behavior.
- **Harden Analysis Environments:** Ensure automated analysis sandboxes are configured with high memory specifications and appropriate domain/AD joining status to prevent sandbox evasion techniques found in the v1d variant.
- **Restrict ClickOnce Usage:** If possible, restrict or strictly vet the use of Microsoft ClickOnce for application deployment, especially from external or untrusted sources.
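Because the C2 hides behind CloudFront and API Gateway hostnames that many organisations legitimately contact, the network mitigation above has to key on timing rather than destination reputation. The block below is an added example (not from the report or Trellix) that scores connection regularity per source/host pair from constructed flow records; the flow line format and the jitter threshold are assumptions for the example.

```python
"""Beacon-regularity check for connections to AWS edge services the report
names as C2 fronts (CloudFront, API Gateway). Added example; flows constructed."""
import re
import statistics
from collections import defaultdict

# Hostname suffixes for the two AWS services named in the report.
AWS_EDGE = re.compile(r"(\.cloudfront\.net|\.execute-api\.[a-z0-9-]+\.amazonaws\.com)$",
                      re.IGNORECASE)

def parse_flow(line: str):
    """Constructed format: '<epoch_seconds> <src_ip> <dst_host> <bytes>'."""
    ts, src, host, nbytes = line.split()
    return float(ts), src, host.lower(), int(nbytes)

def beacon_score(timestamps):
    """Return (mean_interval_seconds, jitter_ratio) or None if too few samples.
    jitter_ratio is population stdev / mean of the inter-arrival gaps; a low
    value means the contacts are evenly spaced, which is how beacons look."""
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    if len(gaps) < 3:
        return None
    mean = statistics.mean(gaps)
    if mean <= 0:
        return None
    return mean, statistics.pstdev(gaps) / mean

def find_beacons(lines, min_events=5, max_jitter=0.2) -> dict:
    """Map (src, host) -> (mean_interval, jitter) for regular AWS-edge contacts."""
    by_key = defaultdict(list)
    for line in lines:
        ts, src, host, _ = parse_flow(line)
        if AWS_EDGE.search(host):
            by_key[(src, host)].append(ts)
    hits = {}
    for key, ts in by_key.items():
        if len(ts) < min_events:
            continue
        score = beacon_score(ts)
        if score and score[1] <= max_jitter:
            hits[key] = score
    return hits

# Constructed flows: one host checking in roughly every 60 s, one host browsing
# an API Gateway endpoint irregularly, and one non-AWS destination to be ignored.
BASE = 1700000000
SAMPLE_FLOWS = (
    [f"{BASE + t} 10.0.0.5 d111111abcdef8.cloudfront.net 512"
     for t in (0, 61, 119, 181, 240, 299, 361, 420)]
    + [f"{BASE + t} 10.0.0.7 abc123.execute-api.us-east-1.amazonaws.com 2048"
       for t in (1000, 1005, 1305, 1317, 2217, 2257, 2260)]
    + [f"{BASE + t} 10.0.0.9 updates.example.com 128" for t in (0, 60, 120, 180, 240)]
)

if __name__ == "__main__":
    for (src, host), (mean, jitter) in find_beacons(SAMPLE_FLOWS).items():
        print(f"{src} -> {host}: every {mean:.0f}s, jitter {jitter:.3f}")
```

Only the 10.0.0.5 to CloudFront pair is reported (mean interval 60 s, jitter about 0.025); the irregular API Gateway traffic fails the jitter test and the non-AWS host is never scored. Real beacons often add deliberate jitter, so in practice the threshold is set per environment and this check is paired with the host-side ClickOnce/AppDomainManager detections rather than used alone.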