OneClik cyber-espionage campaign targeting energy, oil and gas infrastructure

Trellix researchers discovered a sophisticated cyber-espionage campaign targeting the global energy, oil, and gas sector. Dubbed ‘OneClik’, the operation leverages phishing emails and abuses Microsoft’s ClickOnce deployment technology to infiltrate enterprise systems.

The campaign appears to be aligned with Chinese-affiliated threat actors, although the researchers didn’t attribute it to any known threat actor. OneClik’s tactics point to the involvement of advanced persistent threat (APT) groups that often use legitimate system tools and cloud infrastructure, a method known as “living off the land,” to bypass traditional security defenses.

The campaign involves three variants, v1a, BPI-MDM, and v1d, all of which use a custom-built .NET loader named OneClikNet. This loader delivers a Golang-based backdoor known as RunnerBeacon, which communicates with attacker-controlled servers hidden behind legitimate Amazon Web Services (AWS) platforms such as CloudFront, API Gateway, and Lambda.

Attackers lure victims through phishing emails linked to a fake “hardware analysis” website. When visited, the site deploys a ClickOnce application disguised as a legitimate tool. ClickOnce allows remote applications to install and run with minimal user interaction.

The ClickOnce loader uses AppDomainManager hijacking, a technique that manipulates .NET configuration files to force trusted executables (e.g., ZSATray.exe, umt.exe, ied.exe) to load a malicious DLL at runtime. Once executed, the loader runs under dfsvc.exe, a trusted Microsoft process that hosts ClickOnce applications, blending in with legitimate system activity and making detection difficult.
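The two behaviours described above, an AppDomainManager redirect in a .NET `.exe.config` and a trusted binary spawned under dfsvc.exe, both leave artefacts a defender can check for. The script below is an added example written for this article, not Trellix's tooling: it scans a config's `<runtime>` section for the `appDomainManagerAssembly`/`appDomainManagerType` elements (and the equivalent `APPDOMAIN_MANAGER_ASM`/`APPDOMAIN_MANAGER_TYPE` environment variables) and flags dfsvc.exe as the parent of the executables named in the article. The config contents, the `HijackedManager` assembly name, and the process-creation log lines are all constructed samples.

```python
"""Defender-side triage for two OneClik indicators: an AppDomainManager
redirect in a .NET application config, and a watched binary spawned by
dfsvc.exe (the ClickOnce host). All sample inputs are constructed."""
import xml.etree.ElementTree as ET

# AppDomainManager replacement is configured via these <runtime> elements,
# or via the equivalent process environment variables.
RUNTIME_KEYS = ("appDomainManagerAssembly", "appDomainManagerType")
ENV_KEYS = ("APPDOMAIN_MANAGER_ASM", "APPDOMAIN_MANAGER_TYPE")

# Trusted executables the article names as hijack targets (lower-cased).
WATCHED_BINARIES = ("zsatray.exe", "umt.exe", "ied.exe")

# Constructed config without any AppDomainManager settings.
BENIGN_CONFIG = """<configuration>
  <startup><supportedRuntime version="v4.0" /></startup>
</configuration>"""

# Constructed config redirecting AppDomainManager to an unsigned assembly
# ("HijackedManager" is a hypothetical name, not an indicator from the page).
HIJACKED_CONFIG = """<configuration>
  <runtime>
    <appDomainManagerAssembly value="HijackedManager, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <appDomainManagerType value="HijackedManager.Loader" />
  </runtime>
</configuration>"""

# Constructed Sysmon-style process-creation events, one per line,
# fields separated by '|' so that paths containing spaces survive parsing.
SAMPLE_PROCESS_LOG = """\
Image=C:\\Windows\\System32\\svchost.exe|ParentImage=C:\\Windows\\System32\\services.exe
Image=C:\\Users\\user\\AppData\\Local\\Apps\\2.0\\abcd\\ZSATray.exe|ParentImage=C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\dfsvc.exe
Image=C:\\Program Files\\Vendor\\ZSATray.exe|ParentImage=C:\\Windows\\explorer.exe
"""


def config_appdomain_manager(config_xml: str) -> dict:
    """Return {element_name: value} for appDomainManager* entries under
    <runtime>. An empty dict means the config does not redirect the
    AppDomainManager."""
    root = ET.fromstring(config_xml)
    runtime = root.find("runtime")
    found = {}
    if runtime is None:
        return found
    for child in runtime:
        tag = child.tag.split("}")[-1]  # drop an XML namespace if present
        if tag in RUNTIME_KEYS:
            found[tag] = child.get("value", "")
    return found


def env_appdomain_manager(env: dict) -> dict:
    """Return the APPDOMAIN_MANAGER_* variables present in a process env."""
    return {k: env[k] for k in ENV_KEYS if k in env}


def assess_config(config_xml: str) -> str:
    """Classify a config: clean, review (redirect present), or suspicious
    (redirect to an unsigned assembly, i.e. PublicKeyToken=null)."""
    settings = config_appdomain_manager(config_xml)
    if not settings:
        return "clean"
    assembly = settings.get("appDomainManagerAssembly", "")
    if "publickeytoken=null" in assembly.lower():
        return "suspicious: AppDomainManager redirected to unsigned assembly"
    return "review: AppDomainManager redirected"


def parse_process_log(text: str) -> list:
    """Parse 'Key=Value|Key=Value' lines into dicts."""
    events = []
    for line in text.splitlines():
        if line.strip():
            events.append(dict(part.split("=", 1) for part in line.split("|")))
    return events


def find_dfsvc_children(text: str, watched=WATCHED_BINARIES) -> list:
    """Return (image, parent) pairs where dfsvc.exe spawned a watched binary.
    Only the file names are compared, so install paths do not matter."""
    hits = []
    for ev in parse_process_log(text):
        image = ev.get("Image", "").rsplit("\\", 1)[-1].lower()
        parent = ev.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
        if parent == "dfsvc.exe" and image in watched:
            hits.append((image, parent))
    return hits


if __name__ == "__main__":
    print("benign config:", assess_config(BENIGN_CONFIG))
    print("hijacked config:", assess_config(HIJACKED_CONFIG))
    print("dfsvc.exe children:", find_dfsvc_children(SAMPLE_PROCESS_LOG))
```

A legitimate ClickOnce deployment can also produce dfsvc.exe as a parent, so the process check is a triage signal to pair with the config scan rather than a verdict on its own; in a real hunt the config check would be run over every `*.exe.config` beside the watched binaries and the env check over the environment blocks of running processes.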

The Tactics, Techniques, and Procedures (TTPs) used in the observed campaign overlap with TTPs of known Chinese APT operations such as Earth Baxia, GrimResource, and AhnLab’s MSC file abuse campaign, the researchers noted.

They say that a variant of RunnerBeacon was previously observed in a Middle Eastern oil and gas environment in late 2023, suggesting long-term, persistent targeting of the energy sector.

“Despite the strong overlap in techniques, we emphasize a cautious attribution stance. We assess a possible, low-confidence link between OneClik and Chinese threat actors such as APT41. In the absence of ‘smoking gun’ indicators, we refrain from definitively attributing OneClik to any specific threat actor or nation,” Trellix noted.
