A sophisticated hacking campaign dubbed “OneClik” is exploiting Microsoft’s ClickOnce deployment technology and AWS cloud services to stealthily target organizations in the energy, oil, and gas sectors. Attackers initiate the attack through phishing emails containing links to fake “hardware analysis” sites hosted on Azure Blob Storage. These sites deliver a ClickOnce manifest (.application file) disguised as legitimate software.
Attack Mechanics
ClickOnce applications execute under the ClickOnce Deployment Service (dfsvc.exe), so the malicious payload runs without triggering a User Account Control (UAC) prompt. The loader uses .NET AppDomainManager hijacking – by tampering with the application's .exe.config settings, it forces a legitimate, signed .NET executable (e.g., ZSATray.exe) to load a malicious DLL in place of a genuine dependency. Payload execution occurs within dfsvc.exe, blending with benign ClickOnce activity to evade detection.
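The .exe.config tampering described above can be hunted for on disk. The following is an added example, not code from the report or any vendor: it scans .exe.config files for the .NET Framework runtime elements that redirect AppDomainManager loading (the element names come from Microsoft's documented runtime configuration schema, not from the page) and flags a config whose manager assembly is a loose DLL sitting beside the executable. The sample configs are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from pathlib import Path

# .NET Framework <runtime> elements that point the CLR at a custom AppDomainManager.
# Taken from the documented runtime configuration schema; legitimate software
# almost never sets them, so any hit deserves a look.
MANAGER_ELEMENTS = ("appDomainManagerAssembly", "appDomainManagerType")

def find_appdomain_manager(config_xml: str):
    """Return (assembly display name, type name) declared under <runtime>,
    or None when the config does not redirect the AppDomainManager."""
    root = ET.fromstring(config_xml)
    runtime = root.find("runtime")
    if runtime is None:
        return None
    found = {}
    for child in runtime:
        tag = child.tag.split("}")[-1]          # tolerate a namespaced element
        if tag in MANAGER_ELEMENTS:
            found[tag] = child.get("value", "")
    if not found:
        return None
    return found.get("appDomainManagerAssembly", ""), found.get("appDomainManagerType", "")

def assess_config(config_xml: str, sibling_files) -> str:
    """Classify one .exe.config given the file names next to the executable.
    'clean'      - no AppDomainManager redirection
    'suspicious' - manager assembly resolves to a loose DLL beside the exe
    'review'     - manager points elsewhere (e.g. GAC); needs a human check"""
    hit = find_appdomain_manager(config_xml)
    if hit is None:
        return "clean"
    simple_name = hit[0].split(",")[0].strip().lower()   # strip version/culture/token
    siblings = {name.lower() for name in sibling_files}
    return "suspicious" if f"{simple_name}.dll" in siblings else "review"

def scan_directory(root):
    """Yield (config_path, verdict) for every *.exe.config under root."""
    for cfg in Path(root).rglob("*.exe.config"):
        siblings = [p.name for p in cfg.parent.iterdir()]
        yield cfg, assess_config(cfg.read_text(encoding="utf-8-sig"), siblings)

# Constructed samples: a hijacked config and an ordinary one.
SAMPLE_HIJACKED = """<configuration>
  <runtime>
    <appDomainManagerAssembly value="Loader, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null"/>
    <appDomainManagerType value="Loader.Manager"/>
  </runtime>
</configuration>"""
SAMPLE_CLEAN = """<configuration><startup><supportedRuntime version="v4.0"/></startup></configuration>"""

if __name__ == "__main__":
    print(assess_config(SAMPLE_HIJACKED, ["app.exe", "Loader.dll"]))   # suspicious
    print(assess_config(SAMPLE_CLEAN, ["app.exe"]))                    # clean
```

Run `scan_directory` over user-writable locations such as the ClickOnce cache and %LOCALAPPDATA% to surface configs worth triaging.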
AWS for Command-and-Control (C2) Obfuscation
Attackers route C2 traffic through legitimate AWS services – CloudFront and API Gateway in early variants, AWS Lambda function URLs in later ones – so that the beaconing looks like ordinary AWS traffic. This “hiding in the cloud” strategy leverages AWS’s trust and ubiquity, rendering network-based detection ineffective unless the TLS (SSL) traffic is decrypted and inspected.
Malware Evolution
Three variants demonstrate increasing sophistication:
1. v1a: Basic CloudFront/API Gateway C2.
2. BPI-MDM: Enhanced anti-analysis (anti-debugging loops, sandbox evasion).
3. v1d: Uses Lambda URLs for callbacks and employs a Golang backdoor (RunnerBeacon) for persistence.
Attribution and Targets
Tactics (e.g., .NET hijacking, in-memory decryption) align with Chinese APT groups, though attribution remains cautious. Energy sector entities are primary targets, with evidence of activity in Middle Eastern oil/gas sectors since 2023.