Full Report
A sophisticated malicious campaign that researchers call OneClik has been leveraging Microsoft's ClickOnce software deployment tool and custom Golang backdoors to compromise organizations within the energy, oil, and gas sectors. [...]
Analysis Summary
# Tool/Technique: RunnerBeacon / Geacon Variant (OneClik Campaign)
## Overview
This summary covers malware components and techniques observed in the "OneClik" campaign, which targets sectors like energy and oil/gas. The campaign leverages legitimate Microsoft mechanisms (ClickOnce) and cloud services (AWS) for stealthy execution and command and control (C2). A key component identified is a variant of the RunnerBeacon loader, which closely resembles a variant of Geacon.
## Technical Details
- **Type:** Malware Loader (RunnerBeacon variant, related to Geacon)
- **Platform:** Windows (implied by reliance on Microsoft ClickOnce)
- **Capabilities:** Stealthy initial execution, payload deployment, use of cloud-hosted C2 infrastructure, and a distinctive process injection technique (.NET AppDomainManager injection).
- **First Seen:** September 2023 (for the closely related RunnerBeacon variant); March 2024 (for the OneClik campaign discovery).
## MITRE ATT&CK Mapping
The article implies several techniques related to execution, defense evasion, and command and control:
- **TA0005 - Defense Evasion**
- **T1055 - Process Injection**
- **T1055.011 - .NET AppDomainManager Injection** (Explicitly mentioned)
- **TA0002 - Execution**
- **T1204.002 - User Execution: Malicious File** (Implied by initial phishing/delivery leading to ClickOnce execution)
- **TA0011 - Command and Control**
- **T1071 - Application Layer Protocol** (Likely using HTTP/S via AWS infrastructure)
## Functionality
### Core Capabilities
- **Stealthy Delivery and Execution:** Leveraging Microsoft ClickOnce to deploy and execute malicious code, potentially bypassing traditional application control measures.
- **Payload Staging:** Deploying an encrypted payload via a specifically designed method.
### Advanced Features
- **.NET AppDomainManager Injection:** Utilizes this specific technique for process injection, noted as characteristic of some China-affiliated threat actors.
- **Cloud-Based Infrastructure:** Preference for utilizing legitimate cloud services like AWS for staging and C2 operations to blend in with normal traffic.
- **C2 Variant:** Described as a blend, potentially a Geacon variant, tailored for stealth and cloud-friendliness.
## Indicators of Compromise
*Note: The article mentions a comprehensive list exists in the Trellix report, but none are explicitly provided in the excerpt, only categories.*
- **File Hashes:** [Not provided]
- **File Names:** [Not provided; components include phishing lures, malware loaders, backdoor binaries, and configuration files]
- **Registry Keys:** [Not provided]
- **Network Indicators:** Cloud-based staging using services from Amazon (AWS) and Alibaba. (Defanged: `aws.com`, `alibaba.com` usage patterns)
- **Behavioral Indicators:** Deployment via ClickOnce, use of ".NET AppDomainManager injection," encrypted payload delivery.
## Associated Threat Actors
- **Cautiously attributed to China-affiliated state actors:** Based on TTP overlaps (e.g., use of `.NET AppDomainManager injection` and preference for cloud staging services like Alibaba and Amazon). Attribution is not definitive.
## Detection Methods
- **Signature-based detection:** Possible against known C2 infrastructure domains (if harvested) and compiled binaries.
- **Behavioral detection:** Detection tailored for the execution flow involving ClickOnce abuse and post-exploitation actions like `.NET AppDomainManager injection`.
- **YARA rules:** [Not provided]
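As an added illustration of the behavioral detection described above (this is example code, not from the Trellix report or the article), the helper below scans application `.config` files for the documented .NET runtime settings that load a custom AppDomainManager, checks a process event for the equivalent environment variables, and notes when the flagged process was launched by ClickOnce (`dfsvc.exe` running a binary from the per-user `Apps\2.0` cache). All file paths, config contents and events are constructed sample data.

```python
"""Detection helper (added example): flag .NET AppDomainManager hijack markers
and correlate them with ClickOnce launch lineage. Sample inputs are constructed."""
import xml.etree.ElementTree as ET

# Documented .NET runtime settings (config elements and environment variables)
# that cause the CLR to load a custom AppDomainManager from an arbitrary assembly.
MANAGER_ELEMENTS = {"appDomainManagerAssembly", "appDomainManagerType"}
MANAGER_ENV_VARS = {"APPDOMAIN_MANAGER_ASM", "APPDOMAIN_MANAGER_TYPE"}

def config_manager_markers(xml_text: str) -> dict:
    """Return {element: value} for AppDomainManager settings under <runtime>."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return {}  # unparsable input is not a finding by itself
    found = {}
    for runtime in root.iter("runtime"):
        for child in runtime:
            if child.tag in MANAGER_ELEMENTS:
                found[child.tag] = child.get("value", "")
    return found

def is_clickonce_launch(event: dict) -> bool:
    """ClickOnce deployments are started by dfsvc.exe and run from the per-user
    Apps\\2.0 cache; both are normal on their own, so this only adds context."""
    return (event.get("parent", "").lower().endswith("dfsvc.exe")
            and "\\appdata\\local\\apps\\2.0\\" in event.get("image", "").lower())

def score_event(event: dict, configs: dict) -> list:
    """Combine env-var markers, the sibling .exe.config and lineage into findings."""
    findings = []
    env_hits = MANAGER_ENV_VARS & {k.upper() for k in event.get("env", {})}
    if env_hits:
        findings.append("env:" + ",".join(sorted(env_hits)))
    markers = config_manager_markers(configs.get(event.get("image", "") + ".config", ""))
    if markers:
        findings.append("config:" + ",".join(sorted(markers)))
    if findings and is_clickonce_launch(event):
        findings.append("clickonce-launch")
    return findings

# Constructed sample data (hypothetical paths, not indicators from the report).
APP = "C:\\Users\\u\\AppData\\Local\\Apps\\2.0\\ABC\\Updater.exe"
TOOL = "C:\\Program Files\\Tool\\Tool.exe"
SAMPLE_CONFIGS = {
    APP + ".config": ('<configuration><runtime>'
                      '<appDomainManagerAssembly value="Loader, Version=1.0.0.0"/>'
                      '<appDomainManagerType value="Loader.Manager"/>'
                      '</runtime></configuration>'),
    TOOL + ".config": "<configuration><runtime/></configuration>",
}
SAMPLE_EVENTS = [
    {"image": APP, "parent": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\dfsvc.exe", "env": {}},
    {"image": TOOL, "parent": "C:\\Windows\\explorer.exe", "env": {}},
]

def run_samples() -> dict:
    """Score every constructed event; returns {image: findings}."""
    return {e["image"]: score_event(e, SAMPLE_CONFIGS) for e in SAMPLE_EVENTS}
```

In a real deployment the config text and process events would come from an EDR or file-integrity feed rather than inline constants, and a hit on the `config:` or `env:` marker is the actionable signal; `clickonce-launch` only tells the analyst which delivery path was used.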
## Mitigation Strategies
- **Application Control:** Restrict execution of unsigned or unexpected applications deployed via ClickOnce.
- **Cloud Monitoring:** Increase scrutiny of traffic from internal assets to legitimate cloud services (AWS, Alibaba), since the campaign uses them for staging and C2 and such traffic otherwise blends in with normal activity.
- **Network Segmentation/Monitoring:** Monitoring for beaconing or communication patterns characteristic of malware loaders like RunnerBeacon/Geacon variants.
- **Patch Management:** General recommendation; not directly tied to the ClickOnce abuse mechanism described here.
## Related Tools/Techniques
- **Geacon:** The malware is described as a variant of a Geacon loader.
- **RunnerBeacon:** The specific variant identified in older activity shares nearly identical code structure.