
Microsoft ClickOnce, AWS Abused in Critical Infrastructure Attacks

Tactics used in the OneClik campaign resembled those of state-sponsored actors.


Organisations in the oil, gas, and energy sectors have been compromised with the Golang-based RunnerBeacon backdoor as part of the new OneClik attack campaign.

According to an analysis from Trellix, reported by BleepingComputer, intrusions began with malicious emails containing a link that redirected to a counterfeit hardware analysis site hosted on Azure. The site delivered a ClickOnce manifest spoofing a legitimate tool, which used AppDomainManager injection to facilitate the eventual RunnerBeacon compromise. The attackers then used AWS services to conceal illicit activity.

Aside from enabling shell command execution and process enumeration, RunnerBeacon — which had similarities with the Go-based Geacon backdoor — also facilitated file operations, port scanning and other network-related activities, and SOCKS5 tunnel creation for data traffic proxying.

While tactics used in the OneClik campaign resembled those of Chinese-linked threat actors, further analysis is needed to solidify the attribution, said Trellix researchers.
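A defensive check for the AppDomainManager injection step mentioned above, as an added example that is not part of the original article or of Trellix's analysis: it parses a .NET Framework application configuration file and reports any `appDomainManagerAssembly` / `appDomainManagerType` settings, which cause the runtime to load a custom manager assembly before the application's own code. It assumes the override is declared in the application's `.config` file; the sample configurations and the names in them are constructed.

```python
import xml.etree.ElementTree as ET

# <runtime> settings that make the .NET Framework CLR load a custom
# AppDomainManager before the host application's own code runs.
ADM_ELEMENTS = {"appdomainmanagerassembly", "appdomainmanagertype"}

# Constructed sample inputs (not taken from the campaign).
BENIGN = """<configuration>
  <startup><supportedRuntime version="v4.0"/></startup>
</configuration>"""

SUSPECT = """<configuration>
  <runtime>
    <appDomainManagerAssembly value="ExampleLoader, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null"/>
    <appDomainManagerType value="ExampleLoader.Manager"/>
  </runtime>
</configuration>"""


def local_name(tag):
    """Strip any XML namespace and lowercase the element name."""
    return tag.rsplit("}", 1)[-1].lower()


def find_appdomain_manager(config_xml):
    """Return {element: value} for AppDomainManager settings in a config file.

    An empty dict means no override is declared. Unparseable XML is reported
    under the key 'error' so a malformed file is reviewed rather than skipped.
    """
    try:
        root = ET.fromstring(config_xml)
    except ET.ParseError as exc:
        return {"error": str(exc)}
    return {local_name(e.tag): e.get("value", "")
            for e in root.iter() if local_name(e.tag) in ADM_ELEMENTS}


def triage(configs):
    """Map file name -> findings for every config that needs review."""
    results = {name: find_appdomain_manager(text) for name, text in configs.items()}
    return {name: found for name, found in results.items() if found}


if __name__ == "__main__":
    for name, found in triage({"ok.exe.config": BENIGN, "tool.exe.config": SUSPECT}).items():
        print(name, found)
```

A hit is a lead for review, not a verdict: some legitimate hosts set a custom AppDomainManager, so compare the named assembly against what the vendor ships.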



Dan Raywood

Dan Raywood is a B2B journalist with 25 years of experience, including covering cybersecurity for the past 17 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.

He has spoken at events including 44CON, Infosecurity Europe, RANT Forum, BSides Scotland, Steelcon and the National Cyber Security Show, and served as editor of SC Media UK, Infosecurity Magazine and IT Security Guru. He was also an analyst with 451 Research and a product marketing lead at Tenable.
