OneClik exemplifies a shift toward living-off-the-land (LOTL) tactics, where attackers exploit legitimate system features to execute malicious payloads without triggering standard security alerts.
OneClik abuses Microsoft ClickOnce, a .NET deployment technology that installs and launches applications with minimal user interaction and without administrative rights, so that its payload runs under dfsvc.exe, the legitimate Windows process that hosts ClickOnce applications.
Because that host process is trusted and the application runs with the user's own permissions, the activity blends into ordinary system behaviour, slips past signature-based tooling and never has to request the elevation that would draw a defender's attention.
Abuse of Microsoft ClickOnce bypasses traditional privilege and detection barriers
ClickOnce applications run with the permissions of the user who launched them and never raise a User Account Control prompt, which makes them an attractive vector: the attacker gets code execution inside a signed Microsoft host process without ever asking for elevation.
OneClik's .NET loader, OneClikNet, relies on AppDomainManager injection. The .NET Framework reads the appDomainManagerAssembly and appDomainManagerType settings from an application's .exe.config file (or from the APPDOMAIN_MANAGER_ASSEMBLY and APPDOMAIN_MANAGER_TYPE environment variables) and instantiates that class before the application's own entry point runs, so the attacker's DLL is loaded by a legitimate executable without any modification to the binary itself.
The loader then decrypts and executes its shellcode entirely in memory, leaving little on disk for file-based scanning to catch and complicating forensic analysis.
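The configuration knobs described above are the concrete thing a defender can hunt for. The following script is an added example, not OneClik or Trellix code: it parses .exe.config content and reports any AppDomainManager override, the probing paths that widen where the named assembly may be loaded from, and the environment-variable form of the same technique. The two config documents and the environment mapping are constructed for the example; the element and variable names are the ones the .NET Framework actually honours.

```python
"""Hunt for AppDomainManager injection indicators in .NET Framework .exe.config files.

Added example. The .NET Framework instantiates the class named by
<appDomainManagerAssembly>/<appDomainManagerType> under <configuration><runtime>
(or by the APPDOMAIN_MANAGER_ASSEMBLY / APPDOMAIN_MANAGER_TYPE environment
variables) before the application's Main runs. Legitimate line-of-business
applications almost never set these, so their presence is worth a look.
"""
import os
import xml.etree.ElementTree as ET

# Constructed sample: what a planted config next to a trusted .exe might look like.
SUSPICIOUS_CONFIG = """<configuration>
  <runtime>
    <appDomainManagerAssembly value="Helper, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <appDomainManagerType value="Helper.Loader" />
    <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
      <probing privatePath="lib;plugins" />
    </assemblyBinding>
  </runtime>
</configuration>
"""

# Constructed sample: an ordinary config that only pins the runtime version.
BENIGN_CONFIG = """<configuration>
  <startup>
    <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.8" />
  </startup>
</configuration>
"""


def _local(tag):
    """Strip a namespace prefix such as {urn:schemas-microsoft-com:asm.v1} from a tag."""
    return tag.rsplit("}", 1)[-1]


def scan_exe_config(xml_text, env=None):
    """Return AppDomainManager-related findings for one .exe.config document.

    env is an optional mapping of environment variables, so the process-wide
    override (which needs no config file at all) is checked in the same pass.
    """
    env = env or {}
    findings = {
        "manager_assembly": None,
        "manager_type": None,
        "probing_paths": [],
        "env_override": False,
        "suspicious": False,
    }
    root = ET.fromstring(xml_text)
    for elem in root.iter():
        name = _local(elem.tag)
        if name == "appDomainManagerAssembly":
            findings["manager_assembly"] = elem.get("value")
        elif name == "appDomainManagerType":
            findings["manager_type"] = elem.get("value")
        elif name == "probing":
            paths = (elem.get("privatePath") or "").split(";")
            findings["probing_paths"] = [p for p in paths if p]
    if env.get("APPDOMAIN_MANAGER_ASSEMBLY") or env.get("APPDOMAIN_MANAGER_TYPE"):
        findings["env_override"] = True
    findings["suspicious"] = bool(
        findings["manager_assembly"] or findings["manager_type"] or findings["env_override"]
    )
    return findings


def scan_directory(root_dir, env=None):
    """Walk a directory tree and return {path: findings} for every flagged *.exe.config."""
    flagged = {}
    for dirpath, _, filenames in os.walk(root_dir):
        for fn in filenames:
            if not fn.lower().endswith(".exe.config"):
                continue
            path = os.path.join(dirpath, fn)
            try:
                with open(path, "r", encoding="utf-8-sig") as fh:
                    result = scan_exe_config(fh.read(), env)
            except (OSError, ET.ParseError):
                continue  # unreadable or malformed config: skip rather than crash the sweep
            if result["suspicious"]:
                flagged[path] = result
    return flagged


if __name__ == "__main__":
    print(scan_exe_config(SUSPICIOUS_CONFIG))
    print(scan_exe_config(BENIGN_CONFIG, env={"APPDOMAIN_MANAGER_ASSEMBLY": "Helper"}))
```

A hit is a lead, not a verdict: check that the named assembly actually exists in the application directory or one of the probing paths, who wrote it, and whether the host executable is one that ClickOnce (dfsvc.exe) or another trusted launcher recently started.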
Did you know?
Microsoft ClickOnce technology was introduced in .NET Framework 2.0 to simplify application deployment, but its user-level permission model and trusted Windows process execution have been exploited by threat actors to bypass security controls.
Cloud infrastructure exploitation masks command-and-control communications
OneClik's command-and-control (C2) infrastructure is hosted on legitimate Amazon Web Services (AWS) offerings, with traffic fronted by CloudFront distributions, API Gateway endpoints and Lambda functions.
By routing C2 traffic through these trusted cloud services, the malware's network communications look like the enterprise's own cloud usage.
This "hiding in the cloud" tactic blunts traditional network-based detection: the destinations are the same AWS endpoints that legitimate software relies on, so defenders are left choosing between inspecting decrypted TLS traffic or blocking entire AWS domains, neither of which is practical for most organisations.
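Since the destination alone is not actionable, one check that does not require TLS inspection is timing. The script below is an added example, not from the OneClik report: it reads a simplified proxy log (constructed here as "epoch seconds, client IP, destination host"), keeps only connections to the public hostname patterns used by CloudFront, API Gateway and Lambda function URLs, and flags client/host pairs whose inter-connection gaps are regular enough to look like a beacon with modest jitter. The thresholds are illustrative assumptions to tune against your own baseline.

```python
"""Flag beacon-like periodic connections to AWS edge and serverless hostnames.

Added example. Assumes a simplified proxy log of "<epoch> <client ip> <host>"
lines; the suffix patterns are the public ones for CloudFront distributions
(*.cloudfront.net), API Gateway stages (*.execute-api.<region>.amazonaws.com)
and Lambda function URLs (*.lambda-url.<region>.on.aws). Sample lines are
constructed: one steady 60-second beacon with small jitter, one bursty browsing
session to a CDN, and one regular but non-AWS intranet poll that is filtered out.
"""
import statistics
from collections import defaultdict

SAMPLE_LOG = """\
1000 10.0.0.5 d1example.cloudfront.net
1062 10.0.0.5 d1example.cloudfront.net
1119 10.0.0.5 d1example.cloudfront.net
1181 10.0.0.5 d1example.cloudfront.net
1239 10.0.0.5 d1example.cloudfront.net
1300 10.0.0.5 d1example.cloudfront.net
1360 10.0.0.5 d1example.cloudfront.net
1000 10.0.0.7 d2example.cloudfront.net
1003 10.0.0.7 d2example.cloudfront.net
1005 10.0.0.7 d2example.cloudfront.net
1400 10.0.0.7 d2example.cloudfront.net
1402 10.0.0.7 d2example.cloudfront.net
2900 10.0.0.7 d2example.cloudfront.net
1000 10.0.0.5 intranet.example.local
1060 10.0.0.5 intranet.example.local
1120 10.0.0.5 intranet.example.local
1180 10.0.0.5 intranet.example.local
1240 10.0.0.5 intranet.example.local
1300 10.0.0.5 intranet.example.local
"""


def is_aws_edge_host(host):
    """True for hostnames served by CloudFront, API Gateway or Lambda function URLs."""
    host = host.lower().rstrip(".")
    if host.endswith(".cloudfront.net"):
        return True
    if ".lambda-url." in host and host.endswith(".on.aws"):
        return True
    return ".execute-api." in host and host.endswith(".amazonaws.com")


def parse_log(log_text):
    """Yield (timestamp, client, host) from the constructed log format; skip malformed lines."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            yield int(parts[0]), parts[1], parts[2].lower()
        except ValueError:
            continue


def detect_beacons(log_text, min_intervals=5, max_cv=0.25):
    """Return {(client, host): stats} for AWS-fronted destinations contacted on a regular cadence.

    cv is the coefficient of variation (population stdev / mean) of the gaps
    between consecutive connections. A beacon sleeping ~60 s with a little
    jitter keeps cv small; a person browsing a CDN-backed site produces bursts
    and long idle stretches, so cv is large. Thresholds are assumptions.
    """
    times = defaultdict(list)
    for ts, client, host in parse_log(log_text):
        if is_aws_edge_host(host):
            times[(client, host)].append(ts)
    hits = {}
    for key, stamps in times.items():
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        if len(gaps) < min_intervals:
            continue  # too few samples to judge regularity
        mean = statistics.fmean(gaps)
        if mean <= 0:
            continue  # all connections share one timestamp; not a cadence
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            hits[key] = {"connections": len(stamps), "mean_interval": mean, "cv": cv}
    return hits


if __name__ == "__main__":
    for (client, host), stats in detect_beacons(SAMPLE_LOG).items():
        print(f"{client} -> {host}: every {stats['mean_interval']:.0f}s (cv={stats['cv']:.2f})")
```

In the constructed data only the 10.0.0.5 connections to d1example.cloudfront.net survive: the browsing session fails the regularity test and the intranet poll is outside the AWS filter. In production the same logic runs over proxy or firewall logs and is most useful when combined with the first-seen age of the destination and the process that opened the connection, since legitimate software also polls cloud endpoints on timers.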
Modular Golang backdoor RunnerBeacon enhances operational flexibility and evasion
The final payload, RunnerBeacon, is a Golang backdoor that can communicate over several transports, including HTTP(S), WebSockets, raw TCP and SMB named pipes, which lets operators pick whichever channel blends in on a given network.
It supports a wide range of malicious operations, including file manipulation, process control, shell command execution, privilege escalation, and lateral movement.
Its design mirrors advanced Cobalt Strike beacons, but with enhancements for cloud-friendly, stealthy operations, further complicating detection and response.
Evolving variants demonstrate increasing sophistication and detection resistance
Since its initial detection, OneClik has evolved through multiple variants (v1a, BPI-MDM, v1d), each adding anti-analysis features such as sandbox detection, anti-debugging loops, memory checks that abort on hosts with too little RAM to be a real workstation (a common tell for analysis virtual machines), and encrypted in-memory payload execution.
These incremental advancements highlight the campaign’s adaptability and the increasing difficulty for defenders relying on traditional endpoint protection and signature-based tools.