Red Team simulates Microsoft ClickOnce, AWS abused in critical infrastructure attacks
A red team exercise simulated attacks against organizations in the oil, gas, and energy sectors using the Golang-based RunnerBeacon backdoor as part of the new OneClik attack campaign, which has three variants that all abuse the Microsoft ClickOnce deployment tool and various AWS cloud services, BleepingComputer reports.
According to an analysis from Trellix, the exercise simulated attacks that began with malicious emails linking to a counterfeit Azure-hosted hardware-analysis site. That site delivered a ClickOnce manifest spoofing a legitimate tool, which then used AppDomainManager injection to load the RunnerBeacon backdoor. The red team used AWS services to demonstrate how attackers might conceal malicious activity. RunnerBeacon, designed to simulate the capabilities of tools such as the Go-based Geacon backdoor, supports shell command execution, process enumeration, file operations, port scanning and other network activity, and the creation of SOCKS5 tunnels for proxying traffic. While the tactics used in the OneClik campaign resembled those of Chinese-linked threat actors, this reflected the red team's emulation of known APT techniques rather than evidence of actual nation-state involvement.
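AppDomainManager injection, the loading primitive named above, works by pointing a .NET application's runtime configuration at an assembly of the attacker's choosing, so one practical defensive check is to audit application config files and process environments for that override. The following is an added example, not code from Trellix or from the red team behind OneClik; it assumes the documented .NET Framework settings `appDomainManagerAssembly` and `appDomainManagerType` (and their environment-variable equivalents), and the config snippets embedded in it are constructed samples rather than artifacts from the campaign.

```python
"""Audit .NET application configs and process environments for
AppDomainManager overrides (the legitimate mechanism that AppDomainManager
injection abuses). Added example; assumes the documented .NET Framework
setting and variable names below. Sample configs are constructed."""
import xml.etree.ElementTree as ET
from typing import Dict, List

# Documented .NET Framework <runtime> settings that redirect AppDomain
# initialisation to a caller-chosen assembly and type.
OVERRIDE_KEYS = ("appDomainManagerAssembly", "appDomainManagerType")

# Documented environment variables with the same effect on a .NET process.
OVERRIDE_ENV = ("APPDOMAIN_MANAGER_ASM", "APPDOMAIN_MANAGER_TYPE")


def audit_config(xml_text: str) -> List[Dict[str, str]]:
    """Return one finding per AppDomainManager override in a .NET config.

    Malformed XML is reported as a finding as well: an unparsable config
    should be looked at by hand rather than silently skipped.
    """
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [{"setting": "parse_error", "value": str(exc)}]
    findings = []
    # iter() walks every element regardless of depth, so an override placed
    # somewhere other than the usual <configuration><runtime> is still seen.
    for elem in root.iter():
        if elem.tag in OVERRIDE_KEYS:
            findings.append({"setting": elem.tag, "value": elem.get("value", "")})
    return findings


def audit_environment(env: Dict[str, str]) -> List[Dict[str, str]]:
    """Flag the environment-variable form of the override in a process env."""
    return [{"setting": k, "value": v} for k, v in env.items() if k in OVERRIDE_ENV]


# Constructed sample: an ordinary config with no override.
BENIGN_CONFIG = """<configuration>
  <startup>
    <supportedRuntime version="v4.0" />
  </startup>
</configuration>"""

# Constructed sample: the override present (assembly and type names are
# placeholders, not values from any real sample).
SUSPECT_CONFIG = """<configuration>
  <runtime>
    <appDomainManagerAssembly value="ExampleHelper, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <appDomainManagerType value="ExampleHelper.Manager" />
  </runtime>
</configuration>"""


if __name__ == "__main__":
    for label, cfg in (("benign", BENIGN_CONFIG), ("suspect", SUSPECT_CONFIG)):
        print(label, audit_config(cfg))
    print("env", audit_environment({"PATH": "/usr/bin", "APPDOMAIN_MANAGER_TYPE": "X.Y"}))
```

In practice you would run `audit_config` over every `*.exe.config` and `*.dll.config` under directories where ClickOnce deployments land (the per-user application cache) and compare any hit against what the vendor's own config documents; a manager assembly the application's publisher never shipped is the condition worth escalating.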