
Image by Danny Burke, from Unsplash
Hackers Use Microsoft Tool To Infiltrate Oil and Gas Infrastructure
Researchers uncovered a stealthy malware campaign that attacks energy systems by abusing Microsoft's ClickOnce deployment technology, cloud-based obfuscation, and a powerful backdoor known as RunnerBeacon
In a rush? Here are the quick facts:
- OneClik targets energy, oil, and gas industries through phishing and malware.
- Malware hides in Microsoft ClickOnce to bypass user alerts.
- RunnerBeacon backdoor uses Amazon cloud to evade detection.
The Trellix research team identified a new attack campaign, named “OneClik,” that uses sophisticated methods to infiltrate the security systems of energy, oil, and gas companies.
The attackers deliver the attack through phishing emails and abuse Microsoft's ClickOnce deployment technology to trick users into installing malicious software disguised as a hardware analysis tool.
When the victim opens the link, the fake tool is downloaded and then run by “dfsvc.exe,” the legitimate Windows process that handles ClickOnce deployments. The hidden malware is loaded into that trusted process using advanced programming techniques, so it executes under the cover of a legitimate Windows binary.
Once inside, the malware installs a backdoor called “RunnerBeacon,” which quietly connects to hacker-controlled servers disguised as Amazon cloud services, making it nearly impossible to detect.
The researchers note that RunnerBeacon, written in the Go programming language, is highly advanced. It can run commands, steal files, take over network traffic, and even hide from investigators using anti-debugging and system checks.
The researchers report that the malware evolves across three versions, with each new one improving its ability to avoid detection, including scanning for whether it’s running in a secure virtual environment.
OneClik’s infrastructure is designed to blend in with legitimate cloud traffic. Its command-and-control communications are routed through Amazon CloudFront and Lambda, services that corporate networks routinely trust, so the malware’s traffic is concealed among ordinary cloud activity.
Additionally, the “living off the land” approach, which relies on legitimate tools already present on the system and blends into daily digital activity, makes detection more challenging.
Researchers say they cannot confirm the identity behind OneClik; however, the operation demonstrates a prolonged, sophisticated strategy that targets critical infrastructure systems.