The Trellix research team has identified a new cyberattack campaign named "OneClik" that uses sophisticated methods to infiltrate the security systems of energy, oil, and gas companies. The attackers send phishing emails that abuse the Microsoft ClickOnce application to deceive users into installing harmful software disguised as a hardware analysis tool. When the victim opens the link, the fake tool is downloaded and then run by `dfsvc.exe`. Advanced programming techniques are then used to load hidden malware into this legitimate Windows process. The researchers note that RunnerBeacon, written in the Go programming language, is highly advanced: it can run commands, steal files, take over network traffic, and even hide from investigators through anti-debugging tools and system checks. The researchers report that the malware has evolved across three versions, each improving its ability to avoid detection, including by checking whether it is running in a secure virtual environment. Additionally, the "living off the land" approach helps the malware evade defenses by blending into daily digital activities, which makes detection more challenging. The researchers say they cannot confirm who is behind OneClik. However, the operation demonstrates a prolonged, sophisticated strategy that targets critical infrastructure systems.