The 'OneClik' malware campaign, reported by Trellix, is actively targeting the energy, oil, and gas sectors, using targeted phishing and abusing Microsoft ClickOnce for stealthy payload delivery. This advanced persistent threat employs .NET AppDomainManager hijacking and a Golang backdoor, and routes command-and-control traffic through legitimate AWS cloud services, which severely complicates detection for traditional security controls. The campaign's 'living off the land' approach and its tactical overlaps with Chinese APTs underscore a shift that calls for enhanced behavioral analysis and adaptive defensive strategies in affected organizations.
A sophisticated advanced persistent threat (APT) campaign, dubbed 'OneClik', is actively targeting the global energy, oil, and gas sectors in a long-running effort, as evidenced by variants identified in the Middle East as far back as September 2023. The campaign follows a 'living off the land' strategy, abusing trusted enterprise technologies to evade detection: Microsoft's .NET ClickOnce deployment technology for initial payload delivery, and Amazon's AWS services (CloudFront, API Gateway, Lambda) for command-and-control (C2) communications. This makes the threat exceptionally difficult to detect with conventional signature-based or network-level security tools. The attackers employ evasion techniques that have evolved across several variants, including .NET AppDomainManager hijacking for early-stage code injection, in-memory decryption, and anti-analysis measures such as disabling ETW, anti-debugging checks, and sandbox fingerprinting (e.g., checking for >8GB RAM and domain-joined status). While Trellix notes a low-confidence link to Chinese-affiliated actors like APT41 based on overlapping tactics, techniques, and procedures (TTPs), the key takeaway is the systemic risk posed by the abuse of ubiquitous cloud and software platforms, a trend also seen in other campaigns utilizing Alibaba Cloud.
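As an added defensive illustration (this is not code from Trellix or the report): the .NET runtime takes the AppDomainManager to load from the `appDomainManagerAssembly` and `appDomainManagerType` elements in an application's `.exe.config`, so scanning those files for such overrides is one practical check for the hijack technique described above. Both sample configs below are constructed, and the `Loader` assembly and type names are hypothetical placeholders, not indicators from the campaign.

```python
"""Scan .NET application config files for AppDomainManager override settings."""
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed sample: an ordinary app config with no runtime overrides.
BENIGN_CONFIG = """<?xml version="1.0"?>
<configuration>
  <startup><supportedRuntime version="v4.0" /></startup>
</configuration>"""

# Constructed sample: the <runtime> section redirects the AppDomainManager to a
# custom assembly/type (hypothetical names), which is how the hijack is wired up.
SUSPICIOUS_CONFIG = """<?xml version="1.0"?>
<configuration>
  <runtime>
    <appDomainManagerAssembly value="Loader, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <appDomainManagerType value="Loader.Manager" />
  </runtime>
</configuration>"""

OVERRIDE_ELEMENTS = ("appDomainManagerAssembly", "appDomainManagerType")


def find_appdomain_manager_settings(config_xml: str) -> dict:
    """Return {element_name: value} for any AppDomainManager override under <runtime>."""
    root = ET.fromstring(config_xml)
    runtime = root.find("runtime")
    if runtime is None:
        return {}
    found = {}
    for child in runtime:
        tag = child.tag.split("}")[-1]  # tolerate a namespaced element
        if tag in OVERRIDE_ELEMENTS:
            found[tag] = child.get("value", "")
    return found


def is_suspicious(config_xml: str) -> bool:
    """Any config that names a custom AppDomainManager deserves analyst review."""
    return bool(find_appdomain_manager_settings(config_xml))


def scan_directory(root: Path) -> list:
    """Walk a tree and report every *.exe.config that sets an AppDomainManager."""
    hits = []
    for cfg in root.rglob("*.exe.config"):
        try:
            settings = find_appdomain_manager_settings(cfg.read_text(errors="ignore"))
        except ET.ParseError:
            continue  # malformed XML: not loadable by the runtime either
        if settings:
            hits.append((str(cfg), settings))
    return hits
```

Run `scan_directory(Path("C:/Program Files"))` (or any user-writable application directory) to list candidates; a hit is a lead for review, since a few legitimate hosting products do ship their own AppDomainManager.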