Covert Attacks Exploit Microsoft ClickOnce and AWS

New attack campaigns are leveraging seemingly harmless Microsoft and cloud services to deliver sophisticated malware, posing a significant threat to users and organizations. These campaigns exploit legitimate tools and platforms, making detection particularly challenging for traditional security measures.

A key component of this threat involves abusing Microsoft ClickOnce, a deployment technology designed to make application installation easy. Attackers are crafting malicious ClickOnce applications that, once run, bypass standard security checks and install harmful payloads onto a victim's system. This method is effective because users often trust installations initiated through seemingly legitimate software processes.

Simultaneously, adversaries are utilizing Amazon Web Services (AWS) infrastructure, specifically AWS S3 buckets and CloudFront, to host the malicious code and deliver it to victims. Using cloud services for hosting adds another layer of stealth: traffic to or from well-known cloud providers blends in with legitimate network activity, making it harder for security systems to flag it as suspicious. This technique effectively turns trusted cloud infrastructure into a covert delivery mechanism for malware.

The attack typically begins with phishing or social engineering tactics, luring users into downloading and executing the malicious ClickOnce application. Once executed, the application fetches the actual malware payload from the attacker-controlled AWS resources. The types of malware delivered can vary, including information stealers, remote access trojans (RATs), or even ransomware, allowing attackers to compromise systems, steal sensitive data, or establish persistent access.

The challenge for security teams lies in the fact that both ClickOnce and AWS are legitimate tools widely used in business environments. Distinguishing malicious use from legitimate activity requires behavioral analysis and threat intelligence rather than simple blocklists. Organizations must enhance their monitoring capabilities, educate users about the risks of unexpected application installations, and implement robust endpoint detection and response (EDR) solutions that can identify suspicious processes and network connections even when they involve trusted services. Preventing these covert attacks requires a multi-layered approach: hardening the initial intrusion vectors such as phishing, and detecting the subsequent malicious activity enabled by the abuse of legitimate infrastructure.
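The detection idea in the paragraph above, correlating a trusted process with network activity toward trusted infrastructure, is easier to see in code. The following is an added example written for this page, not code from the article or from any vendor. It assumes a simplified event feed (process-creation and network-connection records as Python dicts, with constructed field names) such as an EDR or Sysmon export might provide. Two facts it relies on are well established and not specific to this campaign: the ClickOnce runtime host on Windows is dfsvc.exe, and AWS S3 and CloudFront serve content from hostnames under amazonaws.com and cloudfront.net. The allowlisted deployment host and all sample events are constructed placeholders.

```python
"""Correlate ClickOnce host activity with fetches from public cloud hosting.

Neither signal is suspicious on its own: dfsvc.exe runs for every legitimate
ClickOnce install, and connections to S3/CloudFront are everywhere. The chain
described in the article (ClickOnce host -> AWS-hosted payload -> new process)
only stands out when the two are joined per process.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Hosting services the article names as abused (real AWS domain suffixes).
CLOUD_HOSTING_SUFFIXES = (".amazonaws.com", ".cloudfront.net")
# The ClickOnce deployment runtime host process on Windows.
CLICKONCE_HOST = "dfsvc.exe"
# Hosts known to serve the organisation's own ClickOnce apps (constructed placeholder).
ALLOWLISTED_HOSTS = {"deploy.example.internal"}


@dataclass
class Finding:
    pid: int
    dest_host: str
    children: List[str] = field(default_factory=list)

    @property
    def severity(self) -> str:
        # A ClickOnce host that pulled from public cloud hosting AND spawned a
        # child process matches the staged-payload chain the article describes.
        return "high" if self.children else "medium"


def image_name(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def correlate(events: List[dict]) -> List[Finding]:
    """Flag ClickOnce host processes that fetched from S3/CloudFront.

    Two passes, so event ordering does not matter: first index every
    dfsvc.exe process and its children, then evaluate network events.
    """
    clickonce_pids = {
        e["pid"] for e in events
        if e["type"] == "process" and image_name(e["image"]) == CLICKONCE_HOST
    }
    children: Dict[int, List[str]] = {}
    for e in events:
        if e["type"] == "process" and e.get("parent_pid") in clickonce_pids:
            children.setdefault(e["parent_pid"], []).append(image_name(e["image"]))

    findings: List[Finding] = []
    for e in events:
        if e["type"] != "network" or e["pid"] not in clickonce_pids:
            continue
        host = e["dest_host"].lower().rstrip(".")
        if host in ALLOWLISTED_HOSTS or not host.endswith(CLOUD_HOSTING_SUFFIXES):
            continue
        findings.append(Finding(e["pid"], host, children.get(e["pid"], [])))
    return findings


# Constructed sample feed. Only pid 2000 should produce a finding.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 1000, "parent_pid": 1, "image": r"C:\Windows\explorer.exe"},
    # ClickOnce host launched from the desktop, then fetching from CloudFront
    # and spawning a shell: the chain worth alerting on.
    {"type": "process", "pid": 2000, "parent_pid": 1000,
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"},
    {"type": "network", "pid": 2000, "dest_host": "d111111abcdef8.cloudfront.net", "dest_port": 443},
    {"type": "process", "pid": 2100, "parent_pid": 2000,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    # Legitimate ClickOnce install from the internal deployment server: no finding.
    {"type": "process", "pid": 3000, "parent_pid": 1000,
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"},
    {"type": "network", "pid": 3000, "dest_host": "deploy.example.internal", "dest_port": 443},
    # Ordinary browser traffic to S3: cloud hosting alone is not the signal.
    {"type": "process", "pid": 4000, "parent_pid": 1000, "image": r"C:\Program Files\Browser\browser.exe"},
    {"type": "network", "pid": 4000, "dest_host": "s3.amazonaws.com", "dest_port": 443},
]

if __name__ == "__main__":
    for f in correlate(SAMPLE_EVENTS):
        print(f"[{f.severity}] pid={f.pid} {CLICKONCE_HOST} -> {f.dest_host} children={f.children}")
```

Run as a script it reports one high-severity finding for pid 2000. The allowlist is what keeps this usable: a team that distributes its own ClickOnce applications from S3 or CloudFront would otherwise alert on every legitimate install, so those distribution hosts belong in `ALLOWLISTED_HOSTS` and the rule should be tuned against a baseline of normal dfsvc.exe traffic before it is enabled.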

Source: https://www.bleepingcomputer.com/news/security/oneclik-attacks-use-microsoft-clickonce-and-aws-to-target-energy-sector/