A recent cybersecurity incident exposed how OneClik malware bypassed defenses in critical infrastructure firms using Microsoft’s ClickOnce framework. The breach didn’t start with a zero-day exploit or a sophisticated spear-phish. It began with a single click on a trusted-looking link.
Attackers leveraged a hardware analysis website to lure victims. Within moments, a malicious package was installed silently, granting remote access deep into enterprise networks. The backdoor—RunnerBeacon—proved capable of far more than simple data theft. It enabled lateral movement, persistence, and total command execution across domains.
Threat Overview
Category: Backdoor malware
Targeted sectors: Energy, oil and gas, industrial control systems
Main payload: RunnerBeacon
Initial vector: ClickOnce application masquerading as legitimate software
Why it matters: Allows complete remote control of infected systems and lateral movement inside secure environments
In-Depth Analysis
Infection Vector
OneClik campaigns typically begin with targeted phishing emails. These contain links to cloned or fake websites claiming to offer hardware diagnostic software. Victims—often engineers or IT admins—are prompted to install a benign-looking application using Microsoft’s ClickOnce deployment method.
Unlike traditional installers, ClickOnce runs silently via dfsvc.exe, a legitimate Microsoft binary. This abused trust chain avoids standard User Account Control (UAC) prompts and endpoint detection. Once the application runs, the backdoor is deployed.
Behavioral Profile
RunnerBeacon is a Golang-based backdoor that installs with minimal system disruption. It includes:
- Command execution (cmd, PowerShell)
- System and domain reconnaissance
- Lateral movement using built-in Windows tools
- Communication via multiple channels (HTTP/S, TCP, WebSocket, SMB named pipes)
- Persistence via registry modifications and scheduled tasks
- Real-time remote access for attackers
Three variants have been observed in the wild:
- v1a: Original version, limited to command execution
- BPI‑MDM: Targeted oil sector companies
- v1d: Includes obfuscation, improved stealth, and pipe-based command relay
RunnerBeacon communicates with command-and-control servers over encrypted channels, blending with normal traffic and avoiding signature-based detection.
Risk Assessment
This malware campaign poses a severe risk to operational technology environments. RunnerBeacon’s command capabilities, combined with its ability to persist silently, make it ideal for pre-ransomware staging or long-term espionage.
No ransom demand is made directly. However, access gained through OneClik can be sold to ransomware affiliates or nation-state groups.
Past incidents show attackers using this access to:
- Disable industrial monitoring tools
- Extract confidential SCADA configurations
- Install secondary payloads including ransomware or data wipers
ClickOnce misuse makes detection challenging. Most antivirus suites ignore dfsvc.exe activity unless behavioral monitoring is enabled.
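The behavioral signal described above (the ClickOnce host launching something it should not) can be hunted for in process-creation telemetry. The script below is an added example written for this page, not code from the report or from any vendor. It assumes Sysmon is installed and writing process-creation events (Event ID 1) to the Microsoft-Windows-Sysmon/Operational log; the list of shell names, the ClickOnce cache path pattern and the 24-hour lookback are illustrative choices, not indicators from the campaign.

```powershell
# Added example: hunt Sysmon process-creation events (Event ID 1) for ClickOnce abuse.
# Assumption: Sysmon is installed and logging to Microsoft-Windows-Sysmon/Operational.
# $LookbackHours, $ShellNames and the cache pattern are illustrative, not IoCs from the report.
param(
    [int]$LookbackHours = 24
)

# Interactive shells and script hosts that a ClickOnce host process has no business launching.
$ShellNames = @('cmd.exe', 'powershell.exe', 'pwsh.exe', 'wscript.exe', 'cscript.exe', 'mshta.exe', 'rundll32.exe')

# ClickOnce applications execute from the per-user deployment cache (any user's profile).
$ClickOnceCache = '\\AppData\\Local\\Apps\\2\.0\\'

function Get-SysmonDataField {
    # Pull one named <Data> field out of a Sysmon event's XML body.
    param([xml]$EventXml, [string]$Name)
    ($EventXml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

$filter = @{
    LogName   = 'Microsoft-Windows-Sysmon/Operational'
    Id        = 1
    StartTime = (Get-Date).AddHours(-$LookbackHours)
}

$findings = foreach ($evt in Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue) {
    $x           = [xml]$evt.ToXml()
    $image       = Get-SysmonDataField $x 'Image'
    $parentImage = Get-SysmonDataField $x 'ParentImage'
    $cmdLine     = Get-SysmonDataField $x 'CommandLine'
    $leaf        = [System.IO.Path]::GetFileName($image)

    $reasons = @()
    # The ClickOnce host (dfsvc.exe) spawning a shell or script host.
    if ($parentImage -match '\\dfsvc\.exe$' -and $ShellNames -contains $leaf) {
        $reasons += 'dfsvc.exe spawned a shell/script host'
    }
    # Anything at all executing out of the ClickOnce cache directory.
    if ($image -match $ClickOnceCache) {
        $reasons += 'image runs from ClickOnce cache'
    }
    # A shell whose parent lives in the cache: a second stage launched by the deployed app.
    if ($parentImage -match $ClickOnceCache -and $ShellNames -contains $leaf) {
        $reasons += 'ClickOnce app spawned a shell'
    }

    if ($reasons.Count -gt 0) {
        [pscustomobject]@{
            Time        = $evt.TimeCreated
            Image       = $image
            ParentImage = $parentImage
            CommandLine = $cmdLine
            Reason      = ($reasons -join '; ')
        }
    }
}

$findings | Sort-Object Time | Format-Table -AutoSize -Wrap
```

Run it from an elevated prompt on a host where Sysmon is enabled; every row is a process-creation event that an allowlist-based or signature-based control would have let pass, because dfsvc.exe itself is a signed Microsoft binary. The same three conditions translate directly into an EDR or SIEM rule if you prefer to alert centrally rather than hunt per host.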
Artifact Text (Fake Installer Prompt)
Hardware Analysis Tool v1.2
Downloading required components...
Please wait while your system is analyzed.
[No further prompts displayed.]
The installer behaves like a legitimate update, giving users no indication that a backdoor is being planted.
Manual Removal of Backdoor Malware
(Note: Manual removal can be complex and risky. If performed incorrectly, it may cause system instability. Proceed with caution or use the automated SpyHunter method below.)
Step 1: Restart in Safe Mode with Networking
To prevent the backdoor malware from running, restart your computer in Safe Mode with Networking:
- Press Windows + R, type msconfig, and press Enter.
- Navigate to the Boot tab.
- Check Safe boot and select Network.
- Click Apply > OK and restart your PC.
Step 2: Terminate Malicious Processes in Task Manager
- Press Ctrl + Shift + Esc to open Task Manager.
- Look for suspicious processes that may be linked to the backdoor malware. Common signs include:
- Unrecognized processes consuming high CPU or memory.
- Randomly named processes (e.g., svchost32.exe, systemupdate.exe).
- Right-click on any suspicious process and select End Task.
Step 3: Delete Suspicious Files from System Folders
- Press Windows + R, type %AppData%, and press Enter.
- Check for suspicious folders and files, such as unknown .exe or .dll files.
- Navigate to the following locations and remove suspicious files:
C:\Users\YourUserName\AppData\Local
C:\Users\YourUserName\AppData\Roaming
C:\ProgramData
C:\Windows\System32\drivers
C:\Windows\Temp
Step 4: Remove Malicious Entries from the Windows Registry
- Press Windows + R, type regedit, and hit Enter.
- Navigate to the following keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
- Look for entries with random names or unknown applications.
- Right-click and select Delete.
(Caution: Editing the Registry incorrectly can cause serious issues. Back up your registry before making changes.)
Step 5: Reset Browser Settings
Backdoor malware may modify browser settings to redirect traffic or steal credentials. Reset your browsers:
Google Chrome
- Open Chrome, type chrome://settings/reset in the address bar, and press Enter.
- Click Restore settings to their original defaults > Reset settings.
Mozilla Firefox
- Open Firefox, type about:support in the address bar, and press Enter.
- Click Refresh Firefox > Confirm.
Microsoft Edge
- Open Edge, go to Settings > Reset Settings.
- Click Restore settings to their default values > Reset.
Step 6: Scan for Remaining Threats
After manual removal, use Windows Defender or a third-party antivirus to scan your system for remaining threats.
- Press Windows + I > Update & Security > Windows Security.
- Click Virus & threat protection > Quick Scan.
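The process, file-location and Run-key checks in Steps 2 to 4, together with the scheduled-task persistence noted in the behavioral profile and the outbound-traffic review recommended in the conclusion, can be collected in one read-only triage pass before anything is terminated or deleted. The script below is an added example for this page, not code from the report or from any tool vendor. It only reports; the path patterns it flags are the locations the manual steps name plus the ClickOnce cache, and the process names are illustrative, not indicators from the campaign.

```powershell
# Added example: read-only host triage covering Steps 2-4, scheduled tasks and outbound connections.
# Run from an elevated PowerShell. Nothing is killed or deleted; review the output, then act.
# Path patterns and process names are illustrative choices, not IoCs from the report.

# User-writable locations the manual steps tell you to inspect, plus the ClickOnce cache.
$SuspectPaths = '\\AppData\\(Local|Roaming)\\', '\\ProgramData\\', '\\Windows\\Temp\\', '\\Apps\\2\.0\\'

function Test-SuspectPath {
    param([string]$Path)
    foreach ($p in $SuspectPaths) { if ($Path -match $p) { return $true } }
    return $false
}

# --- Step 2: processes. Flag children of dfsvc.exe and anything executing from a suspect path.
$procs = Get-CimInstance Win32_Process
$byPid = @{}
foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }
$procFindings = foreach ($p in $procs) {
    $parent = $byPid[[int]$p.ParentProcessId]
    $why = @()
    if ($parent -and $parent.Name -eq 'dfsvc.exe') { $why += 'child of dfsvc.exe (ClickOnce host)' }
    if ($p.ExecutablePath -and (Test-SuspectPath $p.ExecutablePath)) { $why += 'runs from user-writable/ClickOnce path' }
    if ($why.Count -gt 0) {
        [pscustomobject]@{ Check = 'Process'; Item = "$($p.Name) (PID $($p.ProcessId))"; Detail = $p.CommandLine; Why = ($why -join '; ') }
    }
}

# --- Step 4: Run / RunOnce keys. Report any autorun whose command points into a suspect path.
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
$regFindings = foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($prop in $props.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }   # provider metadata (PSPath, PSParentPath, ...)
        if (Test-SuspectPath ([string]$prop.Value)) {
            [pscustomobject]@{ Check = 'Run key'; Item = "$key\$($prop.Name)"; Detail = $prop.Value; Why = 'autorun command in user-writable path' }
        }
    }
}

# --- Scheduled-task persistence (named in the behavioral profile, not covered by the manual steps).
$taskFindings = foreach ($t in Get-ScheduledTask -ErrorAction SilentlyContinue) {
    foreach ($a in $t.Actions) {
        $cmd = "$($a.Execute) $($a.Arguments)"
        if (Test-SuspectPath $cmd) {
            [pscustomobject]@{ Check = 'Scheduled task'; Item = "$($t.TaskPath)$($t.TaskName)"; Detail = $cmd; Why = 'task action in user-writable path' }
        }
    }
}

# --- Outbound network behaviour: established connections owned by a process in a suspect path.
$netFindings = foreach ($c in Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue) {
    $owner = $byPid[[int]$c.OwningProcess]
    if ($owner -and $owner.ExecutablePath -and (Test-SuspectPath $owner.ExecutablePath)) {
        [pscustomobject]@{ Check = 'Network'; Item = "$($owner.Name) (PID $($c.OwningProcess))"; Detail = "$($c.LocalAddress):$($c.LocalPort) -> $($c.RemoteAddress):$($c.RemotePort)"; Why = 'outbound connection from user-writable path' }
    }
}

$report = @($procFindings) + @($regFindings) + @($taskFindings) + @($netFindings)
if ($report.Count -eq 0) { 'No findings; review manually if compromise is still suspected.' }
else { $report | Format-Table -AutoSize -Wrap }
```

Save the output before remediating: the process list, Run-key values and connection endpoints are exactly the artifacts an incident response team needs when, as the conclusion advises, they assume the compromise extends beyond this one host. Legitimate software does install into AppData (Teams, Chrome updaters and many ClickOnce line-of-business apps), so treat each row as a lead to confirm, not a verdict.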
Remove Backdoor Malware with SpyHunter (Recommended)
SpyHunter is a powerful anti-malware tool that can detect and remove backdoor malware without requiring technical expertise.
Step 1: Download SpyHunter
- Go to the official SpyHunter download page: Download SpyHunter
- Click the Download Now button.
Step 2: Install SpyHunter
- Locate the downloaded SpyHunter-Installer.exe file and double-click it.
- Follow the on-screen instructions to complete the installation.
- Launch SpyHunter after installation.
Step 3: Perform a Full System Scan
- Click Start Scan Now.
- SpyHunter will scan your system for backdoor malware and other threats.
- Once the scan is complete, review the detected threats.
Step 4: Remove Detected Malware
- Click Fix Threats to remove all detected malware.
- If prompted, restart your computer to complete the removal process.
Step 5: Enable SpyHunter's Real-Time Protection
To prevent future infections:
- Open SpyHunter and go to Settings.
- Enable Real-Time Malware Protection.
- Keep SpyHunter updated to stay protected against the latest threats.
How to Prevent Backdoor Malware Infections
To keep your system safe, follow these security best practices:
- Avoid downloading cracked software – Many backdoors hide in illegal downloads.
- Keep Windows and software updated – Install security patches regularly.
- Use strong passwords – Prevent unauthorized remote access.
- Enable two-factor authentication (2FA) – Adds an extra security layer.
- Scan email attachments before opening – Phishing emails often carry malware.
- Use a firewall – Block unauthorized network connections.
Conclusion
OneClik malware demonstrates how attackers can exploit trusted software channels to infiltrate high-value targets. RunnerBeacon’s stealth, modularity, and persistence make it one of the more dangerous threats seen in recent months, especially in industrial environments.
Early detection is critical. Disabling ClickOnce where unnecessary, enforcing strict application allowlisting, and inspecting outbound network behavior can help prevent infection. If a breach is suspected, incident response teams should assume domain-wide compromise.
Relying on signature-based antivirus alone isn’t enough. Behavioral monitoring, EDR platforms, and forensic triage are essential to detect and remove threats like RunnerBeacon.