EPOINT-AES: Detection Engineering Notes for North Korean APT DLL Loader

Introduction

This detection engineering brief is based on the analysis of an advanced North Korean APT multi-stage malware framework (EPOINT-AES) documented in my previous blog. The malware represents a sophisticated attack chain incorporating AES-encrypted payloads, Donut-generated shellcode, AMSI bypass techniques, and memory-only execution patterns. The framework is designed for covert operations with multiple evasion techniques at each stage.

This brief specifically focuses on detection strategies using Sysmon logs only, without making assumptions about additional security tools or environment configurations. The goal is to provide actionable detection guidance for security teams facing similar threats.

Note on Naming: The “EPOINT-AES” name derives from two key technical characteristics of the malware: 1) The use of “EPoint” as the export function name in the DLL loader, and 2) The implementation of AES encryption to protect its shellcode payload. This naming convention reflects actual code elements rather than an arbitrary designation.

Overview

This brief outlines detection strategies for the multi-stage DLL Loader malware framework using Sysmon logs only. The detection approach focuses on observable behaviors and indicators without making assumptions about the environment or additional tools.

Relevant Sysmon Event IDs

Event ID 1: Process Creation

  • Monitor for rundll32.exe execution patterns with suspicious arguments
  • Look for DLL loading with explicit entry point parameters (e.g., rundll32.exe loader.dll,EPoint)
  • Capture command line arguments that may contain encryption keys

Event ID 3: Network Connections

  • Detect outbound connections from unexpected processes (PowerShell runspaces, rundll32)
  • Focus on connections to port 443 that aren’t using standard TLS/HTTPS (raw TCP)
  • Monitor for data exfiltration patterns (large outbound transfers)

Event ID 7: Image (DLL) Loaded

  • Track DLLs loaded by rundll32.exe, especially newly observed ones
  • Identify DLLs with unusual export names like “EPoint”
  • Correlate with processes that don’t typically load custom DLLs

Event ID 8: CreateRemoteThread

  • Detect when rundll32.exe or other processes create threads in other processes
  • Look for memory allocation and execution patterns typical of shellcode injection

Event ID 10: Process Access

  • Monitor for suspicious process access patterns, especially targeting protected processes
  • Look for memory read/write operations from rundll32.exe to other processes

Event ID 11: File Creation

  • Identify any temporary files created during the infection chain
  • May be limited since this malware operates primarily in-memory

Event ID 22: DNS Queries

  • Monitor DNS queries to suspicious or newly observed domains
  • May provide early warning of C2 communication attempts

Detection Strings and Patterns

Process Command Lines

rundll32.exe *loader*.dll,EPoint*

rundll32.exe *.dll,EPoint *

Process Access and Memory Patterns

  • Monitor for suspicious process access patterns (Event ID 10)
  • Look for CreateRemoteThread operations (Event ID 8)
  • Watch for rundll32.exe accessing other processes with unusual access masks

DLL Export Names

  • Focus on suspicious export names like “EPoint”
  • Non-standard export names that don’t follow typical naming conventions

Network Indicators

  • TCP connections to port 443 from rundll32.exe that aren’t HTTPS
  • PowerShell-related processes establishing outbound connections
  • Detect potential variable name patterns (Linkin Park band members) in PowerShell memory

AMSI Bypass Indicators

  • Look for memory modifications to amsi.dll
  • Detect access to AMSI-related registry keys or API calls
  • Monitor for AmsiScanBuffer or similar API failures

Process Relationships

  • rundll32.exe spawning PowerShell-related processes
  • Unexpected child processes of rundll32.exe
  • .NET runtime loading in unusual process contexts

Analytic Approach

  1. Establish Baseline:
     • Document normal rundll32.exe usage in your environment
     • Identify legitimate DLL exports commonly used
  2. Correlation Strategy:
     • Chain Event ID 1 (process creation) with Event ID 7 (DLL loaded)
     • Link Event ID 3 (network connections) with unexpected processes
     • Correlate process access events (ID 10) and remote thread creation (ID 8) with network activity
  3. Prioritization:
     • Focus on rundll32.exe behaviors first
     • Monitor for PowerShell execution without powershell.exe
     • Watch for .NET activity in unexpected processes
  4. Hunt Strategy:
     • Search for rundll32.exe with unusual command line arguments
     • Look for DLLs with single, simple export names
     • Identify memory allocations with execute permissions
     • Monitor for non-browser processes connecting to port 443
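The command-line patterns from Detection Strings and Patterns and the Event ID 1/7/3 correlation strategy above, worked through in Python as an added example (not code from the original post). The field names (ProcessGuid, Image, CommandLine, ImageLoaded, Protocol, DestinationPort) are Sysmon's own; the browser allow-list, the rundll32 scoring rule and the sample records are constructed assumptions.

```python
import re
from collections import defaultdict

# The brief's command-line patterns in Sysmon-style '*' wildcard form, compiled unanchored
# and case-insensitive so the full image path recorded before "rundll32.exe" still matches.
CMDLINE_PATTERNS = ["rundll32.exe *loader*.dll,EPoint*", "rundll32.exe *.dll,EPoint *"]
CMDLINE_REGEXES = [re.compile(re.escape(p).replace(r"\*", ".*"), re.I) for p in CMDLINE_PATTERNS]
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe"}  # assumed baseline for tcp/443

def cmdline_matches(cmdline):
    return any(rx.search(cmdline) for rx in CMDLINE_REGEXES)

def image_name(path):
    return path.rsplit("\\", 1)[-1].lower()

def correlate(events):
    """Chain Event ID 1 -> 7 -> 3 per ProcessGuid; return {guid: [reasons]} for hits."""
    procs = defaultdict(lambda: {"image": "", "hit": False, "reasons": []})
    for ev in events:
        p, eid = procs[ev["ProcessGuid"]], ev["EventID"]
        if eid == 1:
            p["image"], p["hit"] = image_name(ev["Image"]), cmdline_matches(ev["CommandLine"])
            if p["hit"]:
                p["reasons"].append("EID1: rundll32 command line names EPoint export")
        elif eid == 7 and not ev["ImageLoaded"].lower().startswith("c:\\windows\\"):
            p["reasons"].append("EID7: non-system DLL " + image_name(ev["ImageLoaded"]))
        elif eid == 3 and ev["Protocol"] == "tcp" and ev["DestinationPort"] == 443:
            p["reasons"].append("EID3: outbound tcp/443")
    findings = {}
    for guid, p in procs.items():
        if p["image"] in BROWSERS:  # browsers on tcp/443 are baseline, not a signal
            p["reasons"] = [r for r in p["reasons"] if not r.startswith("EID3")]
        # A command-line hit alone is high confidence; otherwise need two chained signals.
        if p["hit"] or (p["image"] == "rundll32.exe" and len(p["reasons"]) >= 2):
            findings[guid] = p["reasons"]
    return findings

# Constructed Sysmon-like records (not real telemetry): an EPoint loader chain (A),
# a benign rundll32 use (B) and a browser making an ordinary HTTPS connection (C).
S32 = "C:\\Windows\\System32\\"
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessGuid": "A", "Image": S32 + "rundll32.exe",
     "CommandLine": S32 + "rundll32.exe C:\\Users\\Public\\loader.dll,EPoint k3y"},
    {"EventID": 7, "ProcessGuid": "A", "ImageLoaded": "C:\\Users\\Public\\loader.dll"},
    {"EventID": 3, "ProcessGuid": "A", "Protocol": "tcp", "DestinationPort": 443},
    {"EventID": 1, "ProcessGuid": "B", "Image": S32 + "rundll32.exe", "CommandLine": S32 + "rundll32.exe shell32.dll,Control_RunDLL"},
    {"EventID": 7, "ProcessGuid": "B", "ImageLoaded": S32 + "shell32.dll"},
    {"EventID": 1, "ProcessGuid": "C", "Image": "C:\\Program Files\\Chrome\\chrome.exe", "CommandLine": "chrome.exe"},
    {"EventID": 3, "ProcessGuid": "C", "Protocol": "tcp", "DestinationPort": 443},
]
```

Note that the second pattern as written requires a space after EPoint, so a bare `x.dll,EPoint` with no trailing argument only trips the first pattern when the DLL name contains "loader"; the chained EID 7/EID 3 signals are what catch that case.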