
EPOINT-AES: North Korean APT Multi-Stage DLL Loader Framework


Introduction

This analysis documents a sophisticated multi-stage malware framework discovered during an investigation into North Korean Advanced Persistent Threat (APT) activities. The framework was identified as part of a broader campaign targeting critical infrastructure and high-value intelligence targets.

The technical assessment in this document results from reverse engineering efforts performed on malware samples recovered from compromised systems. The framework represents a significant evolution in North Korean cyber capabilities, demonstrating advanced knowledge of Windows internals, anti-analysis techniques, and memory-resident operations.

This analysis attributes the framework with high confidence to North Korean state-sponsored actors, based on code similarities, operational patterns, and tactical overlaps with previously documented campaigns. The techniques documented here align with the persistent focus on evasion and operational security typical of this threat actor.

The recovered toolkit consists of the artifacts described below: a multi-stage attack chain in which each stage carries its own evasion technique against security controls.

Note on Naming: This malware framework has been named “EPOINT-AES” based on two of its key technical characteristics: 1) The use of “EPoint” as the export function name in the DLL loader, and 2) The implementation of AES encryption to protect the shellcode payload. This naming convention connects directly to observable elements within the code rather than using an arbitrary codename.

Framework Components & Attack Chain

  1. AES-Encrypted DLL Loader
  • Uses a DLL as the initial payload, executed via rundll32
  • Encrypts the shellcode payload with AES, with the key either embedded in the DLL or supplied at runtime
  • Employs anti-analysis techniques such as string obfuscation and runtime API resolution
  2. Donut-Generated Shellcode
  • Uses Donut to convert .NET executables into position-independent shellcode
  • The Donut output is a CLR-hosting loader rather than a classic stager, so it lacks the byte patterns that signatures for conventional shellcode match on
  • Includes Donut's built-in AMSI/WLDP/ETW bypass options
  3. C# AMSI Bypass Loader
  • Patches AMSI (Antimalware Scan Interface) via .NET reflection
  • Downloads a PowerShell script from an attacker-controlled server
  • Executes the PowerShell script in memory, without writing it to disk
  4. PowerShell Reverse Shell
  • Establishes a TCP connection to the attacker's machine
  • Creates an interactive PowerShell session
  • Uses variable name obfuscation (Linkin Park band member names) to avoid signatures keyed on the usual reverse-shell variable names
  • Implements command execution and output redirection

Key Evasion Techniques

  1. Multi-Layer Encryption and Encoding
  • AES encryption of the shellcode
  • Base64 encoding of strings in the C# code (encoding, not encryption: it is reversible without a key and only defeats literal string matches)
  • String obfuscation in the C++ code via character shifting
  2. Memory-Only Execution
  • No second-stage payload is written to disk (the initial DLL itself must be on disk for rundll32 to load it)
  • In-memory decryption and execution
  • PowerShell script loaded directly into memory
  3. Anti-Analysis Features
  • AMSI bypass to prevent scanning of the PowerShell script
  • Dynamic API resolution to keep the import table free of telling entries
  • String obfuscation to bypass signature detection
  • Binary patching to modify strings in the compiled DLL
  4. Legitimate Execution Paths
  • Uses rundll32.exe (a legitimate Windows binary)
  • Leverages .NET reflection (a legitimate programming technique)
  • PowerShell runspace execution instead of a separate, conspicuous PowerShell.exe process (the engine assembly System.Management.Automation still has to load into the host process, and script block logging applies to the engine wherever it is hosted)

Technical Details

ShellcodeEncrypt2Dll.py

  • Takes raw shellcode and encrypts it with AES
  • Embeds the encrypted shellcode into a C++ template
  • Compiles the result into a DLL using MinGW
  • Supports two modes:
    • Standalone: the key is embedded in the DLL, so the payload can be recovered from the sample alone
    • Non-standalone: the key is supplied at runtime on the rundll32 command line, so the sample alone does not yield the payload
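The following is an added example, not the toolkit's own ShellcodeEncrypt2Dll.py, showing what the two build modes mean for an analyst who holds only the DLL. AES-128 is implemented from FIPS-197 with the standard library alone so the example runs anywhere; CTR mode, the 8-byte nonce, the blob layout and the sample key and payload are assumptions made here, since the page does not describe the tool's cipher mode or key handling.

```python
"""Added example, not the toolkit's ShellcodeEncrypt2Dll.py: what the two build modes mean
for an analyst holding only the DLL. AES-128 is implemented from FIPS-197 with the standard
library alone; CTR mode, the 8-byte nonce and the blob layout are assumptions, since the
page does not describe the tool's mode or key handling."""
import os


def _rotl8(v, n):
    return ((v << n) | (v >> (8 - n))) & 0xFF


def _sbox():
    """Generate the AES S-box from its GF(2^8) inverse plus affine map (FIPS-197 5.1.1)."""
    s = [0] * 256
    p = q = 1
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF   # p *= 3 (a generator)
        q ^= (q << 1) & 0xFF                                      # q /= 3
        q ^= (q << 2) & 0xFF
        q ^= (q << 4) & 0xFF
        if q & 0x80:
            q ^= 0x09
        s[p] = q ^ _rotl8(q, 1) ^ _rotl8(q, 2) ^ _rotl8(q, 3) ^ _rotl8(q, 4) ^ 0x63
        if p == 1:
            break
    s[0] = 0x63
    return s


SBOX = _sbox()


def _xtime(a):
    """Multiplication by x (0x02) in GF(2^8)."""
    a <<= 1
    return (a ^ 0x1B) & 0xFF if a & 0x100 else a


def _expand_key(key):
    """AES-128 key schedule: 16-byte key -> 11 round keys of 16 bytes, column-major."""
    w = [list(key[i:i + 4]) for i in range(0, 16, 4)]
    rcon = 1
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]   # RotWord, SubWord
            t[0] ^= rcon
            rcon = _xtime(rcon)
        w.append([a ^ b for a, b in zip(w[i - 4], t)])
    return [bytes(sum(w[r * 4:r * 4 + 4], [])) for r in range(11)]


def aes128_block(rk, block):
    """Encrypt one 16-byte block with expanded keys rk; state index = 4*column + row."""
    s = [b ^ k for b, k in zip(block, rk[0])]
    for rnd in range(1, 11):
        s = [SBOX[b] for b in s]                                              # SubBytes
        s = [s[((c + r) % 4) * 4 + r] for c in range(4) for r in range(4)]   # ShiftRows
        if rnd < 10:                                                          # MixColumns
            m = []
            for c in range(4):
                a0, a1, a2, a3 = s[c * 4:c * 4 + 4]
                t = a0 ^ a1 ^ a2 ^ a3
                m += [a0 ^ t ^ _xtime(a0 ^ a1), a1 ^ t ^ _xtime(a1 ^ a2),
                      a2 ^ t ^ _xtime(a2 ^ a3), a3 ^ t ^ _xtime(a3 ^ a0)]
            s = m
        s = [b ^ k for b, k in zip(s, rk[rnd])]                               # AddRoundKey
    return bytes(s)


def aes128_ctr(key, nonce, data):
    """AES-128-CTR with block = nonce(8) || 64-bit big-endian counter; encrypt == decrypt."""
    rk = _expand_key(key)
    out = bytearray()
    for i in range(0, len(data), 16):
        ks = aes128_block(rk, nonce + (i // 16).to_bytes(8, "big"))
        out += bytes(a ^ b for a, b in zip(data[i:i + 16], ks))
    return bytes(out)


def build_blob(shellcode, key, standalone):
    """Build-time side. Standalone stores the key next to the ciphertext (so it ends up in
    the DLL); non-standalone omits it and expects 'rundll32 loader.dll,EPoint <key>'."""
    nonce = os.urandom(8)
    return {"nonce": nonce, "ciphertext": aes128_ctr(key, nonce, shellcode),
            "embedded_key": key if standalone else None}


def recover_payload(blob, runtime_key=None):
    """Analyst side: decrypt from the artifact alone whenever it carries its own key."""
    key = blob["embedded_key"] if blob["embedded_key"] is not None else runtime_key
    if key is None:
        return None   # non-standalone sample without the operator's key stays opaque
    return aes128_ctr(key, blob["nonce"], blob["ciphertext"])


def c_array(name, data):
    """Render bytes as the C initializer a template-based loader embeds."""
    return f"unsigned char {name}[{len(data)}] = {{ {', '.join(f'0x{b:02x}' for b in data)} }};"


KEY = b"0123456789abcdef"                                       # constructed 128-bit key
SHELLCODE = b"\x90" * 4 + b"constructed stand-in, not real shellcode" * 3
```

The point for triage: in standalone mode the AES layer only defeats static signatures on the shellcode bytes, because `recover_payload` gets everything it needs from the DLL, so the embedded Donut blob (and the .NET assembly inside it) can be carved and hashed from the sample. A non-standalone build behaves as a guardrail: without the key from the rundll32 command line (process creation telemetry is where to look for it) the payload stays opaque to sandbox and static analysis alike.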

template.cpp

  • Implements the DLL loader with export function “EPoint”
  • Dynamically resolves Windows APIs to avoid import table detection
  • Decrypts the embedded shellcode using AES
  • Allocates executable memory and executes the shellcode
  • Uses string obfuscation via character shifting
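The character-shift obfuscation described here (and listed above under Key Evasion Techniques) hides API names from a plain `strings` pass, but a constant shift preserves the differences between consecutive bytes. The following added example, not code from template.cpp, shows both sides: the build-time shift and runtime unshift the loader needs, and an analyst's scanner that recovers shifted API names from a binary blob in one pass without knowing the shift value. The shift constants and the sample blob are constructed for the illustration.

```python
"""Added example, not the page's template.cpp: character-shift string obfuscation and a
shift-invariant scanner that recovers the hidden API names. Shifts and blob are constructed."""

API_NAMES = [b"VirtualAlloc", b"VirtualProtect", b"CreateThread",
             b"GetProcAddress", b"LoadLibraryA"]


def shift_obfuscate(s: bytes, shift: int) -> bytes:
    """Build-time side: add a constant to every byte (mod 256)."""
    return bytes((b + shift) & 0xFF for b in s)


def shift_deobfuscate(s: bytes, shift: int) -> bytes:
    """Runtime side: subtract the same constant before the name reaches GetProcAddress."""
    return bytes((b - shift) & 0xFF for b in s)


def _deltas(s: bytes) -> bytes:
    """Consecutive byte differences mod 256; identical for a string and any shifted copy,
    because (x[i+1]+k) - (x[i]+k) == x[i+1] - x[i] (mod 256)."""
    return bytes((s[i + 1] - s[i]) & 0xFF for i in range(len(s) - 1))


def find_shifted_strings(blob: bytes, names=API_NAMES):
    """Find every constant-shift variant of each name in one search per name.

    Matching on the difference stream covers all 256 shifts at once; the shift in use is
    then read off the first byte. Returns (name, shift, offset) sorted by offset."""
    blob_d = _deltas(blob)
    hits = []
    for name in names:
        if len(name) < 4:                 # too short to give a meaningful difference pattern
            continue
        pat = _deltas(name)
        pos = blob_d.find(pat)
        while pos != -1:
            shift = (blob[pos] - name[0]) & 0xFF
            hits.append((name.decode(), shift, pos))
            pos = blob_d.find(pat, pos + 1)
    return sorted(hits, key=lambda h: h[2])


# Constructed blob standing in for a loader's data: NOP-like padding (zero deltas, so no
# false matches) around two shifted names and one left in the clear.
FILLER = b"\x90" * 32
SAMPLE_BLOB = (FILLER + shift_obfuscate(b"VirtualAlloc", 0x21) + FILLER
               + shift_obfuscate(b"GetProcAddress", 0xF3) + FILLER
               + b"LoadLibraryA" + FILLER)
```

`find_shifted_strings(SAMPLE_BLOB)` reports VirtualAlloc at offset 32 with shift 0x21, GetProcAddress at 76 with shift 0xF3, and LoadLibraryA at 122 with shift 0, even though `b"VirtualAlloc" in SAMPLE_BLOB` is false. The same difference patterns can be expressed as a YARA or Python-based sweep across a sample set; per-byte XOR obfuscation would need a different trick, since XOR does not preserve differences.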

Loader.cs

  • C# code that gets converted to shellcode via Donut
  • Patches AMSI using .NET reflection to bypass security scanning
  • Downloads a PowerShell script from a hardcoded IP address
  • Executes the PowerShell script in memory using Runspace

shell.ps1

  • PowerShell reverse shell implementation
  • Creates a TCP connection to the attacker's host at 192.168.1.94:443 (an RFC 1918 private address, so this build only reaches an attacker already on the same internal network; the address is a build-time constant and is a weak indicator on its own)
  • Uses variable name obfuscation (Linkin Park band member names)
  • Provides interactive command execution with working directory display

patch.py

  • Additional evasion step that modifies strings in the compiled DLL after the build
  • Replaces "Virtual" with "Blahbla" in the .rdata section (both are 7 bytes, so no offsets within the section move)
  • Used to bypass signature-based detection; the resulting Blahbla-prefixed strings are themselves a usable indicator for the patched family
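A section-aware version of that post-build patch, written here as an added example rather than the page's patch.py, makes two practitioner points explicit: the replacement must keep the string length (the loader's string table is not relocated), and confining the edit to the raw bytes of .rdata keeps code and other sections untouched. It runs against a small PE32+ skeleton constructed in memory for the demonstration, not a real loader, and `section_strings` shows what a strings/YARA pass sees afterwards.

```python
"""Added example, not the page's patch.py: a section-aware string patch run against a
synthetic PE built in memory (constructed here, not a real loader)."""
import struct

_COFF = "<HHIIIHH"          # Machine, NumberOfSections, TimeDateStamp, SymTab ptr, NumSyms, SizeOfOptionalHeader, Characteristics
_SECTION = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER (40 bytes)


def sections(pe: bytes):
    """Yield (name, raw_offset, raw_size) for every section header in the image."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    _, nsect, _, _, _, opt_size, _ = struct.unpack_from(_COFF, pe, e_lfanew + 4)
    off = e_lfanew + 4 + struct.calcsize(_COFF) + opt_size
    for i in range(nsect):
        name, _vs, _va, raw_size, raw_off, *_ = struct.unpack_from(
            _SECTION, pe, off + i * struct.calcsize(_SECTION))
        yield name.rstrip(b"\0").decode(), raw_off, raw_size


def patch_section_strings(pe: bytes, section: str, old: bytes, new: bytes):
    """Replace old -> new inside one section's raw data only. Returns (patched, count)."""
    if len(old) != len(new):
        raise ValueError("replacement must keep the length; nothing relocates the strings")
    buf = bytearray(pe)
    count = 0
    for name, raw_off, raw_size in sections(pe):
        if name == section:
            region = bytes(buf[raw_off:raw_off + raw_size])
            count += region.count(old)
            buf[raw_off:raw_off + raw_size] = region.replace(old, new)
    return bytes(buf), count


def section_strings(pe: bytes, section: str, min_len: int = 6):
    """Printable ASCII runs in one section: the view a strings or YARA pass gets."""
    out, run = [], bytearray()
    for name, raw_off, raw_size in sections(pe):
        if name != section:
            continue
        for b in pe[raw_off:raw_off + raw_size] + b"\0":   # trailing NUL flushes the last run
            if 0x20 <= b < 0x7F:
                run.append(b)
            else:
                if len(run) >= min_len:
                    out.append(run.decode())
                run = bytearray()
    return out


def build_synthetic_pe() -> bytes:
    """Minimal PE32+ skeleton with .text and .rdata raw data, constructed for this example.
    The same API name sits in both sections to show the patch touches only .rdata."""
    text = (b"\xcc" * 16 + b"VirtualAlloc\0").ljust(0x200, b"\xcc")
    rdata = b"VirtualAlloc\0VirtualProtect\0EPoint\0".ljust(0x200, b"\0")
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)              # e_lfanew at 0x3C
    opt = struct.pack("<H", 0x20B).ljust(240, b"\0")                 # PE32+ magic, rest zero
    coff = struct.pack(_COFF, 0x8664, 2, 0, 0, 0, len(opt), 0x2022)
    sect = struct.pack(_SECTION, b".text", len(text), 0x1000, len(text), 0x200, 0, 0, 0, 0, 0x60000020)
    sect += struct.pack(_SECTION, b".rdata", len(rdata), 0x2000, len(rdata), 0x400, 0, 0, 0, 0, 0x40000040)
    headers = (dos + b"PE\0\0" + coff + opt + sect).ljust(0x200, b"\0")
    return headers + text + rdata
```

After `patch_section_strings(build_synthetic_pe(), ".rdata", b"Virtual", b"Blahbla")`, the .rdata string list reads BlahblaAlloc, BlahblaProtect, EPoint while the copy in .text is unchanged. That rewritten prefix is the detection opportunity the technique creates: a sample whose read-only data holds Blahbla-prefixed names (or, more generally, known API suffixes such as Alloc and Protect with an unknown prefix) is more distinctive than one that simply names VirtualAlloc.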

Operational Usage

The toolkit is designed for a multi-stage attack:

  1. The attacker delivers the DLL to the target system
  2. The DLL is executed via rundll32: rundll32 loader.dll,EPoint [key] (the key argument is present only for non-standalone builds)
  3. The DLL decrypts and executes the embedded Donut shellcode
  4. The shellcode runs the C# loader which patches AMSI
  5. The C# code downloads and executes the PowerShell script
  6. The PowerShell script establishes a reverse shell to the attacker
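Seen from the endpoint, steps 2 through 6 leave a small set of observables in one process: rundll32.exe started with a `<dll>,<export>` command line, the CLR and then the PowerShell engine assembly loading into that unmanaged process (the Donut stage and the runspace respectively), and an outbound TCP connection from it. The following added example, not part of the original page, correlates those observables over constructed Sysmon-style records (Event IDs 1, 3 and 7; not captured data). Field names follow Sysmon's schema; the GUIDs, paths and the benign decoys are assumptions made for the illustration.

```python
"""Added example, not from the page: correlating the host telemetry the chain leaves behind.
SAMPLE_EVENTS are constructed Sysmon-style records (Event IDs 1, 3, 7), not captured data.
Event 7 (image load) is not collected by Sysmon's default configuration; a real deployment
must enable it at least for rundll32.exe."""
from collections import defaultdict

RUNDLL32 = "c:\\windows\\system32\\rundll32.exe"
CLR_IMAGES = ("\\clr.dll", "\\mscoree.dll", "\\mscoreei.dll")   # CLR hosted in an unmanaged process
PS_ENGINE = "\\system.management.automation"                     # PowerShell engine, no powershell.exe


def classify(ev):
    """Map one event to the chain step it evidences, as (step, reason), or None."""
    if ev["EventID"] == 1 and "," in ev.get("CommandLine", ""):
        return "export", "rundll32 <dll>,<export> call: " + ev["CommandLine"]
    if ev["EventID"] == 7:
        img = ev["ImageLoaded"].lower()
        if img.endswith(CLR_IMAGES):
            return "clr", "CLR loaded: " + ev["ImageLoaded"]
        if PS_ENGINE in img:
            return "psengine", "PowerShell engine loaded: " + ev["ImageLoaded"]
    if ev["EventID"] == 3:
        return "network", f"outbound {ev['DestinationIp']}:{ev['DestinationPort']}"
    return None


def correlate(events):
    """Group by ProcessGuid; flag rundll32 processes that host managed code (CLR or the
    PowerShell engine) and also open an outbound connection. Returns {guid: [reasons]}."""
    procs = defaultdict(lambda: {"image": "", "steps": {}})
    for ev in events:
        p = procs[ev["ProcessGuid"]]
        if ev["EventID"] == 1:
            p["image"] = ev["Image"].lower()
        hit = classify(ev)
        if hit:
            p["steps"].setdefault(hit[0], hit[1])     # first reason per step is enough
    alerts = {}
    for guid, p in procs.items():
        steps = p["steps"]
        if p["image"] == RUNDLL32 and "network" in steps and ({"clr", "psengine"} & steps.keys()):
            alerts[guid] = list(steps.values())
    return alerts


SYS32 = "C:\\Windows\\System32\\"
CLR = "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\clr.dll"
SAMPLE_EVENTS = [   # constructed records, not captured telemetry
    {"EventID": 1, "ProcessGuid": "{A}", "Image": SYS32 + "rundll32.exe",
     "CommandLine": "rundll32 loader.dll,EPoint 0123456789abcdef0123456789abcdef"},
    {"EventID": 7, "ProcessGuid": "{A}", "ImageLoaded": CLR},
    {"EventID": 7, "ProcessGuid": "{A}",
     "ImageLoaded": "C:\\Windows\\Microsoft.NET\\assembly\\GAC_MSIL\\System.Management.Automation"
                    "\\v4.0_3.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll"},
    {"EventID": 3, "ProcessGuid": "{A}", "DestinationIp": "192.168.1.94", "DestinationPort": 443},
    # benign rundll32 use: Control Panel applet, native code only, no network
    {"EventID": 1, "ProcessGuid": "{B}", "Image": SYS32 + "rundll32.exe",
     "CommandLine": "rundll32.exe shell32.dll,Control_RunDLL desk.cpl"},
    {"EventID": 7, "ProcessGuid": "{B}", "ImageLoaded": SYS32 + "desk.cpl"},
    # a managed application that talks out: hosts the CLR, but is not rundll32
    {"EventID": 1, "ProcessGuid": "{C}", "Image": "C:\\Program Files\\ExampleApp\\app.exe",
     "CommandLine": "app.exe"},
    {"EventID": 7, "ProcessGuid": "{C}", "ImageLoaded": CLR},
    {"EventID": 3, "ProcessGuid": "{C}", "DestinationIp": "10.0.0.5", "DestinationPort": 443},
]
```

`correlate(SAMPLE_EVENTS)` flags only process {A}, with four reasons; the Control Panel launch and the ordinary .NET application stay quiet. The export name EPoint and the address 192.168.1.94 are operator-chosen constants and should not carry the rule: the durable signal is the CLR or PowerShell engine appearing inside rundll32.exe together with an outbound connection. One further source worth wiring in: because PowerShell script block logging (event 4104) is produced by the engine itself, the runspace trick does not avoid it, and the reverse shell's script body is logged from inside rundll32.exe once the engine runs it, AMSI patch or not.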

The chain applies a distinct evasion technique at each stage (an encrypted, string-obfuscated loader; CLR-hosting shellcode; an AMSI patch; an in-process runspace) and is built to get past signature-based and script-scanning controls, including Windows Defender.
