NOPLE belongs to the patch family that modifies the dnsapi.dll file, a module that assists the DNS client service in the Windows operating system. This malware create new HOSTS file that contains both the original HOSTS file values as well as additional prepended hostnames and IP addresses.
The malware will then patch dnsapi.dll file to point it to the newly created HOSTS file. Successively, the dnsapi.dll will refer to the new HOSTS file when attempting to map hostnames to IP addresses.
For further information on PTCH_NOPLE variants that Trend Micro already detects, click here.
Click image to enlarge.
VSAPI Pattern (Malicious File Detection)
| LAYER | DETECTION | PATTERN BRANCH | Release Date |
|---|---|---|---|
| DYNAMIC | PTCH64_NOPLE.SM | ENT 12.283 | 01/19/2016 |
| DYNAMIC | PTCH_NOPLE.D | ENT 12.275 | 01/15/2016 |
| INFECTION | TROJ_NOPLE.SM | ENT 12.145 | 11/11/2015 |
| DYNAMIC | PTCH64_NOPLE.A | ENT 12.123 | 10/31/2015 |
| DYNAMIC | PTCH_NOPLE.SM | ENT12.115 | 10/27/2015 |
| DYNAMIC | PTCH_NOPLE.B | ENT 11.991 | 10/19/2015 |
| DYNAMIC | PTCH_NOPLE.C | ENT 11.991 | 10/19/2015 |
WRS Pattern (Malicious URL and Classification)
| LAYER | Detection | Classification | Release Date |
|---|---|---|---|
| EXPOSURE | d2jyemxz9do7ad.cloudfront{blocked}.net/shopperz_5/update.exe | Disease Vector | 02/18/2016 |
| EXPOSURE | dlnembnfbcpjnepmfjmngjenhhajpdfd{blocked}.s3.amazonaws.com/11/version.txt | Disease Vector | 02/18/2016 |
| EXPOSURE | dlnembnfbcpjnepmfjmngjenhhajpdfd{blocked}.s3.amazonaws.com/12/version.txt | Disease Vector | 02/18/2016 |
| EXPOSURE | dlnembnfbcpjnepmfjmngjenhhajpdfd{blocked}.s3.amazonaws.com/4/version.txt | Disease Vector | 02/18/2016 |
AEGIS Pattern (Behavior Monitoring Pattern)
| LAYER | Detection | Pattern Version | Release Date |
|---|---|---|---|
| DYNAMIC | 1923T (terminate) | TMTD OPR 1537 | 04/26/2016 |
| DYNAMIC | 1923F (feedback) | TMTD OPR 1529 | 04/05/2016 |
DCT Pattern (System Clean Pattern)
| LAYER | Detection | Pattern Version | Released Date |
|---|---|---|---|
| CLEAN-UP | PTCH_NOPLE | DCT OPR 1498 | 03/23/2016 |
| CLEAN-UP | PTCH64_NOPLE | DCT OPR 1498 | 03/23/2016 |
Solution Map - What should customers do?
| Major Products | Versions | Virus Pattern | Behavior Monitoring | Web Reputation | DCT Pattern | Antispam Pattern | Network Pattern |
|---|---|---|---|---|---|---|---|
| OfficeScan | 10.6 and above | Update Pattern via web console | Update Pattern via web console | Enable Web Reputation Service* | Update Pattern via Web console | Not Applicable | Update Pattern via Web console |
| Worry Free Business Suite | Standard | Not Applicable | |||||
| Advanced/MSA | Update Pattern via web console | ||||||
| Services | Not Applicable | ||||||
| Hosted | Not Applicable | Not Applicable | Update Pattern via web console | ||||
| Deep Security | 8.0 and above | Update Pattern via Web console | Not Applicable | Update Pattern via Web console | |||
| ScanMail | SMEX 10 and later | Not Applicable | Update Pattern via Web console | Not Applicable | |||
| SMD 5 and later | |||||||
| InterScan Messaging | IMSVA 8.0 and above | ||||||
| InterScan Web | IWSVA 6.0 and later | ||||||
| Deep Discovery | DDI 3.0 and later | Not Applicable | Update Pattern via web console |
