Trend Micro - Securing Your Journey to the Cloud Business
Support
Sign In with your
Trend Micro Account
Need Help?
Need More Help?

Create a technical support case if you need further support.

Emerging Threat on PTCH_NOPLE

    • Updated:
    • 3 Sep 2018
    • Product/Version:
    • Deep Security 8.0
    • Deep Security 9.0
    • Deep Security 9.5
    • Deep Security 9.6
    • Hosted Email Security 2.0
    • InterScan Messaging Security Virtual Appliance 8.2
    • InterScan Messaging Security Virtual Appliance 8.5
    • InterScan Messaging Security Virtual Appliance 9.0
    • InterScan Messaging Security Virtual Appliance 9.1
    • InterScan Web Security Virtual Appliance 5.6
    • InterScan Web Security Virtual Appliance 6.0
    • OfficeScan 10.6
    • OfficeScan 11.0
    • ScanMail for Exchange 10.2
    • ScanMail for Exchange 8.0 2000/2003/2007
    • ScanMail for Lotus Domino 5.0 AIX
    • ScanMail for Lotus Domino 5.0 Windows
    • ScanMail for Lotus Domino 5.0 zLinux
    • Trend Micro Email Security 1.0
    • Worry-Free Business Security Services 5.8
    • Worry-Free Business Security Services 6.1
    • Worry-Free Business Security Services 6.2
    • Worry-Free Business Security Services 6.3
    • Worry-Free Business Security Services 6.5
    • Worry-Free Business Security Standard/Advanced 9.0
    • Platform:
    • N/A N/A
Summary

NOPLE belongs to the patch family that modifies the dnsapi.dll file, a module that assists the DNS client service in the Windows operating system. This malware create new HOSTS file that contains both the original HOSTS file values as well as additional prepended hostnames and IP addresses.

The malware will then patch dnsapi.dll file to point it to the newly created HOSTS file. Successively, the dnsapi.dll will refer to the new HOSTS file when attempting to map hostnames to IP addresses.

For further information on PTCH_NOPLE variants that Trend Micro already detects, click here.

NOPLE Infection Chain

Click image to enlarge.

VSAPI Pattern (Malicious File Detection)

LAYERDETECTIONPATTERN BRANCHRelease Date
DYNAMICPTCH64_NOPLE.SMENT 12.28301/19/2016
DYNAMICPTCH_NOPLE.DENT 12.27501/15/2016
INFECTIONTROJ_NOPLE.SMENT 12.14511/11/2015
DYNAMICPTCH64_NOPLE.AENT 12.12310/31/2015
DYNAMICPTCH_NOPLE.SMENT12.11510/27/2015
DYNAMICPTCH_NOPLE.BENT 11.99110/19/2015
DYNAMICPTCH_NOPLE.CENT 11.99110/19/2015

WRS Pattern (Malicious URL and Classification)

LAYERDetectionClassificationRelease Date
EXPOSUREd2jyemxz9do7ad.cloudfront{blocked}.net/shopperz_5/update.exeDisease Vector02/18/2016
EXPOSUREdlnembnfbcpjnepmfjmngjenhhajpdfd{blocked}.s3.amazonaws.com/11/version.txtDisease Vector02/18/2016
EXPOSUREdlnembnfbcpjnepmfjmngjenhhajpdfd{blocked}.s3.amazonaws.com/12/version.txtDisease Vector02/18/2016
EXPOSUREdlnembnfbcpjnepmfjmngjenhhajpdfd{blocked}.s3.amazonaws.com/4/version.txtDisease Vector02/18/2016

AEGIS Pattern (Behavior Monitoring Pattern)

LAYERDetectionPattern VersionRelease Date
DYNAMIC1923T (terminate)TMTD OPR 153704/26/2016
DYNAMIC1923F (feedback)TMTD OPR 152904/05/2016

DCT Pattern (System Clean Pattern)

LAYERDetectionPattern VersionReleased Date
CLEAN-UPPTCH_NOPLEDCT OPR 149803/23/2016
CLEAN-UPPTCH64_NOPLEDCT OPR 149803/23/2016
 
Make sure to always use the latest pattern available to detect the old and new variants of PTCH_NOPLE.
Details
Public

Solution Map - What should customers do?

Major ProductsVersionsVirus PatternBehavior MonitoringWeb ReputationDCT PatternAntispam PatternNetwork Pattern
OfficeScan10.6 and above









Update Pattern via web console



Update Pattern via web console









Enable Web Reputation Service*



Update Pattern via Web console


Not Applicable		Update Pattern via Web console
Worry Free Business SuiteStandard



Not Applicable
Advanced/MSAUpdate Pattern via web console
ServicesNot Applicable
Hosted






Not Applicable		Not ApplicableUpdate Pattern via web console
Deep Security8.0 and aboveUpdate Pattern via Web consoleNot ApplicableUpdate Pattern via Web console
ScanMailSMEX 10 and later




Not Applicable



Update Pattern via Web console



Not Applicable
SMD 5 and later
InterScan MessagingIMSVA 8.0 and above
InterScan WebIWSVA 6.0 and later
Deep DiscoveryDDI 3.0 and laterNot ApplicableUpdate Pattern via web console
 
* Refer to the Product Administrator’s Guide on how to enable the Web Reputation services feature.

Related reports

Premium
Internal
Rating:
Category:
Troubleshoot; SPEC
Solution Id:
1114356
Feedback
Did this article help you?

Thank you for your feedback!

To help us improve the quality of this article, please leave your email here so we can clarify further your feedback, if neccessary:
We will not send you spam or share your email address.

*This form is automated system. General questions, technical, sales, and product-related issues submitted through this form will not be answered.

If you need additional help, you may try to contact the support team. Contact Support

To help us improve the quality of this article, please leave your email here so we can clarify further your feedback, if neccessary:
We will not send you spam or share your email address.

*This form is automated system. General questions, technical, sales, and product-related issues submitted through this form will not be answered.