Emerging Threat on PTCH

Emerging Threat on PTCH_NOPLE

- Updated:
- 25 Apr 2019
- Product/Version:
- Deep Security 8.0
- Deep Security 9.0
- Deep Security 9.5
- Deep Security 9.6
- Hosted Email Security 2.0
- InterScan Messaging Security Virtual Appliance 8.2
- InterScan Messaging Security Virtual Appliance 8.5
- InterScan Messaging Security Virtual Appliance 9.0
- InterScan Messaging Security Virtual Appliance 9.1
- InterScan Web Security Virtual Appliance 5.6
- InterScan Web Security Virtual Appliance 6.0
- OfficeScan 10.6
- OfficeScan 11.0
- ScanMail for Exchange 10.2
- ScanMail for Exchange 8.0 2000/2003/2007
- ScanMail for Lotus Domino 5.0 AIX
- ScanMail for Lotus Domino 5.0 Windows
- ScanMail for Lotus Domino 5.0 zLinux
- Trend Micro Email Security 1.0
- Worry-Free Business Security Services 5.8
- Worry-Free Business Security Services 6.1
- Worry-Free Business Security Services 6.2
- Worry-Free Business Security Services 6.3
- Worry-Free Business Security Services 6.5
- Worry-Free Business Security Standard/Advanced 9.0
- Platform:
- N/A N/A

Summary

NOPLE belongs to the patch family that modifies the dnsapi.dll file, a module that assists the DNS client service in the Windows operating system. This malware create new HOSTS file that contains both the original HOSTS file values as well as additional prepended hostnames and IP addresses.

The malware will then patch dnsapi.dll file to point it to the newly created HOSTS file. Successively, the dnsapi.dll will refer to the new HOSTS file when attempting to map hostnames to IP addresses.

For further information on PTCH_NOPLE variants that Trend Micro already detects, click here.

Click image to enlarge.

VSAPI Pattern (Malicious File Detection)

LAYER	DETECTION	PATTERN BRANCH	Release Date
DYNAMIC	PTCH64_NOPLE.SM	ENT 12.283	01/19/2016
DYNAMIC	PTCH_NOPLE.D	ENT 12.275	01/15/2016
INFECTION	TROJ_NOPLE.SM	ENT 12.145	11/11/2015
DYNAMIC	PTCH64_NOPLE.A	ENT 12.123	10/31/2015
DYNAMIC	PTCH_NOPLE.SM	ENT12.115	10/27/2015
DYNAMIC	PTCH_NOPLE.B	ENT 11.991	10/19/2015
DYNAMIC	PTCH_NOPLE.C	ENT 11.991	10/19/2015

WRS Pattern (Malicious URL and Classification)

LAYER	Detection	Classification	Release Date
EXPOSURE	d2jyemxz9do7ad.cloudfront{blocked}.net/shopperz_5/update.exe	Disease Vector	02/18/2016
EXPOSURE	dlnembnfbcpjnepmfjmngjenhhajpdfd{blocked}.s3.amazonaws.com/11/version.txt	Disease Vector	02/18/2016
EXPOSURE	dlnembnfbcpjnepmfjmngjenhhajpdfd{blocked}.s3.amazonaws.com/12/version.txt	Disease Vector	02/18/2016
EXPOSURE	dlnembnfbcpjnepmfjmngjenhhajpdfd{blocked}.s3.amazonaws.com/4/version.txt	Disease Vector	02/18/2016

AEGIS Pattern (Behavior Monitoring Pattern)

LAYER	Detection	Pattern Version	Release Date
DYNAMIC	1923T (terminate)	TMTD OPR 1537	04/26/2016
DYNAMIC	1923F (feedback)	TMTD OPR 1529	04/05/2016

DCT Pattern (System Clean Pattern)

LAYER	Detection	Pattern Version	Released Date
CLEAN-UP	PTCH_NOPLE	DCT OPR 1498	03/23/2016
CLEAN-UP	PTCH64_NOPLE	DCT OPR 1498	03/23/2016

Make sure to always use the latest pattern available to detect the old and new variants of PTCH_NOPLE.

Details

Solution Map - What should customers do?

Major Products	Versions	Virus Pattern	Behavior Monitoring	Web Reputation	DCT Pattern	Antispam Pattern	Network Pattern
OfficeScan	10.6 and above	Update Pattern via web console	Update Pattern via web console	Enable Web Reputation Service*	Update Pattern via Web console	Not Applicable	Update Pattern via Web console
Worry Free Business Suite	Standard					Not Applicable	Not Applicable
	Advanced/MSA					Update Pattern via web console
	Services					Not Applicable
	Hosted		Not Applicable		Not Applicable	Update Pattern via web console
Deep Security	8.0 and above				Update Pattern via Web console	Not Applicable	Update Pattern via Web console
ScanMail	SMEX 10 and later				Not Applicable	Update Pattern via Web console	Not Applicable
ScanMail	SMD 5 and later
InterScan Messaging	IMSVA 8.0 and above
InterScan Web	IWSVA 6.0 and later
Deep Discovery	DDI 3.0 and later					Not Applicable	Update Pattern via web console

* Refer to the Product Administrator’s Guide on how to enable the Web Reputation services feature.

Related reports

Rating:

Category:

Troubleshoot; SPEC

Solution Id:

1114356

Feedback

Did this article help you?

Thank you for your feedback!

What was the problem with this article?

The image(s) in the article did not display properly.

The article did not provide detailed procedure.

The article is hard to understand and follow.

The video did not play properly.

The article did not resolve my issue.

Others. Please specify.

To help us improve the quality of this article, please leave your email here so we can clarify further your feedback, if neccessary:

We will not send you spam or share your email address.

*This form is automated system. General questions, technical, sales, and product-related issues submitted through this form will not be answered.

If you need additional help, you may try to contact the support team. Contact Support

Thanks for voting.