New Fileless Botnet Novter Distributed by KovCoreG Malvertising Campaign

Speaker : Erica

2019 / 10 / 20

• Preface
• Introduction of this incident
• Infection chain of Novter
• Conclusion
• Reference

Outline

Preface

What is KovCoreG?

KovCoreG, active since 2011, is a long-running campaign known for using the Kovterbotnet malware, which was distributed mainly through advertisements and exploits kits.

Since 2015, Kovter has been using fraudulent advertising to engage in click fraud operations. The botnet was taken down at the end of 2018 through concerted efforts by law enforcement and cybersecurity experts.

What is Novter?

This virus distributed mainly through advertisements and exploit kits. So it has strong concealment.

After traceability analysis, Novter may have been developed and operated by the operators of the KovCoreG botnet.

Introduction of this incident

While the malvertising attacks were originally focused on U.S.-based users, they have since expanded to several European countries starting this summer.

Main target

Infection chain of Novter

• A module that shows a technical support scam page on the victim’s machine.
• A module that abuses WinDivert to block the communication from processes.
• A module that is written with NodeJS and io for proxying network traffic.

Novter modules

Conclusion

How to prevent ?

Novter also exemplifies fraudsters’ maturing techniques with its use of fileless infection methods and obfuscating its C&C connections and fraud-related traffic.

So users should adopt best practices, especially against socially engineered threats like malvertisements.

Reference

無檔案殭屍病毒Novter透過KovCoreG惡意廣告活動散播

https://blog.trendmicro.com.tw/?p=62259

New Fileless Botnet Novter Distributed by KovCoreG Malvertising Campaign

https://blog.trendmicro.com/trendlabs-security-intelligence/new-fileless-botnet-novter-distributed-by-kovcoreg-malvertising-campaign/