What is KovCoreG?

KovCoreG, active since 2011, is a long-running campaign known for using the Kovterbotnet malware, which was distributed mainly through advertisements and exploits kits.

Since 2015, Kovter has been using fraudulent advertising to engage in click fraud operations. The botnet was taken down at the end of 2018 through concerted efforts by law enforcement and cybersecurity experts.

What is Novter?

This virus distributed mainly through advertisements and exploit kits. So it has strong concealment.

After traceability analysis, Novter may have been developed and operated by the operators of the KovCoreG botnet.

While the malvertising attacks were originally focused on U.S.-based users, they have since expanded to several European countries starting this summer.

Main target

• A module that shows a technical support scam page on the victim’s machine.
• A module that abuses WinDivert to block the communication from processes.
• A module that is written with NodeJS and io for proxying network traffic.

Novter modules

How to prevent ?

Novter also exemplifies fraudsters’ maturing techniques with its use of fileless infection methods and obfuscating its C&C connections and fraud-related traffic.

So users should adopt best practices, especially against socially engineered threats like malvertisements.

無檔案殭屍病毒Novter透過KovCoreG惡意廣告活動散播

https://blog.trendmicro.com.tw/?p=62259

New Fileless Botnet Novter Distributed by KovCoreG Malvertising Campaign

https://blog.trendmicro.com/trendlabs-security-intelligence/new-fileless-botnet-novter-distributed-by-kovcoreg-malvertising-campaign/