New Fileless Botnet Novter Distributed by KovCoreG Malvertising Campaign

Speaker: Erica

2019 / 10 / 20

 

Outline

  • Preface
  • Introduction of this incident
  • Infection chain of Novter
  • Conclusion
  • Reference

Preface

What is KovCoreG?

KovCoreG, active since 2011, is a long-running campaign known for using the Kovter botnet malware, which was distributed mainly through advertisements and exploit kits.

 

Since 2015, Kovter has been using fraudulent advertising to engage in click fraud operations. The botnet was taken down at the end of 2018 through concerted efforts by law enforcement and cybersecurity experts.

What is Novter?

This virus is distributed mainly through advertisements and exploit kits, so it has strong concealment.

 

Traceability analysis suggests that Novter may have been developed and operated by the operators of the KovCoreG botnet.

Introduction of this incident

Main target

While the malvertising attacks were originally focused on U.S.-based users, they have since expanded to several European countries starting this summer.

Infection chain of Novter

Novter modules

  • A module that shows a technical support scam page on the victim’s machine.
  • A module that abuses WinDivert to block the communication from processes.
  • A module that is written with NodeJS and io for proxying network traffic.

Conclusion

How to prevent it?

Novter also exemplifies fraudsters’ maturing techniques with its use of fileless infection methods and obfuscating its C&C connections and fraud-related traffic.

 

So users should adopt best practices, especially against socially engineered threats like malvertisements.

Reference

Fileless Botnet Malware Novter Spreads Through KovCoreG Malvertising Campaign

https://blog.trendmicro.com.tw/?p=62259

 

New Fileless Botnet Novter Distributed by KovCoreG Malvertising Campaign

https://blog.trendmicro.com/trendlabs-security-intelligence/new-fileless-botnet-novter-distributed-by-kovcoreg-malvertising-campaign/

Thanks for listening.
