{
	"id": "02a8954e-9ab7-46f9-9ac9-a95d603eca6a",
	"created_at": "2026-04-10T03:21:29.746552Z",
	"updated_at": "2026-04-10T03:22:17.619085Z",
	"deleted_at": null,
	"sha1_hash": "3528044afee7723584c04479ff16a19234b689cb",
	"title": "Fileless Botnet Novter Spread Via KovCoreG Campaign",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 87107,
	"plain_text": "Fileless Botnet Novter Spread Via KovCoreG Campaign\r\nBy Jaromir Horejsi, Joseph C Chen, Ecular Xu\r\nPublished: 2019-10-01 · Archived: 2026-04-10 02:48:24 UTC\r\nWe found a new modular fileless botnet malware, which we named “Novter” (also reported and known as “Nodersok” and “Divergent”), that the KovCoreG campaign has been distributing since March. We’ve been actively monitoring this threat since its emergence and early development, and saw it being frequently updated.\r\nKovCoreG, active since 2011, is a long-running campaign known for using the Kovter botnet malware, which was distributed mainly through malvertisements and exploit kits. Kovter has been involved in click fraud operations since 2015, using fraudulent ads that have reportedly cost businesses more than US$29 million. The botnet was taken down at the end of 2018 through concerted efforts by law enforcement and cybersecurity experts, including Trend Micro.\r\nThe dismantlement hasn’t deterred the cybercriminals. Though the botnet is dead, we noticed that the KovCoreG campaign didn’t stop their activities and instead developed another botnet. Working with ProofPoint’s threat researcher Kafeine, we were able to uncover a new fileless botnet malware — Novter — being distributed by the operators of KovCoreG.\r\nWhile the malvertising attacks were originally focused on U.S.-based users, they have since expanded to several European countries starting this summer. Our telemetry also revealed that the malvertising attacks were being distributed through a few of the top 100 websites in the U.S., which were also abused by Kovter in their previous activities. Our analysis of Novter, particularly its most notable modules, is detailed in this technical brief.\r\nFigure 1. 
Infection chain of KovCoreG, Novter, and Nodster\r\nKovCoreG’s attack chain\r\nKovCoreG’s attacks are socially engineered malvertisements that lure unwitting users into downloading a software package supposedly needed to update their out-of-date Adobe Flash application. However, it instead drops a malicious HTML application (HTA) file named Player{timestamp}.hta. When the victim executes the HTA file, it will load additional scripts from a remote server (communication is RC4-encrypted) and run a PowerShell script that appears to take inspiration from the open-source Invoke-PSInject project.\r\nFigure 2. Screenshot showing an example of KovCoreG’s malvertisements (captured by ProofPoint)\r\nFigure 3. Snapshot of KovCoreG’s malvertisement traffic (captured by ProofPoint)\r\nThe PowerShell script, in turn, will disable Windows Defender and Windows Update processes. It runs shellcode to bypass User Account Control (UAC) via the CMSTPLUA COM interface (related to connection management). The PowerShell script is also embedded with Novter, which will be executed filelessly via the PowerShell reflective injection technique.\r\nhttps://blog.trendmicro.com/trendlabs-security-intelligence/new-fileless-botnet-novter-distributed-by-kovcoreg-malvertising-campaign/\r\nPage 1 of 4\r\nAnalysis of the Novter malware\r\nNovter is a backdoor in the form of an executable file. Immediately after its execution, it performs the following anti-debugging and anti-analysis checks:\r\nSearching for blacklisted processes and modules by comparing the CRC32 checksums of their names with a list of hardcoded CRC32s\r\nChecking if the number of CPU cores is too small\r\nChecking if the process is being debugged\r\nChecking if the Sleep function is being manipulated\r\nIf it finds any of the aforementioned information, it is then reported to the C\u0026C server. Note that it uses different sets of C\u0026C servers for different purposes. 
One set, for instance, is solely used for anti-analysis reporting. After the affected machine’s environment is double-checked and reported, the malware goes to sleep for a long time.\r\nThe backdoor commands that Novter supports are:\r\nkillall — Terminate a process and delete a file (for all modules)\r\nkill — Terminate a process and delete a file (for a specific module)\r\nstop — Terminate the process without deleting its file (for a specific module)\r\nresume — Start a process (for a specific module)\r\nmodules — Download and execute an additional module\r\nupdate — Download a new version and install the update\r\nupdate_interval — Set an interval between two consecutive update attempts\r\nNovter communicates with its command-and-control (C\u0026C) servers and downloads multiple JavaScript modules for different purposes. We have identified three Novter modules, which include:\r\nA module that shows a technical support scam page on the victim’s machine\r\nA module that abuses WinDivert (Windows packet divert, a tool that enables network packets sent to and from Windows network stacks to be captured, modified, or dropped) to block the communication from processes like those from antivirus (AV) software\r\nA module (which we named “Nodster”) that is written with NodeJS and socket.io for proxying network traffic. We consider it a module responsible for building the proxy network needed to support the click fraud operations.\r\nAnalysis of Novter’s module “Nodster”\r\nDuring our analysis of Novter, we came across three notable modules downloaded by the malware. One of them, which we named “Nodster,” is a network proxy module. The module installs NodeJS on the victim’s machine and executes a NodeJS script “app.js” in the background. The script will connect to an embedded C\u0026C server address and receive the second C\u0026C server address. It will then establish a backconnection to the second C\u0026C server with the socket.io protocol. 
The second C\u0026C server will return commands to instruct the module to make a TCP connection, send a TCP payload, and return the response from the server back to them. This turns the system infected with Novter into a proxy for the attacker to use.\r\nFigure 4. The communication flow between the Nodster proxy and C\u0026C servers\r\nCorrelating Nodster’s traffic\r\nDuring the course of our research, we observed lots of encrypted traffic proxied through the Nodster module, but we managed to decrypt some of it, which showed scripts used for web advertising. This indicates that the C\u0026C server instructed the infected machine to open a website with embedded JavaScript code related to displaying advertisements.\r\nWe also noticed that the ad traffic appeared to have been sent from Android devices, since the HTTP(S) requests transferred through the proxy had HTTP User-Agent headers from Android devices. These requests are appended with an “X-Requested-With” header carrying many Android app names. We inspected those apps on the Google Play store because we initially thought that the traffic could have been generated by these applications. However, we did not find any suspicious code in these applications that would have generated this traffic. We didn’t find any similar code shared between these Android applications either.\r\nFigure 5. The HTTPS request header spoofed to be from an Android device\r\nWith this finding, we inferred that the ad traffic was not coming from the mobile devices, but was instead being generated by the attacker. The attacker disguised the traffic to appear as if it was being sent from Android devices and mobile applications and proxied it through the Novter/Nodster botnet. 
After all, KovCoreG’s operations involved click fraud.\r\nDefending against Novter\r\nAdvertisements are an innocuous online staple, but KovCoreG’s campaign demonstrates how they can be intrusive, not to mention how Novter can expose the user’s system to other, actual threats. Given how KovCoreG engages in click fraud, it can significantly affect businesses. A single mobile ad fraud incident in 2018, for instance, cost Google and its partners around US$10 million in losses.\r\nNovter also exemplifies fraudsters’ maturing techniques with its use of fileless infection methods and obfuscation of its C\u0026C connections and fraud-related traffic. Users, for their part, should adopt best practices, especially against socially engineered threats like malvertisements.\r\nTrend Micro endpoint solutions, such as the Smart Protection Suites and Worry-Free Business Security that have behavior monitoring capabilities, can protect users and businesses from threats like Emotet by detecting malicious files, scripts, and messages as well as blocking all related malicious URLs. 
Trend Micro Apex One™ protection employs a variety of threat detection capabilities such as behavioral analysis, which protect against malicious scripts, injection, ransomware, memory and browser attacks.\r\nThe full details of our research on Novter are in this technical brief, while the indicators of compromise (IoCs) are in this appendix.\r\nHat tip to ProofPoint’s researcher Kafeine, whom we worked with in this research.\r\nSource: https://blog.trendmicro.com/trendlabs-security-intelligence/new-fileless-botnet-novter-distributed-by-kovcoreg-malvertising-campaign/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.trendmicro.com/trendlabs-security-intelligence/new-fileless-botnet-novter-distributed-by-kovcoreg-malvertising-campaign/"
	],
	"report_names": [
		"new-fileless-botnet-novter-distributed-by-kovcoreg-malvertising-campaign"
	],
	"threat_actors": [],
	"ts_created_at": 1775791289,
	"ts_updated_at": 1775791337,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3528044afee7723584c04479ff16a19234b689cb.pdf",
		"text": "https://archive.orkl.eu/3528044afee7723584c04479ff16a19234b689cb.txt",
		"img": "https://archive.orkl.eu/3528044afee7723584c04479ff16a19234b689cb.jpg"
	}
}