We found a new modular fileless botnet malware, which we named “Novter” (also reported and known as “Nodersok” and “Divergent”), that the KovCoreG campaign has been distributing since March. We’ve been actively monitoring this threat since its emergence and early development, and have seen it updated frequently. KovCoreG, active since 2011, is a long-running campaign known for using the Kovter botnet malware, which was distributed mainly through malvertisements and exploit kits. Kovter has been involved in click fraud operations since 2015, using fraudulent ads that have reportedly cost businesses more than US$29 million. The botnet was taken down at the end of 2018 through concerted efforts by law enforcement and cybersecurity experts, including Trend Micro.

The dismantlement hasn’t deterred the cybercriminals. Though the botnet is dead, we noticed that the KovCoreG campaign didn’t stop its activities and instead developed another botnet. Working with Proofpoint’s threat researcher Kafeine, we were able to uncover a new fileless botnet malware, Novter, being distributed by the operators of KovCoreG.