Coyote Malware Begins Its Hunt, Preying on 61 Banking Apps

Published: 23/11/2024   Category: security




Brazil, the world's center for banking Trojan malware, has produced one of its most advanced tools yet. And as history shows, Coyote may soon expand its territory.



Researchers have discovered a novel banking Trojan they dubbed Coyote, which is hunting for credentials for 61 different online banking applications.

Coyote, detailed by Kaspersky in an analysis today, is notable both for its broad targeting of banking-sector apps (the majority, for now, in Brazil), and for its sophisticated interweaving of rudimentary and advanced components: a relatively new open source installer called Squirrel; Node.js; an unsung programming language called Nim; and more than a dozen malicious functionalities. In all, it represents a notable evolution in Brazil's thriving market for financial malware — and could spell big trouble down the line for security teams if it expands its focus.

"They've been developing banking Trojans for more than 20 years — they started in the year 2000," Fabio Assolini, head of the Latin American Global Research and Analysis Team (GReAT) at Kaspersky, says of Brazilian malware developers. "In 24 years of developing and bypassing new authentication methods and new protection technologies, they've been very creative, and you can see it now with this very new Trojan."

It may be a Brazil-focused threat to consumers for now, but as mentioned, there are clear reasons for organizations to be aware of Coyote. For one, as Assolini warns, "the malware families that had success in tackling the Brazil market in the past have also expanded abroad. That's why corporations and banks must be prepared to deal with it."
Another reason for security teams to pay attention to the emergence of new banking Trojans is their history of evolving into fully fledged initial-access Trojans and backdoors; this was the case with Emotet and Trickbot, for instance, and more recently, QakBot and Ursnif.
Coyote has functionality in the wings to follow suit: It can execute a range of commands, including directives to take screenshots, log keystrokes, kill processes, shut down the machine, and move its cursor. It can also outright freeze the machine with a fake "Working on updates …" overlay.

So far in its attacks, Coyote behaves like any other modern banking Trojan: When a compatible app is launched on an infected machine, the malware contacts an attacker-controlled command-and-control (C2) server and displays a matching phishing overlay on the victim's screen in order to capture the user's login information. Coyote stands out most, though, for how it evades detection.
Most banking Trojans use Windows Installer (MSI) packages, Kaspersky noted in its blog post, making them an easy red flag for cybersecurity defenders. That's why Coyote opts for Squirrel, a legitimate open source tool for installing and updating Windows desktop apps. Using Squirrel, Coyote attempts to mask its malicious initial-stage loader as a perfectly honest update packager.

Its final-stage loader is even more unusual, as it's written in a relatively niche programming language called Nim. This is the very first banking Trojan Kaspersky has identified using Nim.

"Most of the old banking Trojans were written in Delphi, which is quite old and utilized across a lot of families. So over the years, the detection of Delphi malware got very good, and the efficiency of infections was slowing down over the years," Assolini explains. "With Nim, they have a more modern language to program with new features and a low rate of detection by security software."
If Coyote has to do so much to distinguish itself, it's because the world's fifth-largest nation has in recent years become the world's premier hub for banking malware. And for as much as they terrorize Brazilians, these programs also have a habit of crossing bodies of water.
"These guys are very experienced in developing banking Trojans, and they're eager to expand their attacks worldwide," Assolini emphasizes. "Right now, we can find Brazilian bank Trojans attacking companies and people as far away as Australia and Europe. This week, a member of my team found a new version of one in Italy."

To demonstrate the potential future for a tool like Coyote, Assolini points to Grandoreiro, a similar Trojan that made serious inroads into Mexico and Spain but also well beyond. By the end of last fall, he says, it had reached a total of 41 countries.
A byproduct of that success, however, was increased scrutiny from law enforcement. In a step toward disrupting its free-flowing cyber underground for this kind of malware, Brazilian police made a rare move: They executed five temporary arrest warrants and 13 search and seizure warrants against the architects behind Grandoreiro across five Brazilian states.

"The problem in Brazil is they don't have very good local law enforcement for punishing these attackers. It works better when you have an entity outside of the country applying some pressure, as happened with Grandoreiro, when the police and banks in Spain were pressuring Brazilian federal police to catch these guys," Assolini says.

So, he concludes, "they're getting better, but there's a long way to go, because a lot of cybercriminals are still free [in Brazil] and committing lots of attacks worldwide."
