Beware, Brazil! “Coyote” Trojan Stalks Your Bank Accounts

Specialists at Kaspersky Lab have uncovered the Coyote banking trojan, targeting users of over 60 financial institutions, predominantly in Brazil. This malware distinguishes itself through a complex infection chain that employs various advanced technologies, setting Coyote apart from other banking trojans.

Coyote spreads using the open-source installer Squirrel, incorporating NodeJS and the relatively new cross-platform programming language Nim to complete the infection. This reflects a trend among cybercriminals towards utilizing less popular and cross-platform languages to evade detection.

The trojan employs the Squirrel tool for installing and updating Windows applications, disguising its initial loader as an update. A NodeJS script executed via Squirrel runs obfuscated JavaScript code, which copies all executable files from a local folder to a user's folder, then launches a signed application from this directory, delivering its payload through DLL sideloading.

Notably, the final stage of the trojan is downloaded using Nim, which unpacks and executes a .NET executable in memory. The trojan achieves persistence through an entry point that is activated on every reboot of the computer.

Although its code is not obfuscated, Coyote uses string obfuscation with AES encryption to further conceal its activities. To decrypt strings, the trojan builds a table from base64-encoded data, using a randomly generated key and the standard .NET cryptography APIs.

To maintain persistence, Coyote abuses Windows logon scripts: it checks the registry for the path to the signed application and inserts it if it is not already there. The trojan's goal is to monitor the victim's applications, waiting for a banking app or website to be accessed.
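The two mechanisms described above, logon-script persistence and a signed executable sideloading a DLL from a user folder, can be audited from the defender's side. The script below is an added example and is not code from the article or from Kaspersky; it assumes the logon-script value in question is the standard per-user `HKCU\Environment\UserInitMprLogonScript`, since the article does not name the exact registry key Coyote writes.

```powershell
# Added example (not from the article): audit the per-user logon-script registry value
# for persistence entries that point into user-writable folders or sit beside unsigned DLLs.
# Assumption: the value checked is HKCU\Environment\UserInitMprLogonScript, the standard
# per-user logon-script location; the article does not name the exact key Coyote uses.
$LogonScriptKey  = 'HKCU:\Environment'
$LogonScriptName = 'UserInitMprLogonScript'

# Folders an unprivileged user can write to. The article describes the loader copying its
# executables into a user's folder, so a logon script living here deserves a closer look.
$UserWritableRoots = @($env:USERPROFILE, $env:APPDATA, $env:LOCALAPPDATA, $env:TEMP) |
    Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') }

function Get-LogonScriptFindings {
    $value = (Get-ItemProperty -Path $LogonScriptKey -Name $LogonScriptName `
        -ErrorAction SilentlyContinue).$LogonScriptName
    if (-not $value) {
        return [pscustomobject]@{ Present = $false; Path = $null; Suspicious = $false
                                  Reason = 'No per-user logon script configured' }
    }
    # The value may carry arguments; keep only the program path (quoted or first token).
    $path = if ($value -match '^"([^"]+)"') { $Matches[1] } else { $value.Split(' ')[0] }

    $inUserFolder = $false
    foreach ($root in $UserWritableRoots) {
        if ($path.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) { $inUserFolder = $true }
    }
    $sig = if (Test-Path -LiteralPath $path) { (Get-AuthenticodeSignature -FilePath $path).Status }
           else { 'FileMissing' }

    $reason = @()
    if ($inUserFolder)   { $reason += 'logon script points into a user-writable folder' }
    if ($sig -ne 'Valid') { $reason += "signature status: $sig" }
    # Sideloading pattern from the article: a validly signed EXE launched next to unsigned DLLs.
    if ($sig -eq 'Valid') {
        $unsignedDlls = Get-ChildItem -LiteralPath (Split-Path $path) -Filter *.dll -ErrorAction SilentlyContinue |
            Where-Object { (Get-AuthenticodeSignature -FilePath $_.FullName).Status -ne 'Valid' }
        if ($unsignedDlls) { $reason += "signed EXE with $($unsignedDlls.Count) unsigned DLL(s) beside it" }
    }
    [pscustomobject]@{
        Present    = $true
        Path       = $path
        Suspicious = ($reason.Count -gt 0)
        Reason     = ($reason -join '; ')
    }
}

Get-LogonScriptFindings | Format-List
```

Run it in the context of each interactive user, since the value lives under HKCU; a `Suspicious = True` result is a lead for triage, not proof of infection.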

When a banking application is opened, the trojan communicates with a Command and Control (C2) server over SSL channels with mutual authentication and transmits the collected information, including the machine name, GUID, and the banking application in use. In response, the server can send commands for various actions, including keylogging and screenshot capture. Additionally, Coyote requests bank card PIN codes and displays phishing pages to collect user credentials.

Telemetry data shows that approximately 90% of Coyote infections are in Brazil, significantly impacting the region’s financial cybersecurity.

Coyote represents a significant shift in the development of banking trojans, showcasing a move towards modern technologies and programming languages. The malware highlights the growing sophistication of the threat landscape and the adaptation of attackers to current languages and tools for their cyber campaigns.