Feb 03, 2025Ravie LakshmananFinancial Security / MalwareBrazilian Windows users are the target of a campaign that delivers a banking malware known as Coyote."Once deployed, the Coyote Banking Trojan can carry out various malicious activities, including keylogging, capturing screenshots, and displaying phishing overlays to steal sensitive credentials," Fortinet FortiGuard Labs researcher Cara Lin said in an analysis published last week.The cybersecurity company said it discovered over the past month several Windows Shortcut (LNK) file artifacts that contain PowerShell commands responsible for delivering the malware.Coyote was first documented by Kaspersky in early 2024, detailing its attacks targeting users in the South American nation. It's capable of harvesting sensitive information from over 70 financial applications.In the previous attack chain documented by the Russian cybersecurity firm, a Squirrel installer executable is used to trigger a Node.js application compiled with Electron, that, for its part, runs a Nim-based loader to trigger the execution of the malicious Coyote payload.The latest infection sequence, on the other hand, commences with an LNK file that executes a PowerShell command to retrieve the next-stage from a remote server ("tbet.geontrigame[.]com"), another PowerShell script that launches a loader responsible for executing an interim payload."The injected code leverages Donut, a tool designed to decrypt and execute the final MSIL (Microsoft Intermediate Language) payloads," Lin said. "The decrypted MSIL execution file first establishes persistence by modifying the registry at 'HCKU\Software\Microsoft\Windows\CurrentVersion\Run.'""If found, it removes the existing entry and creates a new one with a randomly generated name. This new registry entry contains a customized PowerShell command pointing to download and execute a Base64-encoded URL, which facilitates the main functions of the Coyote banking trojan."The malware, once launched, gathers basic system information and the list of installed antivirus products on the host, after which the data is Base64-encoded and exfiltrated to a remote server. It also performs various checks to evade detection by sandboxes and virtual environments.A notable change in the latest iteration of Coyote is the expansion of its target list to encompass 1,030 sites and 73 financial agents, such as mercadobitcoin.com.br, bitcointrade.com.br, foxbit.com.br, augustoshotel.com.br, blumenhotelboutique.com.br, and fallshotel.com.br.Should the victim attempt to access any one of the sites in the list, the malware contacts an attacker-controlled server to determine the next course of action, which can range from capturing a screenshot to serving overlays. Some of the other functions include displaying activating a keylogger and manipulating display settings."Coyote's infection process is complex and multi-staged," Lin said. "This attack leveraged an LNK file for initial access, which subsequently led to the discovery of other malicious files. This Trojan poses a significant threat to financial cybersecurity, particularly because it has the potential to expand beyond its initial targets."Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.SHARE