'Coyote' Malware Begins Its Hunt, Preying on 61 Banking Apps


Brazil, the world’s center for banking Trojan malware, has produced one of its most advanced tools yet. And as history shows, Coyote may soon expand its territory.
February 8, 2024
Researchers have discovered a novel banking Trojan they dubbed "Coyote," which is hunting for credentials for 61 different online banking applications.
"Coyote," detailed by Kaspersky in an analysis today, is notable both for its broad targeting of banking-sector apps (the majority, for now, in Brazil), and its sophisticated interweaving of different rudimentary and advanced components: a relatively new open source installer called Squirrel; NodeJs; an unsung programming language called "Nim"; and more than a dozen malicious functionalities. In all, it represents a notable evolution in Brazil's thriving market for financial malware — and could spell big trouble down the line for security teams if it expands its focus.
"They've been developing banking Trojans for more than 20 years — they started in the year 2000," Fabio Assolini, head of the Latin American Global Research and Analysis Team (GReAT) at Kaspersky, says of Brazilian malware developers. "In 24 years of developing and bypassing new authentication methods and new protection technologies, they've been very creative, and you can see it now with this very new Trojan."
It may be a Brazil-focused threat to consumers for now, but as mentioned, there are clear reasons for organizations to be aware of Coyote. For one, as Assolini warns, "the malware families that had success in tackling the Brazil market in the past have also expanded abroad. That's why corporations and banks must be prepared to deal with it."
Another reason for security teams to pay attention to the emergence of new banking Trojans is their history of evolving into fully fledged initial-access Trojans and backdoors; this was the case with Emotet and Trickbot, for instance, and more recently, QakBot and Ursnif.
Coyote has functionality in the wings to follow suit: It can execute a range of commands, including directives to take screenshots, log keystrokes, kill processes, shut down the machine, and move its cursor. It can also outright freeze the machine with a fake "Working on updates …" overlay.
So far in its attacks, Coyote behaves like any other modern banking Trojan: When a compatible app is triggered on an infected machine, the malware pings an attacker-controlled command-and-control (C2) server and displays an appropriate phishing overlay on the victim's screen in order to capture the user's login information. Coyote stands out most, though, for how it combats potential detections.
Most banking Trojans utilize Windows Installers (MSI), Kaspersky noted in its blog post, making them an easy red flag for cybersecurity defenders. That's why Coyote opts for Squirrel, a legitimate open source tool for installing and updating Windows desktop apps. Using Squirrel, Coyote attempts to mask its malicious initial stage loader as a perfectly honest update packager.
Its final stage loader is even more unique, as it's written in a relatively niche programming language called "Nim." This is the very first banking Trojan Kaspersky has identified using Nim.
"Most of the old banking Trojans were written in Delphi, which is quite old and utilized across a lot of families. So over the years, the detection of Delphi malware got very good, and the efficiency of infections was slowing down over the years," Assolini explains. With Nim, "they have a more modern language to program with new features and a low rate of detection by security software."
If Coyote has to do so much to distinguish itself, it's because the world's fifth-largest nation has in recent years become the world's premier hub for banking malware.
And for as much as they terrorize Brazilians, these programs also have a habit of crossing bodies of water.
"These guys are very experienced in developing banking Trojans, and they're eager to expand their attacks worldwide," Assolini emphasizes. "Right now, we can find Brazilian bank Trojans attacking companies and people as far away as Australia and Europe. This week, a member of my team found a new version of one in Italy."
To demonstrate the potential future for a tool like Coyote, Assolini points to Grandoreiro, a similar Trojan that made serious inroads into Mexico and Spain but also well beyond. By the end of last fall, he says, it had reached a total of 41 countries.
A byproduct of that success, however, was increased scrutiny from law enforcement. In a step toward disrupting the country's free-flowing cyber underground for this kind of malware, Brazilian police made a rare move: They executed five temporary arrest warrants and 13 search and seizure warrants across five Brazilian states, targeting the architects behind Grandoreiro.
"The problem in Brazil is they don't have very good local law enforcement for punishing these attackers. It works better when you have an entity outside of the country applying some pressure, as happened with Granadoreiro, when the police and banks in Spain were pressuring Brazilian federal police to catch these guys," Assolini says.
So, he concludes, "they're getting better, but there's a long way to go, because a lot of cybercriminals are still free [in Brazil] and committing lots of attacks worldwide."
Nate Nelson, Contributing Writer

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" — an award-winning Top 20 tech podcast on Apple and Spotify — and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.
Copyright © 2024 Informa PLC Informa UK Limited is a company registered in England and Wales with company number 1072954 whose registered office is 5 Howick Place, London, SW1P 1WG.