
Coyote Banking Trojan

Researchers recently unearthed a unique banking Trojan named 'Coyote,' designed to harvest credentials for 61 online banking applications. What sets Coyote apart is its extensive targeting of banking-sector apps, most of them Brazilian. The Trojan stands out for its combination of basic and advanced components: it is delivered through the relatively new open-source installer Squirrel, relies on Node.js, has its final loader written in the less common programming language Nim, and carries more than a dozen harmful functions. The discovery marks a noteworthy step in Brazil's flourishing market for financial malware and could pose significant challenges for security teams should its focus expand further.

Brazilian Cybercriminals Have Been Focused on Banking Trojan Threats

Brazilian malware developers have been actively crafting banking Trojans for over two decades, dating back to at least 2000. Across 24 years of continuous development they have repeatedly adapted to new authentication methods and protection technologies, and the emergence of this latest Trojan shows that creativity has not run out.

While experts currently highlight Coyote as a threat primarily focused on Brazilian consumers, organizations have compelling reasons to monitor its potential capabilities closely. Past trends indicate that malware families successful in the Brazilian market often extend their reach internationally. Therefore, corporations and banks must be vigilant and prepared to address Coyote should its impact broaden.

Another crucial consideration for security teams is the historical progression of banking Trojans into full-fledged initial-access Trojans and backdoors. Notable instances include the transformations of Emotet and TrickBot and, more recently, QakBot and Ursnif. This pattern underscores the importance of watching new banking Trojans closely, since they could evolve into more sophisticated threats.

The Coyote Banking Trojan is Equipped with a Diverse Set of Harmful Capabilities

Coyote exhibits an enhanced range of functionalities, allowing it to carry out diverse commands such as capturing screenshots, logging keystrokes, terminating processes, shutting down the machine, and manipulating the cursor. Notably, it can also induce a machine freeze by overlaying a deceptive 'Working on updates…' screen.

In its general behavior, Coyote follows the typical pattern of a modern banking Trojan. When the victim opens one of the targeted banking applications on an infected system, the malware contacts its attacker-controlled Command-and-Control (C2) server and then draws a convincing phishing overlay on the victim's screen to capture login credentials. Where Coyote distinguishes itself is in the effort it puts into evading detection.

Unlike many banking Trojans that arrive as Windows Installer (MSI) packages, which defenders have learned to spot easily, Coyote opts for Squirrel. Squirrel is a legitimate open-source tool for installing and updating Windows desktop applications. By shipping its initial-stage loader inside a Squirrel package, Coyote camouflages it as a seemingly harmless application update.

The final-stage loader adds another layer of uniqueness: it is written in the relatively uncommon programming language Nim. This is one of the first instances in which a banking Trojan has been observed using Nim.

Traditionally, banking Trojans have been written predominantly in Delphi, an older language used across many malware families. As detection of Delphi malware improved over the years, infection success rates gradually declined. By adopting Nim, Coyote's developers move to a more modern language, gain its newer features, and, because security products have seen far fewer Nim binaries, achieve a lower detection rate.
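The two loader traits described above (a Squirrel-packaged first stage that hands off to Node.js, and a final stage compiled with Nim) are both things a defender can hunt for. The following Python triage helpers are an added example and not code from the original report or from Kaspersky: one scores a process-creation event for a Squirrel updater spawning a script host, the other checks a binary for strings the Nim runtime leaves behind. The sample events and byte blobs are constructed here; the `Update.exe` location follows Squirrel.Windows's per-user install layout, and the Nim marker list is an assumption drawn from the Nim compiler's naming conventions rather than from a Coyote sample.

```python
"""Triage helpers for the loader traits the article attributes to Coyote.
Added example; not code from the original page or the researchers.
"""
import re
from dataclasses import dataclass

# Squirrel.Windows installs each app under %LocalAppData%\<AppName>\ and runs
# its updater as Update.exe from that directory. Treating that updater spawning
# a script host as suspicious is an assumption made for illustration: legitimate
# Electron apps can produce similar chains, so this is a hunting lead, not a verdict.
SQUIRREL_UPDATER_RE = re.compile(r"\\AppData\\Local\\[^\\]+\\Update\.exe$", re.IGNORECASE)
SCRIPT_HOSTS = {"node.exe", "powershell.exe", "cmd.exe", "wscript.exe", "mshta.exe"}


@dataclass(frozen=True)
class ProcessEvent:
    """Minimal process-creation record (Sysmon Event ID 1 style fields)."""
    parent_image: str
    image: str
    command_line: str


def squirrel_launch_score(ev: ProcessEvent) -> int:
    """0 = nothing of note, 1 = Squirrel updater is the parent,
    3 = Squirrel updater spawned a script host such as node.exe."""
    score = 0
    if SQUIRREL_UPDATER_RE.search(ev.parent_image):
        score += 1
        child = ev.image.rsplit("\\", 1)[-1].lower()
        if child in SCRIPT_HOSTS:
            score += 2
    return score


# Nim's generated C keeps its runtime entry points by name (NimMain,
# NimMainInner) and embeds source paths such as lib/system/... for stack
# traces. Assumed marker list; treat it as a starting point, not a signature.
NIM_MARKERS = (b"NimMain", b"NimMainInner", b"nimFrame", b".nim", b"lib/system/")


def nim_markers_found(data: bytes) -> list[str]:
    """Return the Nim runtime markers present in a binary blob."""
    return [m.decode() for m in NIM_MARKERS if m in data]


def looks_nim_compiled(data: bytes, min_hits: int = 2) -> bool:
    """Require more than one marker so a stray '.nim' string alone does not fire."""
    return len(nim_markers_found(data)) >= min_hits


# Constructed samples (not real malware bytes or telemetry).
SAMPLE_NIM = (b"MZ\x90\x00PE\x00\x00" b"NimMain\x00NimMainInner\x00"
              b"/lib/system/fatal.nim\x00Error: unhandled exception")
SAMPLE_DELPHI = b"MZ\x90\x00PE\x00\x00Borland Delphi\x00TForm1\x00TButton\x00"

EVENTS = [
    ProcessEvent(r"C:\Users\alice\AppData\Local\SomeApp\Update.exe",
                 r"C:\Program Files\nodejs\node.exe", "node.exe preload.js"),
    ProcessEvent(r"C:\Users\alice\AppData\Local\SomeApp\Update.exe",
                 r"C:\Users\alice\AppData\Local\SomeApp\app-1.0\SomeApp.exe", "SomeApp.exe"),
    ProcessEvent(r"C:\Windows\explorer.exe",
                 r"C:\Program Files\nodejs\node.exe", "node.exe server.js"),
]

if __name__ == "__main__":
    for ev in EVENTS:
        print(squirrel_launch_score(ev), ev.parent_image, "->", ev.image)
    print("nim sample:", nim_markers_found(SAMPLE_NIM), looks_nim_compiled(SAMPLE_NIM))
    print("delphi sample:", nim_markers_found(SAMPLE_DELPHI), looks_nim_compiled(SAMPLE_DELPHI))
```

The process score is deliberately coarse: a Squirrel updater launching its own packaged app is normal (score 1) and only the hand-off to a script interpreter raises it, which is the shape the article describes for Coyote's Squirrel-to-Node.js stage. The string check is the cheap counterpart to the Delphi-era signatures mentioned above; release builds compiled without stack traces may shed some markers, so keep the threshold low and combine it with behavioral signals.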

Banking Trojans Have Spread to Become a Global Operation

In recent years, Brazil has emerged as a global epicenter for banking malware. Although these threats originate in Brazil, they have shown the capability to cross oceans and continents. The operators behind them have extensive experience in developing banking Trojans and a keen interest in expanding their attacks worldwide, and researchers have observed Brazilian banking Trojans targeting organizations and individuals as far afield as Australia and Europe.

One noteworthy example is Grandoreiro, a Trojan with similar characteristics that successfully infiltrated not only Mexico and Spain but also extended its reach well beyond those borders. At its peak, this threat had a presence in a total of 41 countries.

However, the success of these operations attracted heightened scrutiny from law enforcement. In a move aimed at disrupting the cyber underground ecosystem behind such malware, Brazilian police executed five temporary arrest warrants and 13 search-and-seizure warrants against the individuals responsible for Grandoreiro, across five Brazilian states.
