“Coyote” Trojan Strikes Brazil’s Banks, Experts Warn of Next-Gen Threat
A potent new banking trojan dubbed “Coyote” is sweeping through Brazil’s financial sector, prompting urgent warnings from cybersecurity researchers. This sophisticated malware, discovered by Seqrite, represents a troubling leap in the evolution of cybercrime targeting financial institutions.
Coyote’s cunning lies in its abuse of a legitimate Windows update tool – Squirrel Installer – to disguise its malicious payload. Once installed, it operates stealthily in memory, making detection by antivirus software more difficult.
The core of Coyote’s payload is crafted in .NET, utilizing the Common Language Runtime (CLR) to execute decrypted assemblies directly from memory. This method not only helps it avoid triggering antivirus systems but also complicates the process of forensic analysis.
Seqrite’s analysis revealed that the trojan’s dynamic link libraries (DLLs) behave identically regardless of which export is invoked, pointing to a single malicious purpose. Deep dives into the DLLs exposed MSIL (Microsoft Intermediate Language) payloads loaded in memory, which were subsequently dumped and dissected for further scrutiny. Static examination of these MSIL files unveiled a series of base64-encoded strings, AES-encrypted to conceal the true nature of the executable code.
These encrypted segments use a dual-array layout for decryption: the first 16 bytes act as the initialization vector, and the bytes that follow are the ciphertext to be decrypted. Each string is associated with its own unique key, so recovering one key does not unlock the rest of the payload.
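A decoder for that string layout, written here as an added example (not Seqrite’s tooling and not code from the malware) in Go: it decodes the base64, splits off the 16-byte IV, decrypts the remainder with the per-string key, and rejects malformed blobs. AES-CBC with PKCS#7 padding, the key length and the sample plaintext are assumptions; encryptBlob exists only to manufacture a constructed test blob.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/base64"
	"fmt"
)

// decryptBlob reverses the described layout: base64 text decoding to [16-byte IV][AES ciphertext],
// each blob decrypted with its own key. CBC mode and PKCS#7 padding are assumptions.
func decryptBlob(b64 string, key []byte) ([]byte, error) {
	raw, err := base64.StdEncoding.DecodeString(b64)
	if err != nil || len(raw) < 2*aes.BlockSize || len(raw)%aes.BlockSize != 0 {
		return nil, fmt.Errorf("not an IV+ciphertext blob (base64 err: %v, len %d)", err, len(raw))
	}
	block, err := aes.NewCipher(key) // errors on a key that is not 16/24/32 bytes
	if err != nil {
		return nil, err
	}
	pt := make([]byte, len(raw)-aes.BlockSize)
	cipher.NewCBCDecrypter(block, raw[:aes.BlockSize]).CryptBlocks(pt, raw[aes.BlockSize:])
	n := int(pt[len(pt)-1]) // PKCS#7: last byte is the pad length, repeated n times
	if n == 0 || n > aes.BlockSize || !bytes.Equal(pt[len(pt)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, fmt.Errorf("bad padding: wrong key or corrupted blob")
	}
	return pt[:len(pt)-n], nil
}

// encryptBlob builds a constructed sample in the same layout so the decoder can run offline.
// It is scaffolding for this example (fixed IV is fine only for throwaway test data).
func encryptBlob(plain, key []byte) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	pad := aes.BlockSize - len(plain)%aes.BlockSize
	padded := append(append([]byte{}, plain...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	out := append([]byte("constructed-iv16"), make([]byte, len(padded))...)
	cipher.NewCBCEncrypter(block, out[:aes.BlockSize]).CryptBlocks(out[aes.BlockSize:], padded)
	return base64.StdEncoding.EncodeToString(out), nil
}

func main() {
	key := []byte("constructed-32-byte-key-for-demo") // constructed; real samples use a key per string
	blob, _ := encryptBlob([]byte("System.Diagnostics.Process"), key)
	pt, err := decryptBlob(blob, key)
	fmt.Printf("%s %v\n", pt, err)
}
```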
Coyote ensures its persistence on infected machines by embedding itself within the HKCU\Environment\UserInitMprLogonScript registry key. The trojan actively monitors the foreground window, identifying and targeting specific Brazilian banking applications. Once such an application is detected, Coyote initiates a secure connection to its command and control (CnC) server, transmitting sensitive details like banking application data and machine identifiers.
For secure communication, Coyote utilizes an embedded, encrypted X.509 certificate extracted from its resources, ensuring both the authenticity and confidentiality of the data exchange. Upon establishing a successful connection, the CnC server can dictate over 25 distinct actions to be performed on the infected system, ranging from keylogging and taking screenshots to manipulating windows and simulating user inputs.
Security analysts were particularly surprised by Coyote’s versatility. Unlike many banking trojans, it boasts a wide range of capabilities, including:
- Screenshots for data theft
- Remote window manipulation
- Process termination
- Mouse and keyboard simulation
- Disabling security features
- Keylogging
This alarming feature set gives attackers extensive control over infected machines.
“Coyote Trojan has unlocked a new evolution in banking trojan code, where the malware authors resort to new, more complex techniques than we have typically seen,” warns Prashil Moon, a threat research engineer at Quick Heal Security Labs.
Call to Action:
Seqrite’s report offers a detailed analysis of Coyote’s behavior, and cybersecurity professionals are urged to study the findings. Individuals and businesses in Brazil should exercise heightened caution when banking online:
- Use strong, unique passwords
- Enable two-factor authentication
- Keep software and antivirus programs up-to-date
- Be wary of suspicious links or attachments