The Coyote: New Trojan Targets 60 Brazilian Banks

Experts at Kaspersky have discovered “Coyote,” a new banking Trojan that uses unusual evasion techniques to steal confidential financial data. It primarily targets customers of more than 60 Brazilian banks and is distributed via the Squirrel installer, a delivery method rarely associated with malware. Kaspersky's researchers have analysed and documented the full Coyote infection chain. The developers of banking Trojans are constantly looking for inventive ways to distribute their implants and infect victims.

What kind of malware is Coyote?

Coyote is a banking Trojan. It is designed to harvest private data from infected devices, mainly information related to online banking, and it targets customers of more than sixty Brazilian banks. The malware is sophisticated and relies on a multi-stage infection chain.

How does it get installed into a system?

The Trojan abuses Squirrel, a legitimate installer and updater for Windows desktop applications. When the installer runs, a Node.js application executes obfuscated JavaScript. The purpose of this code is to launch a legitimate piece of software that serves as the host for the next stage through DLL side-loading: the legitimate executable loads a malicious DLL placed alongside it, and that DLL is a loader written in the Nim programming language. The loader unpacks, loads and launches the Coyote executable. Once the Trojan has established persistence and connected to its C&C (command and control) server, it begins searching the system for relevant information and monitoring which applications are opened. At the time of writing, 60 Brazilian banks were on Coyote's target list. When a targeted banking website or application is opened, the Trojan can use a variety of capabilities to obtain the desired data.
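The chain above (installer, then a Node.js process, then a legitimate executable loading an unsigned DLL from its own user-writable folder) is easier to catch as a pattern than as any single indicator. The following is an added detection example written for this article, not code from Kaspersky or from the malware itself. It runs over constructed Sysmon-style JSON events (EID 1 process creation, EID 7 image load); every path, file name and PID in the sample is hypothetical, and the assumption that a Squirrel-based installer runs as Update.exe is a tuning choice you should adjust to your own telemetry.

```python
"""Heuristic detection of an installer -> Node.js -> DLL side-loading chain.

Added example, not Kaspersky's or Coyote's code. Events are constructed,
Sysmon-like JSON objects (one per line): EventID 1 = ProcessCreate,
EventID 7 = ImageLoad. Paths, names and PIDs are hypothetical.
"""
import json
import ntpath

# Locations an unprivileged user can write to. A DLL loaded from here, from the
# same folder as its host executable, is the classic side-loading setup.
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")

# Process names the chain is expected to pass through. Update.exe is what a
# Squirrel.Windows installer typically runs as (assumption; tune to your estate).
SQUIRREL_NAMES = {"update.exe", "squirrel.exe"}
NODE_NAMES = {"node.exe"}

# Constructed sample telemetry. Raw strings keep the JSON "\\" escapes intact.
SAMPLE_LOG_LINES = [
    r'{"EventID":1,"ProcessId":1,"ParentProcessId":0,"Image":"C:\\Windows\\explorer.exe","CommandLine":"explorer.exe"}',
    r'{"EventID":1,"ProcessId":100,"ParentProcessId":1,"Image":"C:\\Users\\alice\\AppData\\Local\\SquirrelTemp\\Update.exe","CommandLine":"Update.exe --install ."}',
    r'{"EventID":1,"ProcessId":200,"ParentProcessId":100,"Image":"C:\\Users\\alice\\AppData\\Local\\example-app\\node.exe","CommandLine":"node.exe preinstall.js"}',
    r'{"EventID":1,"ProcessId":300,"ParentProcessId":200,"Image":"C:\\Users\\alice\\AppData\\Local\\Temp\\viewer\\viewer.exe","CommandLine":"viewer.exe"}',
    r'{"EventID":7,"ProcessId":300,"Image":"C:\\Users\\alice\\AppData\\Local\\Temp\\viewer\\viewer.exe","ImageLoaded":"C:\\Users\\alice\\AppData\\Local\\Temp\\viewer\\helper.dll","Signed":"false"}',
    r'{"EventID":7,"ProcessId":300,"Image":"C:\\Users\\alice\\AppData\\Local\\Temp\\viewer\\viewer.exe","ImageLoaded":"C:\\Windows\\System32\\kernel32.dll","Signed":"true"}',
    # Benign: an installed app loading its own signed DLL from Program Files.
    r'{"EventID":1,"ProcessId":400,"ParentProcessId":1,"Image":"C:\\Program Files\\Example\\example.exe","CommandLine":"example.exe"}',
    r'{"EventID":7,"ProcessId":400,"Image":"C:\\Program Files\\Example\\example.exe","ImageLoaded":"C:\\Program Files\\Example\\example.dll","Signed":"true"}',
    # Side-by-side unsigned DLL but no suspicious ancestry: reported, low severity.
    r'{"EventID":1,"ProcessId":500,"ParentProcessId":1,"Image":"C:\\Users\\alice\\tools\\tool.exe","CommandLine":"tool.exe"}',
    r'{"EventID":7,"ProcessId":500,"Image":"C:\\Users\\alice\\tools\\tool.exe","ImageLoaded":"C:\\Users\\alice\\tools\\plugin.dll","Signed":"false"}',
]


def parse_events(lines):
    """Parse JSON-per-line events, skipping lines that are not valid JSON."""
    events = []
    for line in lines:
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def is_user_writable(path):
    return path.lower().startswith(USER_WRITABLE_PREFIXES)


def basename(path):
    return ntpath.basename(path).lower()


def dirname(path):
    return ntpath.dirname(path).lower()


def ancestry(pid, procs):
    """Image base names from pid up to the root, following ParentProcessId.

    Stops on unknown PIDs (incomplete telemetry) and on PID reuse cycles.
    """
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(basename(procs[pid]["Image"]))
        pid = procs[pid].get("ParentProcessId")
    return chain


def sideload_candidates(events):
    """ImageLoad events where an unsigned DLL comes from the host executable's
    own directory and that directory is user-writable."""
    out = []
    for ev in events:
        if ev.get("EventID") != 7:
            continue
        exe, dll = ev.get("Image", ""), ev.get("ImageLoaded", "")
        if not dll.lower().endswith(".dll"):
            continue
        if dirname(exe) != dirname(dll) or not is_user_writable(dll):
            continue
        if str(ev.get("Signed", "")).lower() == "true":
            continue
        out.append(ev)
    return out


def detect(lines):
    """Return one finding per side-loading candidate, graded by whether the
    process ancestry shows the installer and Node.js stages described above."""
    events = parse_events(lines)
    procs = {ev["ProcessId"]: ev for ev in events if ev.get("EventID") == 1}
    findings = []
    for ev in sideload_candidates(events):
        chain = ancestry(ev["ProcessId"], procs)
        saw_squirrel = any(name in SQUIRREL_NAMES for name in chain)
        saw_node = any(name in NODE_NAMES for name in chain)
        if saw_squirrel and saw_node:
            severity = "high"
        elif saw_squirrel or saw_node:
            severity = "medium"
        else:
            severity = "low"
        findings.append({"pid": ev["ProcessId"], "exe": ev["Image"],
                         "dll": ev["ImageLoaded"], "chain": chain,
                         "severity": severity})
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG_LINES):
        print(json.dumps(finding))
```

The side-loading test alone (unsigned DLL next to its host in a user-writable folder) fires on plenty of legitimate portable software, which is why the ancestry check does the grading: the same load event is "high" only when the parent chain contains both the installer and the Node.js stage. Expect to extend the writable-prefix list and the installer names for your environment, and to add the hash of the loaded DLL to the finding before it reaches a ticket.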

What can/does it do?

Once launched, Coyote monitors all open applications on the victim's system and waits for a targeted banking application or website to be accessed. It then contacts a server under the attacker's control to obtain instructions for the next stage.

It can carry out a multitude of commands: record keystrokes, take screenshots, terminate processes, display fake overlays, move the mouse pointer to a specific spot, and even shut down the computer.

It can also display a fake “Working on updates…” screen that effectively locks the user out of the machine while it carries out fraudulent operations in the background.

Beyond screenshots and keylogging, the malware can display windowed and full-screen overlays and move the cursor. The phishing overlays replicate the user interfaces of banking applications and websites, capturing whatever the victim enters (credit card numbers, transaction details, login credentials, and so on).

How is it different from others?

What sets Coyote apart from other banking Trojans of its kind is its use of the open-source Squirrel framework for installing and updating Windows applications. Another notable departure is the shift from Delphi, which is prevalent among banking malware families targeting Latin America, to a less common language, Nim.

How to avoid installation of malware?

  • Exercise caution when browsing, as malicious and fraudulent content frequently presents itself as harmless and authentic.
  • Be cautious with incoming emails and other messages.
  • Educate users not to open attachments or links found in questionable emails, since they may deliver malware.
  • Perform all downloads from official and verified channels.
  • Activate and update software only through legitimate functions and tools; activators and updaters obtained from third parties may contain malware.
  • Use security software such as antivirus to run regular system scans and remove detected threats.