New Coyote Malware Steals Banking Details by Hijacking Windows Features
A sophisticated and stealthy new malware, dubbed “Coyote,” is actively targeting financial institutions and their customers by exploiting a legitimate Windows accessibility feature to steal sensitive data, including bank account credentials and passwords. This threat demonstrates a cunning evolution in malware design, blending in with normal system operations to avoid detection.
The primary targets are currently linked to over 60 banking institutions, mainly in Brazil, but the techniques used are universal and could easily be adapted for global campaigns. Understanding how this malware operates is the first step toward protecting yourself.
How Does Coyote Malware Work?
Coyote’s attack chain is notable for its use of legitimate tools to carry out malicious activities, a technique known as “living off the land.” This makes it incredibly difficult for traditional antivirus programs to flag its behavior as suspicious.
The infection typically begins with a user downloading a malicious installer file, often disguised as a legitimate software update or document. Once executed, the process unfolds in several stages:
- Initial Installation: The malware uses a legitimate application installer and update framework known as Squirrel to unpack and install its components. By using a trusted tool, it bypasses initial security checks.
- Hijacking an Accessibility Tool: The core of the attack is its clever manipulation of the Windows operating system. Coyote replaces the legitimate
stickykeys.exeexecutable with its own malicious version. Thestickykeys.exeis a genuine accessibility feature that allows users to issue keyboard shortcuts one key at a time. - Achieving Persistence: By replacing this system file, the malware ensures it runs with high privileges every time the system starts. When a user logs into their computer, the compromised
stickykeys.exeis automatically triggered, allowing Coyote to monitor user activity from the outset. - Data Theft: Once active, Coyote monitors for browser activity related to specific banking websites. When a user attempts to log into their bank, the malware captures their login credentials, passwords, and other sensitive information. This data is then encrypted and sent to a command-and-control server operated by the attackers.
What makes Coyote particularly elusive is that it is written in the Nim programming language, a relatively modern and less common choice for malware developers. This helps it evade many signature-based security solutions that are more accustomed to malware written in C++ or Python.
The Danger of Blending In
The true danger of Coyote lies in its stealth. By masquerading as a legitimate Windows process and using a trusted installation framework, it minimizes its footprint and avoids raising red flags. Users and even some security systems may not notice anything is wrong until fraudulent transactions occur.
This approach highlights a critical vulnerability: attackers can turn trusted components of an operating system against its users. The replacement of a core accessibility tool is a serious breach that gives the malware a powerful foothold on the infected machine.
How to Protect Yourself from Coyote and Similar Threats
Defending against stealthy malware like Coyote requires a multi-layered security approach that goes beyond basic antivirus protection.
- Be Vigilant with Downloads: Exercise extreme caution with unsolicited emails, attachments, and software installers. Never download applications from untrusted sources. If you receive an unexpected request to update software, go directly to the official vendor’s website.
- Implement Advanced Endpoint Security: For businesses and security-conscious individuals, relying on traditional antivirus is not enough. Endpoint Detection and Response (EDR) solutions are designed to monitor system behavior for anomalies, such as an unauthorized process replacing a critical system file like
stickykeys.exe. - Enable Multi-Factor Authentication (MFA): This is one of the most effective defenses against credential theft. Even if attackers manage to steal your password, MFA provides a crucial second layer of security that prevents them from accessing your account.
- Keep Your Systems Patched: Ensure your operating system and all applications are fully updated. While Coyote exploits a feature rather than a bug, maintaining up-to-date software closes other potential security holes attackers could leverage.
- Monitor System Integrity: Advanced users and IT administrators should consider implementing tools that monitor for changes to critical system files. An alert on a modification to
stickykeys.exeorutilman.execould be an early indicator of a compromise.
Ultimately, the emergence of Coyote is a stark reminder that cybercriminals are constantly refining their methods. By staying informed and adopting robust security practices, you can significantly reduce your risk of becoming a victim.
Source: https://www.bleepingcomputer.com/news/security/coyote-malware-abuses-windows-accessibility-framework-for-data-theft/
