
Coyote Malware: The New Banking Trojan Using a Surprising Microsoft Tool to Steal Your Data
A sophisticated new banking trojan, dubbed “Coyote,” is actively targeting financial institutions and their customers. This malware represents a significant evolution in cybercrime, employing a clever and stealthy method to bypass common security measures and steal sensitive banking credentials directly from users.
What makes Coyote particularly dangerous is its use of a legitimate Microsoft tool to carry out its malicious activities, making it harder to detect than traditional threats. Understanding how this threat works is the first step toward protecting your financial information.
What Is the Coyote Banking Trojan?
Coyote is a piece of malware specifically designed to steal financial data. Its primary goal is to capture user credentials, such as login IDs, passwords, and transaction authentication numbers, when a user attempts to access their online banking portal.
While initially observed targeting users of over 60 banking institutions in Brazil, the tools and techniques used by Coyote are not geographically limited. Security experts believe its capabilities allow it to be easily adapted to target banks and financial service providers worldwide, making this a global threat to watch.
How the Coyote Malware Attack Works
The attack chain begins with a classic but effective method: a phishing email. Users receive a deceptive email containing a link to a file, often disguised as a legitimate document or update. This file is typically a Microsoft Installer (.msi) package.
Once the user runs the installer, the infection process begins in stages:
- The Loader: A small, difficult-to-detect loader program is installed. This loader is written in the Nim programming language, a newer language that is gaining popularity with cybercriminals because it can be harder for some antivirus programs to analyze.
- The Download: The loader’s sole job is to contact a remote server and download the main payload: the Coyote malware itself. This multi-stage attack helps the malware evade initial detection, as the first file installed isn’t the primary threat.
- Execution and Monitoring: Once active on the system, Coyote patiently monitors the user’s activity. It specifically watches for the launch of web browsers like Google Chrome, Microsoft Edge, or Firefox and checks which websites the user is visiting.
The Secret Weapon: Abusing Microsoft UI Automation
Here is where Coyote’s attack becomes unique. Instead of injecting malicious code directly into the browser—a technique that many modern security tools are designed to block—Coyote uses Microsoft UI Automation.
UI Automation is a legitimate accessibility framework built into Windows. It’s designed to help applications and assistive technologies (like screen readers) interact with the user interface (UI) of other programs. It can read text from buttons, fill in form fields, and click on-screen elements.
Coyote weaponizes this feature. When it detects that the user has navigated to a targeted banking website, it uses UI Automation to:
- Observe the screen and identify login fields.
- Log the keystrokes entered into the password and username boxes.
- Capture sensitive information displayed on the screen.
- Potentially manipulate the webpage, creating fake pop-ups asking for more information.
Because Coyote is using a trusted, signed Microsoft process to interact with the browser, it can bypass many browser-based security defenses that look for suspicious code injection or unauthorized add-ons. It’s like having a spy look over your shoulder and record what you type, rather than trying to tamper with the lock on the door.
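One way defenders can turn this into a detection is to watch which processes load the UI Automation client library at all, since any program that drives another application's UI through UIA has to load it. The checker below is an added example written for this article (not Coyote's code and not from the original report): it scans constructed, Sysmon-style image-load records and flags any process outside a hypothetical allowlist that loads UIAutomationCore.dll, adding weight when that process runs from a user-writable directory. The record format, the allowlist paths and the sample events are all assumptions for illustration.

```python
from dataclasses import dataclass

# Browsers and assistive tools load the UIA client library legitimately, so an
# allowlist (hypothetical here; tune it per environment) is what makes this useful.
UIA_DLL = "uiautomationcore.dll"
ALLOWLIST = {
    r"c:\windows\system32\narrator.exe",
    r"c:\windows\system32\magnify.exe",
    r"c:\program files\google\chrome\application\chrome.exe",
}
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\programdata\\")
# Constructed, simplified image-load records (modelled on Sysmon Event ID 7).
SAMPLE_EVENTS = [
    r"EventID=7|ProcessId=6000|Image=C:\Program Files\Google\Chrome\Application\chrome.exe|ImageLoaded=C:\Windows\System32\UIAutomationCore.dll",
    r"EventID=7|ProcessId=5532|Image=C:\Users\alice\AppData\Local\Temp\update.exe|ImageLoaded=C:\Windows\System32\UIAutomationCore.dll",
    r"EventID=7|ProcessId=5532|Image=C:\Users\alice\AppData\Local\Temp\update.exe|ImageLoaded=C:\Windows\System32\kernel32.dll",
    r"EventID=1|ProcessId=7001|Image=C:\Windows\System32\msiexec.exe|CommandLine=msiexec /i invoice.msi",
]

@dataclass(frozen=True)
class Finding:
    pid: int
    image: str
    reasons: tuple

def parse_event(line: str) -> dict:
    """Split a 'key=value|key=value' record into a dict."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields

def analyze(lines) -> list:
    """Return one Finding per non-allowlisted process that loads the UIA client DLL."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "7":
            continue  # only image-load events carry the DLL name
        if ev.get("ImageLoaded", "").lower().rsplit("\\", 1)[-1] != UIA_DLL:
            continue
        image = ev.get("Image", "").lower()
        if image in ALLOWLIST:
            continue
        reasons = ["non-allowlisted process loaded " + UIA_DLL]
        if any(marker in image for marker in USER_WRITABLE):
            reasons.append("process image runs from a user-writable path")
        findings.append(Finding(int(ev["ProcessId"]), image, tuple(reasons)))
    return findings
```

Running `analyze(SAMPLE_EVENTS)` flags only the loader-like process in the user's Temp directory; Chrome's own load of the same DLL is expected and stays quiet.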
How to Protect Yourself from Coyote and Other Banking Trojans
Protecting yourself requires a multi-layered security approach. Since Coyote relies on tricking the user and exploiting system tools, vigilance is your most powerful weapon.
- Scrutinize All Emails: The infection starts with phishing. Never click on links or download attachments from unsolicited or suspicious emails. Verify the sender’s identity and be wary of urgent requests or offers that seem too good to be true.
- Enable Multi-Factor Authentication (MFA): This is the single most effective step you can take. Even if Coyote successfully steals your password, MFA prevents criminals from accessing your account because they won’t have the second verification factor (like a code from your phone).
- Keep Your Software Updated: Ensure your operating system, web browser, and security software are always up-to-date. Patches often close the security loopholes that malware loaders exploit.
- Use a Reputable Antivirus Solution: A robust endpoint security or antivirus program can detect and block malicious installers and monitor for suspicious behavior, such as one program trying to control another via UI Automation.
- Monitor Your Financial Accounts: Regularly review your bank and credit card statements for any unauthorized transactions. Report any suspicious activity to your financial institution immediately.
Coyote malware is a stark reminder that cybercriminals are constantly innovating. By understanding their methods and adopting strong, proactive security habits, you can build a formidable defense against these evolving financial threats.
Source: https://go.theregister.com/feed/www.theregister.com/2025/07/24/coyote_malware_microsoft_uia/