
Coyote Malware: A New Breed of Banking Trojan Weaponizes a Hidden Windows Feature
The world of cybersecurity is a relentless arms race, and a new threat has emerged that cleverly turns one of Windows’ own features against its users. Known as Coyote malware, this sophisticated banking trojan marks a significant evolution in how criminals steal financial information, pioneering a technique that could soon be adopted by attackers worldwide.
Initially targeting the customers of over 60 banking institutions in Brazil, Coyote’s methods serve as a chilling blueprint for future cyberattacks. What makes this malware particularly dangerous is its novel approach: it is the first known banking trojan to exploit the Windows UI Automation (UIA) framework to capture sensitive user data.
What Makes Coyote Malware So Different?
Unlike traditional keyloggers that record keystrokes or malware that injects fake forms into web pages, Coyote takes a more insidious path. It leverages a legitimate and powerful component built directly into the Windows operating system.
Here’s a breakdown of its cunning design:
- Modern Programming Language: Coyote is written in Nim, a relatively new and powerful programming language. This choice helps it evade detection by many traditional antivirus solutions that are less familiar with Nim-based executables.
- Deceptive Installer: The malware spreads using a tool called Squirrel, which is a legitimate installation and update framework used by popular applications like Slack, Discord, and Microsoft Teams. This allows the malicious installer to appear harmless and bypass initial security checks.
- Living Off the Land: The true innovation lies in its use of Windows UI Automation. UIA is an accessibility framework designed to help users with disabilities: it lets a program enumerate the user interface (UI) elements of other applications and interact with them, such as reading the text of a field on the screen or clicking a button.
Coyote leverages this legitimate Windows UI Automation framework to read banking credentials straight off the user's screen. Because the calls it makes are the same ones an assistive tool would make, its activity blends in with normal system behaviour and is easy to mistake for a legitimate accessibility process.
How a Coyote Attack Unfolds
The attack chain is both patient and precise, waiting for the perfect moment to strike.
- Infection: A user is tricked into downloading and running what appears to be a legitimate software installer package.
- Installation: The Squirrel installer discreetly places the malware on the system. The malware then lies dormant, monitoring the user’s activity.
- Activation: The moment the user navigates to a targeted online banking portal, Coyote springs into action.
- Data Theft with UIA: Instead of logging keystrokes, Coyote uses UI Automation to directly read the content of the login and password fields after the user has entered them. It can even capture one-time passwords (OTPs) and multi-factor authentication (MFA) codes that are displayed or entered on the screen.
- Exfiltration: Once the credentials are stolen, they are encrypted and sent to a command-and-control server operated by the cybercriminals.
Why This New Technique is So Dangerous
The abuse of the UI Automation framework is a game-changer for several reasons.
- Extreme Stealth: Because Coyote uses a native Windows API, its actions are much harder to flag as malicious. Security software is designed to trust core system processes, and Coyote exploits that trust perfectly.
- Bypasses Standard Defenses: This method can effectively bypass security measures that focus on web-based injections or keyboard logging. The malware isn’t altering the website or monitoring the keyboard; it’s simply reading what’s already on the screen.
- A Dangerous Precedent: Coyote has proven that this technique is viable. This is not just a threat to Brazil; it’s a proof-of-concept for global cyberattacks. We can expect other malware authors to copy and refine this method to target banks and financial services across the world.
How to Protect Yourself from Coyote and Similar Threats
While Coyote is sophisticated, you can take concrete steps to fortify your defenses against this and other advanced malware.
- Source Your Software Carefully: Only download applications from official websites and verified app stores. Avoid installers from third-party repositories, pop-up ads, or unsolicited emails.
- Enhance Your Endpoint Security: Use a reputable, next-generation antivirus or Endpoint Detection and Response (EDR) solution. These advanced tools are better equipped to detect behavioral anomalies, such as a non-accessibility application suddenly using the UI Automation framework.
- Upgrade Your Multi-Factor Authentication (MFA): While Coyote can capture on-screen MFA codes, it is far less effective against phishing-resistant, hardware-based authentication. Consider using FIDO2-compliant security keys (like a YubiKey): they require a physical touch and never display a code on screen, so there is nothing for screen-reading malware to capture.
- Be Vigilant: Pay close attention to your computer’s performance, especially when accessing sensitive sites. If your browser or system behaves unusually, close the session immediately and run a security scan.
- Keep Everything Updated: Ensure your operating system, web browser, and all security software are always up-to-date to protect against known vulnerabilities.
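The behavioural signal mentioned above (a process that is not an accessibility tool suddenly loading the UI Automation framework) is something a defender can check for in endpoint telemetry. The script below is an added example written for this page; it is not code from the article, from the Coyote analysis it summarises, or from any EDR vendor. It assumes Sysmon Event ID 7 (ImageLoad) records exported as JSON lines with the standard Image, ImageLoaded, Signed, ProcessId and UtcTime fields, flags any load of UIAutomationCore.dll by a process outside a small allowlist, and raises the severity when the loader is unsigned or runs from a user-writable directory such as %LOCALAPPDATA%, where Squirrel-style installers place their applications. The allowlist and the sample events are constructed for illustration and are not Coyote indicators.

```python
"""Flag unexpected loaders of the Windows UI Automation library.

Added example for this page: a detection rule over constructed Sysmon-style
Event ID 7 (ImageLoad) records in JSON-lines form. Not vendor or Coyote code.
"""
import json
import ntpath
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Native UI Automation library loaded by any UIA client or provider.
UIA_MODULE = "uiautomationcore.dll"

# Assumed allowlist of processes expected to use UIA on a typical desktop
# (assistive tools and the shell). Tune this for your own environment.
EXPECTED_UIA_LOADERS = {
    "explorer.exe", "narrator.exe", "magnify.exe", "osk.exe",
    "searchhost.exe", "startmenuexperiencehost.exe",
}

# Path fragments for directories a standard user can write to. Squirrel-style
# installers place their application under %LOCALAPPDATA%, so a UIA client
# running from such a location deserves a closer look.
USER_WRITABLE_FRAGMENTS = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")


@dataclass
class Alert:
    utc_time: str
    pid: int
    image: str
    severity: str
    reason: str


def _basename(path: str) -> str:
    return ntpath.basename(path).lower()


def score_uia_load(event: dict) -> Optional[Alert]:
    """Return an Alert when an ImageLoad event is an unexpected UIA load."""
    if str(event.get("EventID")) != "7":
        return None                      # not an ImageLoad record
    if _basename(event.get("ImageLoaded", "")) != UIA_MODULE:
        return None                      # some other DLL
    image = event.get("Image", "")
    name = _basename(image)
    if name in EXPECTED_UIA_LOADERS:
        return None                      # a known accessibility/shell process
    reasons = [f"{name} is not an expected UI Automation client"]
    severity = "medium"
    if any(frag in image.lower() for frag in USER_WRITABLE_FRAGMENTS):
        reasons.append("loader runs from a user-writable directory")
        severity = "high"
    if str(event.get("Signed", "")).lower() != "true":
        reasons.append("loader image is unsigned")
        severity = "high"
    return Alert(event.get("UtcTime", ""), int(event.get("ProcessId", 0)),
                 image, severity, "; ".join(reasons))


def scan(lines: Iterable[str]) -> List[Alert]:
    """Run the rule over JSON-lines telemetry and collect alerts in order."""
    alerts: List[Alert] = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        alert = score_uia_load(json.loads(line))
        if alert is not None:
            alerts.append(alert)
    return alerts


# Constructed sample telemetry (not real Coyote indicators): Narrator and
# Explorer loading UIA are benign, a browser loading kernel32 is unrelated,
# a signed vendor tool is worth a look, and an unsigned binary under
# %LOCALAPPDATA% is the pattern a Squirrel-delivered stealer would show.
SAMPLE_EVENTS = r"""
{"EventID": 7, "UtcTime": "2025-07-24 13:01:02.100", "ProcessId": 4120, "Image": "C:\\Windows\\System32\\Narrator.exe", "ImageLoaded": "C:\\Windows\\System32\\UIAutomationCore.dll", "Signed": "true"}
{"EventID": 7, "UtcTime": "2025-07-24 13:01:05.410", "ProcessId": 1288, "Image": "C:\\Windows\\explorer.exe", "ImageLoaded": "C:\\Windows\\System32\\UIAutomationCore.dll", "Signed": "true"}
{"EventID": 7, "UtcTime": "2025-07-24 13:02:11.000", "ProcessId": 5532, "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll", "Signed": "true"}
{"EventID": 7, "UtcTime": "2025-07-24 13:03:40.207", "ProcessId": 6004, "Image": "C:\\Program Files\\ExampleVendor\\uitest.exe", "ImageLoaded": "C:\\Windows\\System32\\UIAutomationCore.dll", "Signed": "true"}
{"EventID": 7, "UtcTime": "2025-07-24 13:05:09.933", "ProcessId": 7310, "Image": "C:\\Users\\alice\\AppData\\Local\\UpdaterApp\\app-1.0.2\\Update.exe", "ImageLoaded": "C:\\Windows\\System32\\UIAutomationCore.dll", "Signed": "false"}
"""


if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS.splitlines()):
        print(f"[{a.severity.upper()}] {a.utc_time} pid={a.pid} {a.image}: {a.reason}")
```

Run on the constructed sample, the rule stays silent for Narrator, Explorer and the unrelated kernel32 load, produces a medium alert for the signed vendor tool, and a high alert for the unsigned binary under the user's AppData folder. In production the allowlist is the part that needs care: legitimate UI-testing frameworks, screen readers and some remote-support tools all use UIA, so a new allowlist entry should be justified by the binary's signer and install path rather than its name alone.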
Coyote malware represents the next step in the evolution of financial threats. By understanding how it works and adopting a multi-layered security strategy, we can better protect ourselves from this new wave of intelligent, stealthy attacks.
Source: https://securityaffairs.com/180334/malware/coyote-malware-is-first-ever-malware-abusing-windows-ui-automation.html