Kaspersky's Global Research and Analysis Team (GReAT) has discovered a new banking Trojan that steals sensitive financial information and introduces advanced tactics for avoiding detection. Dubbed 'Coyote', the malware is distributed through the Squirrel installer; its name nods to coyotes being the natural predators of squirrels.
Coyote primarily targets customers of more than 60 banking institutions in Brazil. It is delivered via the Squirrel installer, a mechanism rarely linked to malware delivery, and Kaspersky's researchers have traced the entire infection chain.
Rather than the well-known installers usually abused for delivery, Coyote uses Squirrel, a tool for installing and updating Windows desktop applications. Packaged this way, the initial-stage loader passes as nothing more than an ordinary application update.
What makes Coyote harder to analyze is its use of Nim, a modern cross-platform programming language, for the loader that runs the final stage of the infection. This fits a trend Kaspersky has observed of cybercriminals moving to less popular, cross-platform languages, whose compiled output is less familiar to analysts and less well covered by existing detection tooling, and it shows how quickly they adapt to new technology.
The infection chain runs as follows: a Node.js application executes obfuscated JavaScript, a Nim loader unpacks a .NET executable, and that executable, the Trojan proper, runs. Coyote does not obfuscate the code of the final stage, but it does obfuscate its strings, encrypting them with AES (Advanced Encryption Standard) so that the identifiers it relies on are not visible to a static string search. Its objective is standard for a banking Trojan: it watches for access to specific banking applications or websites.
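The string-obfuscation detail above, as an added Go example that is not part of the original report or of Coyote's own code: each sensitive literal is stored only as an AES-CBC ciphertext (CBC with PKCS#7 padding, the defaults of .NET's Aes class, since the final stage is a .NET executable) and decrypted immediately before use, so a static string sweep over the binary finds nothing, while an analyst who pulls the embedded key out of the sample recovers the whole table in one pass. The key, the literals and the table layout are constructed assumptions for this example, not indicators from the report.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// demoKey is a constructed AES-128 key for this example (not one recovered from
// Coyote). A string-obfuscated binary must embed its key to decrypt at run time.
var demoKey = []byte("constructed-key!") // exactly 16 bytes

// demoLiterals are constructed stand-ins for the kind of strings a banking Trojan hides.
var demoLiterals = []string{"https://c2.example.invalid/beacon", "banking-app.exe", "cmd:screenshot"}

// pkcs7Unpad strips PKCS#7 padding and rejects malformed trailers instead of returning garbage.
func pkcs7Unpad(b []byte, blockSize int) ([]byte, error) {
	if len(b) == 0 || len(b)%blockSize != 0 {
		return nil, errors.New("pkcs7: length is not a multiple of the block size")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > blockSize || !bytes.Equal(b[len(b)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("pkcs7: bad padding")
	}
	return b[:len(b)-n], nil
}

// encryptString is the build-time side: PKCS#7 pad, AES-CBC with a fresh random IV
// prepended, then base64 so the blob can sit in an ordinary string table in the binary.
func encryptString(key []byte, plaintext string) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(iv); err != nil {
		return "", err
	}
	n := aes.BlockSize - len(plaintext)%aes.BlockSize
	padded := append([]byte(plaintext), bytes.Repeat([]byte{byte(n)}, n)...)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	return base64.StdEncoding.EncodeToString(append(iv, ct...)), nil
}

// decryptString is the routine the sample calls right before each use of a string, and
// exactly what an analyst re-implements once the key has been located in the binary.
func decryptString(key []byte, blob string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(blob)
	if err != nil {
		return "", err
	}
	if len(raw) < 2*aes.BlockSize || len(raw)%aes.BlockSize != 0 {
		return "", errors.New("ciphertext too short or not block-aligned")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	pt := make([]byte, len(raw)-aes.BlockSize)
	cipher.NewCBCDecrypter(block, raw[:aes.BlockSize]).CryptBlocks(pt, raw[aes.BlockSize:])
	plain, err := pkcs7Unpad(pt, aes.BlockSize)
	return string(plain), err
}

// recoverStrings is the analyst's bulk decryptor: one pass over the table with the extracted key.
func recoverStrings(key []byte, table []string) ([]string, error) {
	out := make([]string, 0, len(table))
	for _, blob := range table {
		s, err := decryptString(key, blob)
		if err != nil {
			return nil, err
		}
		out = append(out, s)
	}
	return out, nil
}

// containsPlaintext mimics a `strings`-style sweep over the embedded table, the static check this scheme defeats.
func containsPlaintext(table []string, needle string) bool {
	return strings.Contains(strings.Join(table, "\n"), needle)
}

func main() {
	table := make([]string, len(demoLiterals))
	for i, s := range demoLiterals {
		table[i], _ = encryptString(demoKey, s) // error ignored only in this demo driver
	}
	recovered, err := recoverStrings(demoKey, table)
	fmt.Println("visible to a string sweep:", containsPlaintext(table, "beacon"), "recovered:", recovered, err)
}
```

The caveat for defenders is the flip side of the design: because the key and the decryption routine have to ship inside the binary, this defeats string-based static signatures, not dynamic analysis or a reverse engineer with a debugger. Detections built on the decryption routine itself, or on behaviour such as monitoring for the targeted banking applications and the C2 callbacks, are the durable ones.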
Once a targeted banking application or site is active, Coyote contacts its command-and-control server over SSL/TLS with mutual authentication, meaning the client presents its own certificate as well as validating the server's. The encrypted channel, together with capabilities such as keylogging and screenshot capture, marks the Trojan as an advanced one. It can also request specific bank-card passwords and display a fake page to harvest the victim's credentials.
Kaspersky telemetry shows that around 90 percent of Coyote infections are in Brazil, making it a significant threat to the region's financial cybersecurity.
"In the last three years, the number of banking Trojan attacks almost doubled, hitting over 18 million in 2023," said Fabio Assolini, head of the Latin American Global Research and Analysis Team (GReAT) at Kaspersky. "As we deal with the growing number of cyber threats, it's important for people and businesses to protect their digital assets. The rise of Coyote, a new kind of Brazilian banking Trojan, reminds us to be careful and use the latest defenses to keep our important information safe."
To read the full report on the Coyote banking Trojan, visit Securelist.
For protection against financial threats, Kaspersky recommends:
- Install only applications obtained from reliable sources.
- Do not approve rights or permissions requested by an application until you have checked that they match its feature set.
- Never open links or documents included in unexpected or suspicious-looking messages.
- Use a reliable security solution, such as Kaspersky Premium, that protects you and your digital infrastructure from a wide range of financial cyberthreats.
To protect your business from financial malware, Kaspersky security experts recommend:
- Provide cybersecurity awareness training, especially for employees responsible for accounting, including instruction on how to recognize phishing pages.
- Improve the digital literacy of staff.
- Enable a Default Deny policy for critical user profiles, particularly those in financial departments, so that only approved web resources can be accessed.
- Install the latest updates and patches for all software in use.