
This malware uses Windows features to steal your banking credentials
What's the story
Security researchers have documented a new variant of the Coyote banking trojan that abuses a legitimate Windows accessibility feature to steal banking credentials. The variant was reported by Akamai, a cybersecurity and content-delivery firm whose research team tracks and mitigates such threats. The updated Coyote uses Microsoft's UI Automation (UIA) framework, built into Windows for assistive technologies, to identify banking and cryptocurrency exchange websites that the victim has open in the browser. This is part of its broader strategy of stealing wallet and online-banking credentials.
Malware tactics
Malware employs a range of techniques to steal banking information
Coyote employs a range of techniques, including keylogging and phishing overlays drawn on top of legitimate banking pages, to capture banking information. It is delivered through the Squirrel installer, a widely used open-source tool for installing and updating Windows desktop applications, which helps the initial payload look like a routine software install. Once running, the malware reports the computer name, user name, system attributes and details about the financial services the victim uses to its command-and-control server.
Targeting strategy
How the malware uses Windows API to target victims
Coyote calls the Windows API GetForegroundWindow() to obtain a handle to whichever window the user is currently working in, reads that window's title, and compares it against a hardcoded list of banking websites and cryptocurrency exchanges. If the title does not reveal a target, it falls back to the UI Automation framework: by walking the UIA element tree of the browser window it can read the address bar (and other page elements) directly, recover the URL, and compare that against the same list. Because UIA is a legitimate accessibility interface that many applications use, this inspection looks like ordinary inter-process activity rather than the injection or hooking that endpoint security products are tuned to flag, which is what makes the technique hard to detect.
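The two-stage check described above, written out as an added illustration of the decision flow; this is not code from Akamai's report or from the malware itself. The target hostnames and title keywords are placeholders I made up, the Windows acquisition layer uses the real Win32 calls GetForegroundWindow/GetWindowTextW through ctypes, and the UIA step relies on the third-party pywinauto package (its "uia" backend walks the same UI Automation tree), which is an assumption about tooling rather than anything the article states. On a non-Windows machine the script exercises only the matching logic on constructed sample input.

```python
"""Two-stage target check: window title first, UI Automation (address bar) on a miss."""
import sys
from typing import Callable, Optional, Tuple
from urllib.parse import urlsplit

# Constructed placeholder list standing in for the hardcoded bank/exchange names.
# The real Coyote target list is not reproduced here.
TARGET_HOSTS = ("bank-example.test", "exchange-example.test")
TARGET_TITLE_WORDS = ("bank example", "exchange example")


def title_matches(title: str) -> Optional[str]:
    """Cheap first stage: case/whitespace-insensitive keyword search in the window title."""
    normalized = " ".join(title.lower().split())
    for word in TARGET_TITLE_WORDS:
        if word in normalized:
            return word
    return None


def hostname_matches(url: str) -> Optional[str]:
    """Second stage: match the URL's host exactly or as a subdomain of a target host.

    Suffix matching on the full host avoids a naive substring hit on look-alike
    domains such as exchange-example.test.evil.example.
    """
    if "://" not in url:
        url = "https://" + url  # address bars often omit the scheme
    host = (urlsplit(url).hostname or "").lower()
    for target in TARGET_HOSTS:
        if host == target or host.endswith("." + target):
            return target
    return None


def classify(title: str, get_url: Callable[[], Optional[str]]) -> Tuple[Optional[str], Optional[str]]:
    """Return (stage, target). get_url is only invoked when the title check misses,
    mirroring the title-first, UIA-second order described in the article."""
    hit = title_matches(title)
    if hit:
        return ("title", hit)
    url = get_url()
    if url:
        hit = hostname_matches(url)
        if hit:
            return ("uia_url", hit)
    return (None, None)


if sys.platform == "win32":
    import ctypes
    from ctypes import wintypes

    user32 = ctypes.WinDLL("user32", use_last_error=True)
    user32.GetForegroundWindow.restype = wintypes.HWND
    user32.GetWindowTextLengthW.argtypes = [wintypes.HWND]
    user32.GetWindowTextW.argtypes = [wintypes.HWND, wintypes.LPWSTR, ctypes.c_int]

    def foreground_title() -> Tuple[int, str]:
        """Handle and title of the window the user is currently working in."""
        hwnd = user32.GetForegroundWindow()
        length = user32.GetWindowTextLengthW(hwnd) + 1
        buf = ctypes.create_unicode_buffer(length)
        user32.GetWindowTextW(hwnd, buf, length)
        return hwnd, buf.value

    def uia_address_bar(hwnd: int) -> Optional[str]:
        """Read the first URL-looking Edit control in the window's UIA tree.

        Assumes pywinauto is installed (pip install pywinauto); the 'looks like a URL'
        heuristic is mine, not something the article describes.
        """
        from pywinauto import Desktop  # third-party, Windows only

        window = Desktop(backend="uia").window(handle=hwnd)
        for edit in window.descendants(control_type="Edit"):
            try:
                value = edit.get_value()
            except Exception:  # control without a ValuePattern
                continue
            if value and ("://" in value or "." in value):
                return value
        return None


if __name__ == "__main__":
    if sys.platform == "win32":
        hwnd, title = foreground_title()
        print(title, classify(title, lambda: uia_address_bar(hwnd)))
    else:
        # Constructed samples: generic tab title forces the URL fallback.
        print(classify("Bank Example - Login", lambda: None))
        print(classify("New Tab", lambda: "app.exchange-example.test/login"))
        print(classify("New Tab", lambda: "https://exchange-example.test.evil.example/"))
```

The ordering matters for a defender reading this: the title comparison costs nothing and is silent, so it is the stage most likely to succeed unnoticed, while the UIA fallback is the only stage that produces observable cross-process activity (UIA client calls into the browser), which is where detection effort has to go.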
Malware impact
Currently targeting Brazilian users
This Coyote variant currently targets Brazilian users. However, security researchers note that cybercriminals often test new malware in one region before deploying it more widely. Akamai's researchers have also published a proof-of-concept showing how the UI Automation framework can be abused to read login credentials entered on such websites. The case shows how a feature built for accessibility can be turned against users, and why defenders need to watch for unexpected use of such legitimate interfaces rather than only for classic malware behaviour.