‘Coyote’ ugly: Kaspersky unveils banking trojan targeting over 60 institutions
A new sophisticated banking Trojan that steals sensitive financial information and introduces advanced tactics to avoid detection has been discovered by Kaspersky's Global Research and Analysis Team (GReAT). Dubbed 'Coyote,' this malware relies on the Squirrel installer for distribution, its name drawing inspiration from coyotes, the natural predators of squirrels.
Kaspersky's experts have identified "Coyote," a sophisticated new banking trojan that employs advanced evasion tactics to pilfer sensitive financial information. Primarily targeting users affiliated with more than 60 banking institutions in Brazil, Coyote utilizes the Squirrel installer for its distribution — a method rarely linked to malware delivery. Kaspersky's researchers have investigated and identified the entire infection process of Coyote.
Instead of taking the usual path with well-known installers, Coyote chose a relatively new Squirrel tool to install and update Windows desktop applications. This way, Coyote hides its initial stage loader by pretending it's just an update packager.
What makes Coyote even more challenging is its use of Nim, a modern, cross-platform programming language, as the loader for the final stage of the infection process. This aligns with a trend observed by Kaspersky, in which cybercriminals use less popular and cross-platform languages, demonstrating their adaptability to the latest technology trends.
Coyote's journey involves a NodeJS application executing tricky JavaScript code, a Nim loader unpacking a .NET executable, and finally, the execution of a Trojan. While Coyote skips code obfuscation, it uses string obfuscation with AES (Advanced Encryption Standard) encryption for extra stealth. The Trojan's goal is in line with typical banking Trojan behavior: it watches for the specific banking application or website to be accessed.
Once banking apps are active, Coyote talks to its command-and-control server using SSL channels with mutual authentication. The Trojan's use of encrypted communication and its ability to carry out specific actions, like keylogging and taking screenshots, highlight its advanced nature. It can even ask for specific bank card passwords and set up a fake page to acquire user credentials.
Kaspersky's telemetry data shows that around 90 percent of Coyote’s infections come from Brazil, making a big impact on the region's financial cybersecurity.
“In the last three years, the number of banking Trojan attacks almost doubled, hitting over 18 million in 2023. This shows that online security challenges are on the rise. As we deal with the growing number of cyber threats, it's really important for people and businesses to protect their digital assets. The rise of Coyote, a new kind of Brazilian banking Trojan, reminds us to be careful and use the latest defenses to keep our important information safe,” comments Fabio Assolini, head of the Latin American Global Research and Analysis Team (GReAT) at Kaspersky.
Read the full report on Coyote banking Trojan, please visit Securelist.com.
For protection against financial threats, Kaspersky recommends:
- Install only applications obtained from reliable sources.
- Refrain from approving rights or permissions requested by applications without first ensuring they match the application’s feature set.
- Never open links or documents included in unexpected or suspicious-looking messages.
- Use a reliable security solution, such as Kaspersky Premium, that protects you and your digital infrastructure from a wide range of financial cyberthreats.
To protect your business from financial malware, Kaspersky security experts recommend:
- Providing cybersecurity awareness training, especially for employees responsible for accounting, that includes instructions on how to detect phishing pages.
- Improving the digital literacy of staff.
- Enabling a Default Deny policy for critical user profiles, particularly those in financial departments, which ensures that only legitimate web resources can be accessed.
- Installing the latest updates and patches for all software used.
‘Coyote’ ugly: Kaspersky unveils banking trojan targeting over 60 institutions
Kaspersky
Related Articles Virus News
Turkey, Russia, Southeast Asia and Latin America hit by Android threats, Kaspersky identifies
Three new dangerous Android malware variants have been analyzed by Kaspersky researchers. The Tambir, Dwphon, and Gigabud malicious programs exhibit diverse features, ranging from downloading other programs and credential theft to bypassing two-factor authentication (2FA) and screen recording, jeopardizing user privacy and security.Read More >Targeted ransomware groups have grown in numbers and sophistication, say Kaspersky experts
An in-depth research by Kaspersky experts shows a surge in the number of targeted ransomware groups globally by 30% from 2022 to 2023. In parallel to this increase, the number of victims of targeted ransomware attacks spiked by 70% within the same time period. These insights were shared at Kaspersky’s ninth annual Cyber Security Weekend – META, which took place in Kuala Lumpur.Read More >‘Coyote’ ugly: Kaspersky unveils banking trojan targeting over 60 institutions
A new sophisticated banking Trojan that steals sensitive financial information and introduces advanced tactics to avoid detection has been discovered by Kaspersky's Global Research and Analysis Team (GReAT). Dubbed 'Coyote,' this malware relies on the Squirrel installer for distribution, its name drawing inspiration from coyotes, the natural predators of squirrels.Read More >
We use cookies to make your experience of our websites better. By using and further navigating this website you accept this. Detailed information about the use of cookies on this website is available by clicking on more information.