Rewterz Threat Alert – New Banking Trojan Coyote Malware Hunts for Credentials from 61 Banking Apps – Active IOCs

Severity

High

Analysis Summary

A new banking trojan named “Coyote” has emerged, targeting about 61 different online banking apps to commit credential theft. The majority of the targeted banking applications are based in Brazil, a country well-known for being the world’s center for banking trojan malware.

Coyote is notable for its wide range of targeting online banking applications and its advanced use of linking different tools and components to use them together, such as a novel open-source installer named Squirrel, NodeJS, an uncommonly used programming language “Nim”, and offering over a dozen malicious capabilities. This shows a notable advancement in the Brazilian market for financial malware, as they have been developing banking trojans for over 20 years.

Researchers warn that even though this threat may be Brazil-focused for now, there are many reasons for organizations worldwide to be aware of the Coyote malware because of the threat actors’ capabilities to expand their operations abroad, and hence why banks and companies must prepare themselves to deal with the threat. Another reason for security experts to pay attention to the emergence of this new banking trojan is due to the past in which they have evolved into fully functional initial access trojans and backdoors, as seen with Emotet, QakBot, TrickBot, and Ursinif.

Coyote demonstrates the ability to follow suit as well since it can execute a range of commands like taking screenshots, killing processes, keylogging, moving the cursor, and even shutting down the compromised device. It can also freeze the system with a fake “Working on updates…” overlay prompt.

From an observation of its attacks, Coyote acts like any other modern banking trojan. When one of the 61 banking apps that it targets is triggered on an infected system, the malware pings an attacker-controlled command-and-control (C2) server to display a phishing overlay on the unsuspecting user’s screen for capturing login credentials. Most banking trojans leverage Windows Installers (MSI), and Coyote uses a legitimate open-source tool “Squirrel” to install and update Windows desktop applications. Using Squirrel, Coyote tried to hide its malicious initial stage loader by making it look like a legitimate update packager.

The final stage loader it uses is unique, written in an uncommon programming language called “Nim”. Security researchers have noted that this is the first-ever banking trojan that has been seen using Nim. The majority of the old banking trojans were written using Delphi, making the detection of it easier over the years and the efficiency of infections of those slowed down by a lot. With Nim, it is possible to code new features with a low detection rate by security solutions.

These banking trojans from Brazil have a history of spreading across the world and expanding their attacks to other nations. Recently, some of the Brazilian banking trojans have been observed attacking companies and individuals in Australia and Europe, as well as a new version discovered in Italy. It is highly recommended for organizations and banks to take security measures to avoid falling prey to any of these modern banking trojan malware.

Impact

• Financial Loss
• Credential Theft

Indicators of Compromise

Domain Name

• atendesolucao.com
• servicoasso.com
• dowfinanceiro.com
• centralsolucao.com
• traktinves.com
• diadaacaodegraca.com
• segurancasys.com

MD5

• 03eacccb664d517772a33255dff96020
• 071b6efd6d3ace1ad23ee0d6d3eead76
• 276f14d432601003b6bf0caa8cd82fec
• 5134e6925ff1397fdda0f3b48afec87b
• bf9c9cc94056bcdae6e579e724e8dbbd

SHA-256

• 0486efea8c3587d8d97edf7f740971a2add2150eda26d4ab94d6e8225648a5b3
• 110b616bc12c29b070b0dc60c197a4d63b3e3caae6bb80a25b8864489a51da79
• 1bed3755276abd9b54db13882fcf29c543ebf604be3b7fcf060cbd6d68bcd23f
• 1d59bc782e532780da0364b14a1b474a8cb8a5af50c8124159bf5d943bd050f7
• eb615c093e9b52ed409f426764857e6e42aa85e02adef59d6f1457dcbb90bb40

SHA-1

• 62cfcb6cc0c2e52cd4e25aaa9e8b9d76e08694bb
• 076b4c3a7cb4c5847b197e32a2849c460a40d84d
• bd30ada16bfd7de0224bbdaa67245f898546a8bb
• e443dc35f4d1456284d93463392f137e9c9eb883
• ee340d0cc2f5f807845a87ef8ff46579a8701939

Remediation

• Block all threat indicators at your respective controls.
• Search for Indicators of compromise (IOCs) in your environment utilizing your respective security controls.
• Never trust or open links and attachments received from unknown sources/senders.
• Maintain cyber hygiene by updating your anti-virus software and implementing a patch management lifecycle.
• Keep operating systems and software up to date as banking trojans often exploit vulnerabilities in software and operating systems. Keeping these up to date can help prevent vulnerabilities from being exploited.
• Implement strong password policies: banking malware often relies on stolen login credentials to access sensitive information. Implementing strong password policies and multifactor authentication can make it more difficult for attackers to gain access.
• Provide regular security awareness training for employees that can help them recognize phishing emails and other types of social engineering attacks that are commonly used to spread banking malware.