Sunday, February 9, 2025
Homecyber securityCoyote Banking Malware: Abusing Windows LNK Files to Deploy Malicious Scripts

Coyote Banking Malware: Abusing Windows LNK Files to Deploy Malicious Scripts

Published on

SIEM as a Service

Follow Us on Google News

A sophisticated cyberattack campaign involving the Coyote Banking Trojan has been discovered by FortiGuard Labs, with Microsoft Windows users, particularly in Brazil, as its primary targets.

The attack utilizes malicious LNK (shortcut) files embedded with PowerShell commands to execute staged operations that ultimately deploy the Coyote Trojan.

Technical Insights into the LNK File Attack Mechanism

Once installed, this malware gains unauthorized control over the victim’s device, harvesting sensitive information from more than 70 financial applications and websites.

It employs keylogging, phishing overlays, and screenshot capture to compromise user credentials.

These advanced capabilities highlight the Trojan’s potential to escalate global financial cybersecurity threats.

The initial stage of the attack begins with the LNK file executing a PowerShell script to connect to a remote server. This script decodes and executes embedded shellcode to initiate subsequent stages of the operation.

Coyote Banking Malware
LNK File

By leveraging metadata such as “Machine ID” and MAC addresses, researchers traced connections between multiple LNK files, shedding light on the broader attack structure.

The second stage involves a custom DLL file functioning as a loader. Using functions like VirtualAllocEx and WriteProcessMemory, the loader injects additional malicious payloads executed remotely via CreateRemoteThread.

The payload deploys an MSIL file that establishes persistence by modifying the registry, ensuring the malware’s reactivation with each system reboot.

Coyote Banking Malware
Registry’s setting

During this stage, the Trojan gathers basic system information, evaluates antivirus protections, and communicates with a Command-and-Control (C2) server.

Coyote Trojan’s Expanded Capabilities and Targeting Approach

The final payload expands the Coyote Trojan’s functionality, featuring username identification, virtual environment detection, and a broadened target list of over 1,000 websites and 73 financial platforms.

The Trojan continuously monitors active windows and engages the C2 server when victims access targeted sites.

It can execute various commands, including taking screenshots, injecting phishing overlays, and simulating user actions to extract sensitive data.

Additionally, the malware communicates with the C2 server to receive instructions, such as disabling security features, shutting down the victim’s device, or deploying ransomware-like tactics.

Notably, the C2 servers employed such as geraatualiza[.]com and masterdow[.]com operate over secure HTTPS connections via port 443, complicating detection efforts.

The malware’s modular design enables dynamic updates, extending its lifecycle and adaptability to evade security measures.

The Coyote Trojan represents a highly advanced, multi-stage threat that poses severe risks to financial systems.

Its capabilities for persistence, information theft, and dynamic targeting underscore the necessity for strengthened cybersecurity protocols.

Organizations and individuals must remain vigilant, employ updated antivirus solutions, and incorporate robust detection methods to mitigate risks.

Fortinet’s advanced protections are actively preventing this malware through its FortiGuard Antivirus engine and Web Filtering services.

Additionally, organizations are advised to leverage training resources like Fortinet’s Certified Fundamentals (FCF) program to enhance awareness of phishing and other cybersecurity threats.

Are you from SOC/DFIR Teams? – Analyse Malware Files & Links with ANY.RUN Sandox -> Try for Free

Aman Mishra
Aman Mishra
Aman Mishra is a Security and privacy Reporter covering various data breach, cyber crime, malware, & vulnerability.

Latest articles

UK Pressures Apple to Create Global Backdoor To Spy on Encrypted iCloud Access

United Kingdom has reportedly ordered Apple to create a backdoor allowing access to all...

Autonomous LLMs Reshaping Pen Testing: Real-World AD Breaches and the Future of Cybersecurity

Large Language Models (LLMs) are transforming penetration testing (pen testing), leveraging their advanced reasoning...

Securing GAI-Driven Semantic Communications: A Novel Defense Against Backdoor Attacks

Semantic communication systems, powered by Generative AI (GAI), are transforming the way information is...

Cybercriminals Target IIS Servers to Spread BadIIS Malware

A recent wave of cyberattacks has revealed the exploitation of Microsoft Internet Information Services...

Supply Chain Attack Prevention

Free Webinar - Supply Chain Attack Prevention

Recent attacks like Polyfill[.]io show how compromised third-party components become backdoors for hackers. PCI DSS 4.0’s Requirement 6.4.3 mandates stricter browser script controls, while Requirement 12.8 focuses on securing third-party providers.

Join Vivekanand Gopalan (VP of Products – Indusface) and Phani Deepak Akella (VP of Marketing – Indusface) as they break down these compliance requirements and share strategies to protect your applications from supply chain attacks.

Discussion points

Meeting PCI DSS 4.0 mandates.
Blocking malicious components and unauthorized JavaScript execution.
PIdentifying attack surfaces from third-party dependencies.
Preventing man-in-the-browser attacks with proactive monitoring.

More like this

UK Pressures Apple to Create Global Backdoor To Spy on Encrypted iCloud Access

United Kingdom has reportedly ordered Apple to create a backdoor allowing access to all...

Autonomous LLMs Reshaping Pen Testing: Real-World AD Breaches and the Future of Cybersecurity

Large Language Models (LLMs) are transforming penetration testing (pen testing), leveraging their advanced reasoning...

Securing GAI-Driven Semantic Communications: A Novel Defense Against Backdoor Attacks

Semantic communication systems, powered by Generative AI (GAI), are transforming the way information is...