Coyote Banking Malware: Abusing Windows LNK Files to Deploy Malicious Scripts

A sophisticated cyberattack campaign involving the Coyote Banking Trojan has been discovered by FortiGuard Labs, with Microsoft Windows users, particularly in Brazil, as its primary targets.

The attack utilizes malicious LNK (shortcut) files embedded with PowerShell commands to execute staged operations that ultimately deploy the Coyote Trojan.

Technical Insights into the LNK File Attack Mechanism

Once installed, this malware gains unauthorized control over the victim’s device, harvesting sensitive information from more than 70 financial applications and websites.

It employs keylogging, phishing overlays, and screenshot capture to compromise user credentials.

These advanced capabilities highlight the Trojan’s potential to escalate global financial cybersecurity threats.

The initial stage of the attack begins with the LNK file executing a PowerShell script to connect to a remote server. This script decodes and executes embedded shellcode to initiate subsequent stages of the operation.

By leveraging metadata such as “Machine ID” and MAC addresses, researchers traced connections between multiple LNK files, shedding light on the broader attack structure.

The second stage involves a custom DLL file functioning as a loader. Using functions like VirtualAllocEx and WriteProcessMemory, the loader injects additional malicious payloads executed remotely via CreateRemoteThread.

The payload deploys an MSIL file that establishes persistence by modifying the registry, ensuring the malware’s reactivation with each system reboot.

During this stage, the Trojan gathers basic system information, evaluates antivirus protections, and communicates with a Command-and-Control (C2) server.

Coyote Trojan’s Expanded Capabilities and Targeting Approach

The final payload expands the Coyote Trojan’s functionality, featuring username identification, virtual environment detection, and a broadened target list of over 1,000 websites and 73 financial platforms.

The Trojan continuously monitors active windows and engages the C2 server when victims access targeted sites.

It can execute various commands, including taking screenshots, injecting phishing overlays, and simulating user actions to extract sensitive data.

Additionally, the malware communicates with the C2 server to receive instructions, such as disabling security features, shutting down the victim’s device, or deploying ransomware-like tactics.

Notably, the C2 servers employed such as geraatualiza[.]com and masterdow[.]com operate over secure HTTPS connections via port 443, complicating detection efforts.

The malware’s modular design enables dynamic updates, extending its lifecycle and adaptability to evade security measures.

The Coyote Trojan represents a highly advanced, multi-stage threat that poses severe risks to financial systems.

Its capabilities for persistence, information theft, and dynamic targeting underscore the necessity for strengthened cybersecurity protocols.

Organizations and individuals must remain vigilant, employ updated antivirus solutions, and incorporate robust detection methods to mitigate risks.

Fortinet’s advanced protections are actively preventing this malware through its FortiGuard Antivirus engine and Web Filtering services.

Additionally, organizations are advised to leverage training resources like Fortinet’s Certified Fundamentals (FCF) program to enhance awareness of phishing and other cybersecurity threats.

Are you from SOC/DFIR Teams? – Analyse Malware Files & Links with ANY.RUN Sandox -> Try for Free