Friday, February 7, 2025
HomeCyber AttackCoyote Banking Trojan Attacking Windows Users To Steal Login Details

Coyote Banking Trojan Attacking Windows Users To Steal Login Details

Published on

SIEM as a Service

Follow Us on Google News

Hackers use Banking Trojans to steal sensitive financial information. These Trojans can also intercept and modify transactions, allowing hackers to drain bank accounts or make unauthorized purchases.

BlackBerry cybersecurity researchers recently detected that the Coyote banking trojan has been actively attacking Windows users to steal login details.

Coyote is an advanced .NET Trojan horse focusing on Brazilian financial institutions, indicating the increasing cyber hazards in Latin America.

Named after its misuse of Squirrel malware, Coyote uses a unique process linked to legitimate open-source files contaminated with DLLs.

This loads the Trojan using Nim programming language to collect financial data and maintain itself in the system.

Join our free webinar to learn about combating slow DDoS attacks, a major threat today.

Coyote Trojan Attacking Windows Users

When this malware appeared in February 2024, it reflected the World Economic Forum’s findings on Latin America’s cybersecurity drawbacks, especially in governments and finance.

Moreover, researchers added that Coyote’s complex techniques underline threat actors’ changing strategies to expand the market in this region.

Due to the large file size, the Coyote Trojan which focuses on clients in Brazil is likely delivered through phishing links.

It has a complex infection chain includes Squirrel updates, DLL sideloading of a vulnerable Google Chrome DLL, and a Nim loader that runs the Trojan in-memory.

Before sending data to its C2 servers, it keeps watching window titles for specific targets. It can perform 24 tasks such as screenshots, displaying fake banking overlays, and keylogging.

Randomly choosing from several C2 domains, WatsonTCP is utilized by this Trojan.

Connections from Coyote banking Trojan to different C2 servers (Source – BlackBerry)

Besides this, the Coyote threat actor’s sophisticated Brazilian .NET banking Trojan has not yet been observed being sold on underground markets.

Coyote banking Trojan is a sophisticated .NET malware that targets financial institutions in Brazil and the Binance cryptocurrency exchange.

One of the ways it does this is by phishing with malicious domains or disguising its loader as a legitimate squirrel update packager.

In this respect, there’s an emerging threat in LATAM. This highlights the necessity for better security measures where advanced protection mechanisms are combined with user awareness campaigns.

To fight this growing threat and guard against the compromise of financial institutions’ reputations, it is important to adopt a multidimensional strategy that includes the integration of contemporary offerings and the development of cyber security and advanced defense mechanisms.

"Is Your System Under Attack? Try Cynet XDR: Automated Detection & Response for Endpoints, Networks, & Users!"- Free Demo

Tushar Subhra
Tushar Subhra
Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Latest articles

Dell Update Manager Plugin Flaw Exposes Sensitive Data

Dell Technologies has issued a security advisory (DSA-2025-047) to address a vulnerability in the Dell Update...

DeepSeek iOS App Leaks Data to ByteDance Servers Without Encryption

DeepSeek iOS app—a highly popular AI assistant recently crowned as the top iOS app...

Critical Flaws in HPE Aruba ClearPass Expose Systems to Arbitrary Code Execution

Hewlett Packard Enterprise (HPE) has issued a high-priority security bulletin addressing multiple vulnerabilities in...

Splunk Introduces “DECEIVE” an AI-Powered Honeypot to Track Cyber Threats

Splunk has unveiled DECEIVE (DECeption with Evaluative Integrated Validation Engine), an innovative, AI-augmented honeypot that mimics...

Supply Chain Attack Prevention

Free Webinar - Supply Chain Attack Prevention

Recent attacks like Polyfill[.]io show how compromised third-party components become backdoors for hackers. PCI DSS 4.0’s Requirement 6.4.3 mandates stricter browser script controls, while Requirement 12.8 focuses on securing third-party providers.

Join Vivekanand Gopalan (VP of Products – Indusface) and Phani Deepak Akella (VP of Marketing – Indusface) as they break down these compliance requirements and share strategies to protect your applications from supply chain attacks.

Discussion points

Meeting PCI DSS 4.0 mandates.
Blocking malicious components and unauthorized JavaScript execution.
PIdentifying attack surfaces from third-party dependencies.
Preventing man-in-the-browser attacks with proactive monitoring.

More like this

Flesh Stealer Malware Attacking Chrome, Firefox, and Edge Users to Steal Passwords

A newly identified malware, Flesh Stealer, is rapidly emerging as a significant cybersecurity threat...

Beware of Nova Stealer Malware Sold for $50 on Hacking Forums

The cybersecurity landscape faces a new challenge with the emergence of Nova Stealer, a...

XE Hacker Group Exploiting Veracode 0-Day’s to Deploy Malware & Steal Credit Card Details

The XE Group, a sophisticated Vietnamese-origin cybercrime organization active since 2013, has escalated its...