Coyote Banking Trojan Attacking Windows Users To Steal Login Details

Hackers use Banking Trojans to steal sensitive financial information. These Trojans can also intercept and modify transactions, allowing hackers to drain bank accounts or make unauthorized purchases.

BlackBerry cybersecurity researchers recently detected that the Coyote banking trojan has been actively attacking Windows users to steal login details.

Coyote is an advanced .NET Trojan horse focusing on Brazilian financial institutions, indicating the increasing cyber hazards in Latin America.

Named after its misuse of Squirrel malware, Coyote uses a unique process linked to legitimate open-source files contaminated with DLLs.

This loads the Trojan using Nim programming language to collect financial data and maintain itself in the system.

Join our free webinar to learn about combating slow DDoS attacks, a major threat today.

Coyote Trojan Attacking Windows Users

When this malware appeared in February 2024, it reflected the World Economic Forum’s findings on Latin America’s cybersecurity drawbacks, especially in governments and finance.

Moreover, researchers added that Coyote’s complex techniques underline threat actors’ changing strategies to expand the market in this region.

Due to the large file size, the Coyote Trojan which focuses on clients in Brazil is likely delivered through phishing links.

It has a complex infection chain includes Squirrel updates, DLL sideloading of a vulnerable Google Chrome DLL, and a Nim loader that runs the Trojan in-memory.

Before sending data to its C2 servers, it keeps watching window titles for specific targets. It can perform 24 tasks such as screenshots, displaying fake banking overlays, and keylogging.

Randomly choosing from several C2 domains, WatsonTCP is utilized by this Trojan.

Besides this, the Coyote threat actor’s sophisticated Brazilian .NET banking Trojan has not yet been observed being sold on underground markets.

Coyote banking Trojan is a sophisticated .NET malware that targets financial institutions in Brazil and the Binance cryptocurrency exchange.

One of the ways it does this is by phishing with malicious domains or disguising its loader as a legitimate squirrel update packager.

In this respect, there’s an emerging threat in LATAM. This highlights the necessity for better security measures where advanced protection mechanisms are combined with user awareness campaigns.

To fight this growing threat and guard against the compromise of financial institutions’ reputations, it is important to adopt a multidimensional strategy that includes the integration of contemporary offerings and the development of cyber security and advanced defense mechanisms.

"Is Your System Under Attack? Try Cynet XDR: Automated Detection & Response for Endpoints, Networks, & Users!"- Free Demo