'Coyote' Malware Begins Its Hunt, Preying on 61 Banking Apps

In all, it represents a notable evolution in Brazil's thriving market for financial malware - and could spell big trouble down the line for security teams if it expands its focus.
It may be a Brazil-focused threat to consumers for now, but as mentioned, there are clear reasons for organizations to be aware of Coyote.
Another reason for security teams to pay attention to the emergence of new banking Trojans is their history of evolving into fully fledged initial-access Trojans and backdoors; this was the case with Emotet and Trickbot and, more recently, QakBot and Ursnif.
Coyote has functionality in the wings to follow suit: It can execute a range of commands, including directives to take screenshots, log keystrokes, kill processes, shut down the machine, and move its cursor.

The Coyote Trojan Runs With Squirrel & Nim

So far in its attacks, Coyote behaves like any other modern banking Trojan: When a compatible app is triggered on an infected machine, the malware pings an attacker-controlled command-and-control server and displays an appropriate phishing overlay on the victim's screen in order to capture a user's login information.
Coyote stands out most for how it combats potential detections.
Most banking Trojans utilize Windows Installers, Kaspersky noted in its blog post, making them an easy red flag for cybersecurity defenders.
That's why Coyote opts for Squirrel, a legitimate open source tool for installing and updating Windows desktop apps.
Using Squirrel, Coyote attempts to mask its malicious initial stage loader as a perfectly honest update packager.

Brazilian Banking Trojans Are a Global Problem

If Coyote has to do so much to distinguish itself, it's because the world's fifth-largest nation has in recent years become the world's premier hub for banking malware.
For as much as they terrorize Brazilians, these programs also have a habit of crossing bodies of water.
To demonstrate the potential future for a tool like Coyote, Assolini points to Grandoreiro, a similar Trojan that made serious inroads into Mexico and Spain but also well beyond.
By the end of last fall, he says, it had reached a total of 41 countries.
A byproduct of that success was increased scrutiny from law enforcement.
In a step toward disrupting its free-flowing cyber underground for this kind of malware, Brazilian police made a rare move: They executed five temporary arrest warrants and 13 search and seizure warrants for the architects behind Grandoreiro across five Brazilian states.


This Cyber News was published on www.darkreading.com. Publication date: Thu, 08 Feb 2024 21:20:10 +0000

