Kaspersky discovered a banking trojan that targeted more than 60 institutions. How dangerous Coyote is

A sophisticated new banking Trojan that steals sensitive financial information and introduces advanced tactics to avoid detection has been discovered by Kaspersky's Global Research and Analysis Team (GReAT).

A new sophisticated banking trojan has been discovered

Called “Coyote,” this malware uses the Squirrel installer for its distribution and takes its name from coyotes, the natural predators of squirrels.

Kaspersky experts have identified 'Coyote', a sophisticated new banking Trojan that uses advanced evasion tactics to steal sensitive financial information. Primarily targeting users affiliated with over 60 banking institutions in Brazil, Coyote uses the Squirrel installer for its distribution – a method rarely seen in malware delivery. Kaspersky researchers investigated and identified the entire infection process carried out by Coyote.

Instead of going the usual route of trojanizing well-known installers, Coyote chose Squirrel, a relatively new tool for installing and updating Windows desktop applications. In this way, Coyote hides its initial-stage loader by passing it off as just an update package.

Coyote uses Nim, a modern, cross-platform programming language, as the loader in the final stage of the infection process, which makes it even more complicated to detect. This aligns with a trend observed by Kaspersky, where cybercriminals are using less popular and cross-platform languages, demonstrating their adaptability to the latest trends in technology.

Coyote's infection chain involves a NodeJS application that executes complicated JavaScript code, a Nim loader that produces a .NET executable, and finally the execution of the Trojan itself. While Coyote does not actually hide its code, it obfuscates its strings with AES (Advanced Encryption Standard) encryption to make analysis harder. The purpose of the Trojan is consistent with typical banking Trojan behavior: it monitors for access to specific banking applications or websites.
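A defender-side illustration of the stage chain described above, added here as an example and not code from Kaspersky or from the malware: it walks process-creation events and flags a Squirrel updater that spawns a Node.js runtime which itself launches further executables. The image names Update.exe/squirrel.exe and node.exe, and the event records, are assumptions constructed for the example; the page does not name them.

```python
# Added example: heuristic over process-creation events for the chain
# Squirrel updater -> Node.js app -> loader executable, as the article describes.
# Assumptions (not stated on the page): the Squirrel updater runs as Update.exe
# or squirrel.exe, the Node.js stage as node.exe; the events below are constructed.
from collections import defaultdict

SQUIRREL_UPDATERS = {"update.exe", "squirrel.exe"}   # assumed image names
NODE_RUNTIMES = {"node.exe"}                          # assumed image name


def image_name(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def find_coyote_like_chains(events):
    """Return [(updater_pid, node_pid, [child_pids])] for every Squirrel updater
    that spawned a Node.js runtime which in turn launched executables.
    A Squirrel-packaged app normally starts its own binary directly, so a
    node.exe stage that launches further programs deserves analyst review."""
    by_pid = {e["pid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e["pid"])

    hits = []
    for e in events:
        if image_name(e["image"]) not in NODE_RUNTIMES:
            continue
        parent = by_pid.get(e["ppid"])
        if parent is None or image_name(parent["image"]) not in SQUIRREL_UPDATERS:
            continue
        loaders = [c for c in children[e["pid"]]
                   if image_name(by_pid[c]["image"]).endswith(".exe")]
        if loaders:
            hits.append((parent["pid"], e["pid"], loaders))
    return hits


# Constructed sample events (pid, ppid, image); not real telemetry.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1,   "image": r"C:\Users\u\AppData\Local\App\Update.exe"},
    {"pid": 101, "ppid": 100, "image": r"C:\Users\u\AppData\Local\App\node.exe"},
    {"pid": 102, "ppid": 101, "image": r"C:\Users\u\AppData\Local\Temp\loader.exe"},
    {"pid": 103, "ppid": 102, "image": r"C:\Users\u\AppData\Local\Temp\stage.exe"},
    # benign Squirrel-packaged app: the updater starts the app binary directly
    {"pid": 200, "ppid": 1,   "image": r"C:\Users\u\AppData\Local\Chat\Update.exe"},
    {"pid": 201, "ppid": 200, "image": r"C:\Users\u\AppData\Local\Chat\chat.exe"},
]

if __name__ == "__main__":
    for updater, node, loaders in find_coyote_like_chains(SAMPLE_EVENTS):
        print(f"review: updater pid {updater} -> node pid {node} -> {loaders}")
```

The heuristic is intentionally narrow and will miss variants that rename the runtime, so treat hits as triage leads rather than verdicts.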

Once a targeted banking application is running, Coyote immediately communicates with its command-and-control server over mutually authenticated SSL channels. The Trojan's use of encrypted communication and its ability to perform specific actions, such as logging keystrokes and taking screenshots, highlight its advanced nature. It can even request certain bank card passwords and display a fake page to harvest user credentials.

Kaspersky telemetry data shows that approximately 90% of Coyote infections originate in Brazil, having a large impact on the region's financial cybersecurity.

For protection against financial threats, Kaspersky recommends:

• Only install applications obtained from trusted sources.

• Avoid approving rights or permissions requested by applications without first ensuring that they match the application's feature set.

• Never open links or documents included in unexpected or suspicious-looking messages.

• Use a reliable security solution, such as Kaspersky Premium, that protects you and your digital infrastructure from a wide range of financial cyber threats.

To protect your business from financial malware, Kaspersky security experts recommend:

• Providing cyber security awareness training, especially for accounting staff, that includes instructions on how to spot phishing pages.

• Improving the digital literacy of staff.

• Enabling a default-deny policy for critical user profiles, especially those in finance departments, that ensures only legitimate web resources are accessed.

• Installing the latest updates and patches for all software used.