
Coyote: A banking Trojan that abuses the Squirrel installer


Security researchers have identified a new banking Trojan known as "Coyote". The malware targets users of over 60 banking institutions, mainly in Brazil, and uses a sophisticated infection chain built on technologies that are unusual for banking malware: the Squirrel installer, Node.js, and the Nim programming language. The adoption of less common or cross-platform languages by cybercriminals was already singled out as a trend in Kaspersky's "Crimeware and financial cyberthreats in 2024" forecast.

In the traditional banking Trojan landscape, Delphi code and MSI installers are the usual choices of malware authors. The newly discovered Coyote Trojan breaks away from this pattern and instead abuses Squirrel, a relatively new open-source tool for installing and updating Windows desktop applications.

The Squirrel installer presents the initial-stage loader as an update package, so the malicious software blends in with legitimate application updates. The loader itself is a Node.js application packaged with Electron; it executes obfuscated JavaScript code that copies executables into place and loads the malicious payload.

An interesting aspect of the infection chain of Coyote is the utilization of Nim, a relatively new programming language, to load the final stage of the malware. This loader is designed to unpack a .NET executable and execute it in memory using the CLR, which contributes to the sophistication of the Trojan’s design.

Once the Coyote banking Trojan is running, it achieves persistence by abusing Windows logon scripts and monitors the open applications on the victim's system, waiting for specific banking applications or websites to be accessed. It then establishes communication with its command and control server over SSL channels using a mutual authentication scheme.
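As an added defender-side example (not from the original article or from Kaspersky's report), the PowerShell audit below enumerates the two artefacts the write-up points at: logon-script persistence and Squirrel-style installations in the user profile. The article does not say which logon-script mechanism Coyote uses, so checking the per-user UserInitMprLogonScript value is an assumption based on the standard logon-script persistence location (MITRE ATT&CK T1037.001); the Squirrel directory layout (%LOCALAPPDATA%\<App>\Update.exe beside app-<version> folders) is the installer's default.

```powershell
# Added example: audit logon-script persistence and Squirrel install locations.
# Assumption: the article does not name the exact logon-script mechanism; this
# inspects the per-user UserInitMprLogonScript value (T1037.001), which is the
# usual place such persistence lands. Review hits manually; none is proof alone.

function Get-LogonScriptPersistence {
    # Environment key of the current user plus every loaded user hive under HKU.
    $envKeys = @('HKCU:\Environment')
    foreach ($hive in (Get-ChildItem 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue)) {
        $envKeys += "Registry::$($hive.Name)\Environment"
    }
    $findings = @()
    foreach ($key in $envKeys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if ($props -and $props.UserInitMprLogonScript) {
            $findings += [pscustomobject]@{
                Key    = $key
                Script = $props.UserInitMprLogonScript
            }
        }
    }
    return $findings
}

function Get-SquirrelInstalls {
    # Squirrel.Windows installs apps into %LOCALAPPDATA%\<AppName>\ with an
    # Update.exe next to versioned app-<version> folders. Listing them, with the
    # Authenticode status of Update.exe, lets unexpected "updates" be reviewed.
    $results = @()
    foreach ($dir in (Get-ChildItem -Path $env:LOCALAPPDATA -Directory -ErrorAction SilentlyContinue)) {
        $update = Join-Path $dir.FullName 'Update.exe'
        if (-not (Test-Path -LiteralPath $update)) { continue }
        $sig = Get-AuthenticodeSignature -FilePath $update
        $results += [pscustomobject]@{
            App       = $dir.Name
            UpdateExe = $update
            SigStatus = $sig.Status
            Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            Versions  = (Get-ChildItem $dir.FullName -Directory -Filter 'app-*' -ErrorAction SilentlyContinue).Name -join ','
        }
    }
    return $results
}

Get-LogonScriptPersistence | Format-Table -AutoSize
Get-SquirrelInstalls      | Format-Table -AutoSize
```

Legitimate Electron applications (Slack, Discord, Teams and others) also ship via Squirrel, so the second list is a baseline to compare against, not an alert list.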

To the command and control server, the Trojan sends information collected from the infected machine, including the machine name, a randomly generated GUID, and the banking application currently in use. In return, the server sends a response packet containing the actions the Trojan should carry out. These include taking screenshots, showing fake banking app overlays, displaying full-screen overlays, enabling a keylogger, and capturing user credentials through phishing overlays.

This new banking Trojan marks a notable evolution in the threat landscape: its developers have combined modern technologies such as Node.js, .NET, and Squirrel-based packaging in a single infection chain. The use of Nim for the loader adds further complexity to the design and shows how threat actors are adopting the latest languages and tools in their campaigns.

The majority of infections caused by the Coyote banking Trojan have been reported in Brazil, and Kaspersky products detect the threat as HEUR:Trojan-Banker.MSIL.Coyote.gen. Organizations and individuals are advised to take proactive measures and remain vigilant to protect themselves from such threats.

For those seeking more detailed analysis of the latest Coyote versions, Kaspersky offers private Threat Intelligence Reports. Customers can contact crimewareintel@kaspersky.com for more information.

Reference IoCs (indicators of compromise):
