Researchers have uncovered an emerging threat in the world of banking Trojans, with the discovery of a new malware variant designated “Coyote.” This malicious software is specifically targeting the user credentials of 61 different online banking applications, primarily in Brazil.
Coyote’s significance lies in its extensive focus on banking-sector apps, particularly within the Brazilian market. It also distinguishes itself with a blend of both basic and advanced components, including the use of Squirrel, Node.js, and the relatively uncommon programming language Nim. With more than a dozen malicious functions, Coyote represents an advance in the evolving landscape of financial malware in Brazil, and there are concerns that its reach may expand beyond the country, making it a concern for security teams globally.
Fabio Assolini, the head of the Latin American Global Research and Analysis Team (GReAT) at Kaspersky, emphasized the long history of Brazilian malware developers in crafting banking Trojans. According to Assolini, these developers have demonstrated creativity in evading security measures and authentication technologies, which is reflected in the innovative features of the Coyote Trojan.
While Coyote currently poses a specific risk to consumers in Brazil, security experts caution that there is a potential for its impact to extend beyond the region. Amid the increasing globalization of cybercrime, the histories of other banking Trojans indicate that they have expanded their reach to target organizations and banks in various countries. Therefore, it is imperative for corporations and financial institutions to brace themselves for a potential wave of attacks involving Coyote.
Moreover, there is a precedent for banking Trojans evolving into more extensive threats, such as initial access Trojans and backdoors. Notably, Coyote has the capability to execute a range of commands, including taking screenshots, logging keystrokes, and manipulating system processes. It can also employ deceptive tactics, such as displaying a false system update message to stymie detection efforts.
Coyote’s use of Squirrel and Nim sets it apart from other banking Trojans, as it departs from the delivery methods those families traditionally use. Unlike its counterparts, which rely on Windows Installer (MSI) packages, Coyote abuses Squirrel, a legitimate installer and update framework, to disguise its initial-stage loader as a benign update package. The final-stage loader, written in the relatively obscure Nim programming language, further improves its ability to evade detection by security software, which has seen comparatively few Nim binaries.
Brazil has emerged as a prominent hub for banking Trojans, with malware developers from the country actively seeking to expand their operations worldwide. Brazilian banking Trojans have been observed targeting entities and individuals in locations as distant as Australia and Europe, signifying the global reach of these threats. Despite this global impact, the cybercriminals responsible for these attacks often operate with relative impunity because of the limitations of local law enforcement in Brazil.
The example of Grandoreiro, a similar Trojan that spread to numerous countries, illustrates the potential for Coyote’s expansion in the international arena. Although the activities of Brazilian cybercriminals have attracted attention from law enforcement agencies in various countries, holding these individuals accountable remains difficult. However, efforts to disrupt the cybercriminal infrastructure, as seen in the case of Grandoreiro, demonstrate a growing recognition of the need to combat these threats on a global scale.
In conclusion, the emergence of Coyote and its unique characteristics indicate a growing sophistication in the development of banking Trojans. Its potential for global expansion underscores the need for a coordinated and proactive approach to cybersecurity, with a focus on international collaboration in combating cybercrime. As the threat landscape continues to evolve, organizations, as well as law enforcement agencies, must remain vigilant in addressing the challenges posed by such malicious activities.
