
Coyote: A Banking Trojan Exploiting the Squirrel Installer


Security researchers have discovered a new banking Trojan, dubbed “Coyote”. The malware targets users of more than 60 banking institutions, mainly in Brazil, and relies on a sophisticated infection chain built on the Squirrel installer, Node.js, and the Nim programming language. The adoption of less popular or cross-platform languages by cybercriminals has been identified as a trend in crimeware and financial cyberthreats for 2024.

In the traditional landscape of banking Trojans, the use of the Delphi language or MSI installers is a common trend among malware creators. However, the newly discovered Coyote Trojan breaks away from this trend, using the relatively new Squirrel installer for installing and updating Windows desktop applications.

Coyote's use of the Squirrel installer disguises its initial-stage loader as an update packager, so the malicious software blends in with legitimate application updates. The loader itself is further hidden inside a Node.js application compiled with Electron, which executes obfuscated JavaScript code to copy executables and load the malicious payload.

An interesting aspect of the infection chain of Coyote is the utilization of Nim, a relatively new programming language, to load the final stage of the malware. This loader is designed to unpack a .NET executable and execute it in memory using the CLR, which contributes to the sophistication of the Trojan’s design.

Once the Coyote banking Trojan is running, it achieves persistence by abusing Windows logon scripts and monitors the open applications on the victim’s system, waiting for specific banking applications or websites to be accessed. It also establishes communication with its command-and-control server over SSL channels that use a mutual authentication scheme.

At the command and control server, the Trojan sends information collected from the infected machine, including the machine name, a randomly generated GUID, and the banking application being used. In return, the server sends a response packet that contains specific actions for the Trojan to carry out. These actions include taking screenshots, showing fake banking app overlays, displaying full-screen overlays, enabling keyloggers, and capturing user credentials through phishing overlays.

This new banking Trojan marks a significant evolution in the threat landscape, as the developers have showcased their skills by implementing modern technologies such as Node.js, .NET, and advanced packaging techniques. The addition of Nim as a loader adds complexity to the Trojan’s design, highlighting the increasing sophistication within the threat landscape and showing how threat actors are adapting and using the latest languages and tools in their malicious campaigns.

The majority of infections caused by the Coyote banking Trojan have been reported in Brazil, and Kaspersky products detect the threat as HEUR:Trojan-Banker.MSIL.Coyote.gen. Organizations and individuals are advised to take proactive measures and remain vigilant to protect themselves from such threats.

For those seeking more detailed analysis of the latest Coyote versions, Kaspersky offers private Threat Intelligence Reports. Customers can contact crimewareintel@kaspersky.com for more information.

Reference IoCs (indicators of compromise):
Host-based (MD5 hash)
03eacccb664d517772a33255dff96020…
C2 domain list
atendesolucao[.]com
servicoasso[.]com
dowfinanceiro[.]com
centralsolucao[.]com
traktinves[.]com
diadaacaodegraca[.]com
segurancasys[.]com
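The C2 communication described above and the domain list just given lend themselves to a simple defensive check: matching resolver logs against the published indicators. The following Python script is an added example, not code from the original article or from Kaspersky. It refangs the C2 domains exactly as listed above, scans a small, constructed DNS log (the log format is an assumption; adapt the regular expression to your resolver) and reports queries that hit a listed domain or a subdomain of one, while ignoring look-alike names that merely end in the same characters.

```python
import re
from typing import Iterable, List, Dict, Optional, Set

# C2 domains exactly as listed in the article, in defanged "[.]" form.
COYOTE_C2_DOMAINS_DEFANGED = [
    "atendesolucao[.]com",
    "servicoasso[.]com",
    "dowfinanceiro[.]com",
    "centralsolucao[.]com",
    "traktinves[.]com",
    "diadaacaodegraca[.]com",
    "segurancasys[.]com",
]


def refang(indicator: str) -> str:
    """Turn a defanged indicator ("example[.]com", "hxxp://") back into a matchable string."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").lower()


COYOTE_C2_DOMAINS: Set[str] = {refang(d) for d in COYOTE_C2_DOMAINS_DEFANGED}

# Hypothetical resolver log format assumed here: "<timestamp> <client-ip> query <qname>".
_DNS_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+query\s+(?P<qname>[A-Za-z0-9.-]+)")


def qname_matches(qname: str, indicators: Set[str]) -> Optional[str]:
    """Return the indicator that qname equals or is a subdomain of, else None.

    The "." + ioc suffix test keeps "notsegurancasys.com" from matching
    "segurancasys.com", which a plain endswith() would wrongly flag.
    """
    q = qname.lower().rstrip(".")
    for ioc in indicators:
        if q == ioc or q.endswith("." + ioc):
            return ioc
    return None


def scan_dns_log(lines: Iterable[str], indicators: Set[str] = COYOTE_C2_DOMAINS) -> List[Dict[str, str]]:
    """Return one record per log line whose queried name matches a C2 indicator."""
    hits = []
    for line in lines:
        m = _DNS_LINE.match(line)
        if not m:
            continue  # skip lines that are not query records
        ioc = qname_matches(m.group("qname"), indicators)
        if ioc:
            hits.append({"ts": m.group("ts"), "client": m.group("client"),
                         "qname": m.group("qname"), "ioc": ioc})
    return hits


# Constructed sample log: one benign query, one direct C2 hit, one subdomain hit,
# and one look-alike name that must NOT be reported.
SAMPLE_DNS_LOG = """\
2024-02-10T13:01:02Z 10.0.5.23 query login.microsoftonline.com
2024-02-10T13:01:09Z 10.0.5.23 query atendesolucao.com
2024-02-10T13:02:41Z 10.0.7.8 query cdn.segurancasys.com
2024-02-10T13:03:00Z 10.0.9.1 query notsegurancasys.com
"""

if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_DNS_LOG.splitlines()):
        print(f"{hit['ts']} {hit['client']} -> {hit['qname']} (matches {hit['ioc']})")
```

Because the malware authenticates mutually over SSL, the TLS payload itself is opaque to a passive sensor; DNS resolution and outbound connection logs are therefore the practical place to look for these domains, and any hit should be treated as a starting point for host triage rather than proof of infection on its own.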
