
Coyote: A Banking Trojan Exploiting the Squirrel Installer


Security researchers at Kaspersky have identified a new banking Trojan, dubbed “Coyote”. It targets customers of more than 60 banking institutions, mainly in Brazil, and uses an infection chain built from components rarely seen in this class of malware: the Squirrel installer, Node.js, and the Nim programming language. The shift by cybercriminals toward less popular or cross-platform languages was already flagged as a trend in the “Crimeware and financial cyberthreats for 2024” outlook.

Banking Trojans, and Brazilian ones in particular, have traditionally been written in Delphi or delivered through MSI installers. Coyote breaks with that pattern: it is delivered through Squirrel, an open-source installer and update framework for Windows desktop applications.

Packaging the initial-stage loader as a Squirrel update lets the malware blend in with legitimate application updates. The Squirrel package launches a Node.js application compiled with Electron, which runs obfuscated JavaScript to copy executables onto the system and start the next stage of the chain.

The most unusual part of the chain is the use of Nim, a compiled language seldom seen in banking malware, for the loader of the final stage. The Nim loader unpacks a .NET executable and runs it in memory by hosting the CLR inside its own process, so the final payload never needs to be written to disk as a standalone .NET binary.
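As an added example (not Kaspersky's analysis code and not anything from the Coyote sample), the following Python hunt runs over Sysmon-style process-creation and image-load telemetry and flags the chain just described: a process spawned by a Squirrel `Update.exe` living under a user's `AppData\Local` tree, followed by an executable in that same tree loading the .NET runtime (`mscoree.dll`/`clr.dll`/`coreclr.dll`), which is what a native loader hosting the CLR to run a .NET payload in memory looks like in telemetry. The `Update.exe` name and `%LocalAppData%\<App>\app-<version>\` layout are Squirrel.Windows defaults; the application name `ContaApp`, the loader name `stage2.exe`, the events themselves and the severity scheme are constructed assumptions for illustration.

```python
import ntpath
import re
from typing import Dict, Iterable, List

# Squirrel.Windows installs an app as %LocalAppData%\<App>\Update.exe plus an
# app-<version>\ directory; the rule keys on that default layout (assumption:
# the malicious package follows it like any other Squirrel app).
USER_WRITABLE = re.compile(r"^c:\\users\\[^\\]+\\appdata\\local\\", re.I)
SQUIRREL_UPDATER = "update.exe"
# Loading any of these DLLs means the process is hosting the .NET runtime.
CLR_DLLS = {"mscoree.dll", "clr.dll", "coreclr.dll"}
# Binaries expected to host the CLR; extend with your environment's allow-list.
KNOWN_CLR_HOSTS = {"powershell.exe", "dotnet.exe", "devenv.exe", "msbuild.exe"}


def _base(path: str) -> str:
    return ntpath.basename(path).lower()


def is_squirrel_updater(image: str) -> bool:
    """True for an Update.exe living under a user's AppData\\Local tree."""
    return _base(image) == SQUIRREL_UPDATER and USER_WRITABLE.match(image) is not None


def find_loader_chains(events: Iterable[Dict]) -> List[Dict]:
    """Scan Sysmon-like events (constructed dict form) and return findings.

    event_id 1 (ProcessCreate): pid, image, parent_pid, parent_image
    event_id 7 (ImageLoad):     pid, image, image_loaded
    """
    events = list(events)
    image_of: Dict[int, str] = {}
    parent_of: Dict[int, int] = {}
    for ev in events:
        if ev["event_id"] == 1:
            image_of[ev["pid"]] = ev["image"]
            parent_of[ev["pid"]] = ev["parent_pid"]
            image_of.setdefault(ev["parent_pid"], ev["parent_image"])

    def descends_from_squirrel(pid: int) -> bool:
        # Walk the ancestry; stop on cycles or when the parent is unknown.
        seen = set()
        while pid in parent_of and pid not in seen:
            seen.add(pid)
            pid = parent_of[pid]
            if is_squirrel_updater(image_of.get(pid, "")):
                return True
        return False

    findings: List[Dict] = []
    for ev in events:
        if ev["event_id"] == 1 and is_squirrel_updater(ev["parent_image"]):
            # Low on its own: every legitimate Squirrel-packaged app does this.
            findings.append({"rule": "squirrel_update_spawn", "pid": ev["pid"],
                             "image": ev["image"], "severity": "low"})
        elif ev["event_id"] == 7 and _base(ev["image_loaded"]) in CLR_DLLS:
            host = ev["image"]
            if _base(host) in KNOWN_CLR_HOSTS or not USER_WRITABLE.match(host):
                continue
            # A binary outside the allow-list, in a user-writable path, hosting the
            # CLR; high when it also descends from a Squirrel updater, which is the
            # Squirrel -> Electron -> native loader -> CLR chain described above.
            sev = "high" if descends_from_squirrel(ev["pid"]) else "medium"
            findings.append({"rule": "unmanaged_clr_host", "pid": ev["pid"],
                             "image": host, "severity": sev})
    return findings


# Constructed sample telemetry (not real Coyote artifacts).
APP_DIR = r"C:\Users\alice\AppData\Local\ContaApp"
SAMPLE_EVENTS = [
    {"event_id": 1, "pid": 3030, "image": APP_DIR + r"\app-1.2.0\ContaApp.exe",
     "parent_pid": 2020, "parent_image": APP_DIR + r"\Update.exe"},
    {"event_id": 1, "pid": 4040, "image": APP_DIR + r"\app-1.2.0\resources\stage2.exe",
     "parent_pid": 3030, "parent_image": APP_DIR + r"\app-1.2.0\ContaApp.exe"},
    {"event_id": 7, "pid": 4040, "image": APP_DIR + r"\app-1.2.0\resources\stage2.exe",
     "image_loaded": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll"},
    # Benign: PowerShell always hosts the CLR.
    {"event_id": 7, "pid": 5050, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image_loaded": r"C:\Windows\System32\mscoree.dll"},
    # Benign: a machine-wide install outside user-writable space.
    {"event_id": 7, "pid": 6060, "image": r"C:\Program Files\Vendor\tool.exe",
     "image_loaded": r"C:\Windows\System32\mscoree.dll"},
]

if __name__ == "__main__":
    for finding in find_loader_chains(SAMPLE_EVENTS):
        print(finding)
```

Genuine .NET applications installed per-user (many Electron-adjacent tools and Squirrel-packaged apps are .NET) also load `mscoree.dll`, so the medium-severity rule will need an allow-list tuned to the estate; pairing it with a PE check for the absence of a CLR header turns "hosts the CLR" into "unmanaged binary hosts the CLR", which is the actual signal for a native loader like the Nim stage.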

Once Coyote is running, it establishes persistence by abusing Windows logon scripts, then monitors the applications open on the victim’s system, waiting for one of the targeted banking applications or websites to be used. It talks to its command-and-control (C2) server over TLS with mutual authentication, so the client and server each authenticate the other with certificates.
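The text says only that Coyote persists through Windows logon scripts. The per-user logon-script mechanism assumed in this added example (not Coyote's code and not from the Kaspersky report) is the `UserInitMprLogonScript` value under `HKCU\Environment`, which `userinit.exe` runs at logon (MITRE ATT&CK T1037.001). The script scans Sysmon Event ID 13 (registry value set) records in a constructed pipe-separated `Key: value` text format and, on Windows, can also read the live value for the current user; the event lines, paths and names below are constructed.

```python
import re
import sys
from typing import Dict, List, Optional

# Per-user logon script: userinit.exe runs whatever this value points at when the
# user logs on (ATT&CK T1037.001). Assumed here to be the "logon scripts" the
# article refers to.
LOGON_SCRIPT_VALUE = re.compile(r"\\Environment\\UserInitMprLogonScript$", re.I)
# A logon script pointing into a user-writable tree is the suspicious case; scripts
# deployed by Group Policy normally live on SYSVOL or another admin-controlled share.
USER_WRITABLE = re.compile(r"\\(appdata|temp|programdata|public|users\\[^\\]+)\\", re.I)


def parse_event(line: str) -> Dict[str, str]:
    """Parse a pipe-separated 'Key: value' line (the constructed format used below)."""
    fields: Dict[str, str] = {}
    for part in line.split("|"):
        key, _, value = part.partition(": ")
        fields[key.strip()] = value.strip()
    return fields


def scan_logon_script_events(lines: List[str]) -> List[Dict[str, str]]:
    """Return one finding per registry write to a UserInitMprLogonScript value."""
    findings: List[Dict[str, str]] = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "13":  # Sysmon RegistryEvent (Value Set)
            continue
        target = ev.get("TargetObject", "")
        if not LOGON_SCRIPT_VALUE.search(target):
            continue
        script = ev.get("Details", "")
        severity = "high" if USER_WRITABLE.search(script) else "low"
        findings.append({"severity": severity, "writer": ev.get("Image", ""),
                         "script": script, "target": target})
    return findings


def check_live_registry() -> Optional[str]:
    """On Windows, return the current user's UserInitMprLogonScript value, or None
    if it is not set. Returns None on other platforms (winreg is Windows-only)."""
    if sys.platform != "win32":
        return None
    import winreg  # stdlib, Windows only
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, "Environment") as key:
            value, _ = winreg.QueryValueEx(key, "UserInitMprLogonScript")
            return str(value)
    except FileNotFoundError:
        return None


# Constructed sample events (not real Coyote artifacts). The first is the pattern
# to worry about: a binary in the user's profile registering itself as the logon
# script. The third is a Group Policy client setting a SYSVOL-hosted script.
SAMPLE_EVENTS = [
    r"EventID: 13|Image: C:\Users\alice\AppData\Local\ContaApp\app-1.2.0\resources\stage2.exe"
    r"|TargetObject: HKU\S-1-5-21-111-222-333-1001\Environment\UserInitMprLogonScript"
    r"|Details: C:\Users\alice\AppData\Local\ContaApp\app-1.2.0\resources\stage2.exe",
    r"EventID: 13|Image: C:\Windows\System32\svchost.exe"
    r"|TargetObject: HKU\S-1-5-21-111-222-333-1001\Environment\TEMP"
    r"|Details: %USERPROFILE%\AppData\Local\Temp",
    r"EventID: 13|Image: C:\Windows\System32\gpscript.exe"
    r"|TargetObject: HKU\S-1-5-21-111-222-333-1001\Environment\UserInitMprLogonScript"
    r"|Details: \\corp.example\SYSVOL\corp.example\scripts\logon.bat",
]

if __name__ == "__main__":
    for finding in scan_logon_script_events(SAMPLE_EVENTS):
        print(finding)
    print("live value:", check_live_registry())
```

Even the low-severity finding is worth a look in an estate that does not deploy logon scripts at all: the value should simply not exist there, so any write to it is anomalous regardless of the path it points to.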

To the C2 server the Trojan reports the machine name, a randomly generated GUID, and the banking application currently in use. The server replies with a packet listing the actions the Trojan should carry out: taking screenshots, displaying fake overlays on top of the banking application (including full-screen overlays), enabling a keylogger, and capturing user credentials through phishing overlays.

Coyote marks a notable evolution in the banking-Trojan landscape: its developers combined Node.js, .NET and a modern packaging framework, and added a Nim loader that makes the chain harder to analyse. It is a concrete instance of threat actors adopting newer languages and tooling in their campaigns.

The majority of infections caused by the Coyote banking Trojan have been reported in Brazil, and Kaspersky products detect the threat as HEUR:Trojan-Banker.MSIL.Coyote.gen. Organizations and individuals are advised to take proactive measures and remain vigilant to protect themselves from such threats.

For those seeking more detailed analysis of the latest Coyote versions, Kaspersky offers private Threat Intelligence Reports. Customers can contact crimewareintel@kaspersky.com for more information.

Reference IoCs (indicators of compromise):
Host-based (MD5 hash)
03eacccb664d517772a33255dff96020…
C2 domain list
atendesolucao[.]com
servicoasso[.]com
dowfinanceiro[.]com
centralsolucao[.]com
traktinves[.]com
diadaacaodegraca[.]com
segurancasys[.]com
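As an added example (not part of the original report), the following Python hunt takes the defanged C2 domain list above, refangs it in memory, and matches it against DNS query logs, including queries for subdomains of a listed domain and names with a trailing dot, while reporting hits defanged again. The log lines are constructed in a simple `timestamp client query type name` format, and the matcher does not use the MD5 because the page prints it truncated.

```python
import re
from typing import Dict, List, Optional

# C2 domains exactly as listed on the page (defanged); refanged only in memory.
IOC_DOMAINS_DEFANGED = [
    "atendesolucao[.]com", "servicoasso[.]com", "dowfinanceiro[.]com",
    "centralsolucao[.]com", "traktinves[.]com", "diadaacaodegraca[.]com",
    "segurancasys[.]com",
]


def refang(name: str) -> str:
    """Turn a defanged indicator into a comparable lower-case FQDN."""
    return name.strip().lower().replace("[.]", ".").replace("(.)", ".").rstrip(".")


def defang(name: str) -> str:
    return name.replace(".", "[.]")


class DomainMatcher:
    """Exact and subdomain matching against a set of IoC domains."""

    def __init__(self, defanged: List[str]):
        self._iocs = {refang(d) for d in defanged}

    def match(self, qname: str) -> Optional[str]:
        # Try the full name, then each parent: api.atendesolucao.com matches
        # atendesolucao.com, but notatendesolucao.com does not.
        labels = refang(qname).split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in self._iocs:
                return candidate
        return None


# Constructed log format: <timestamp> <client> query <qtype> <qname>
DNS_LINE = re.compile(r"^(\S+)\s+(\S+)\s+query\s+(\S+)\s+(\S+)$")


def scan_dns_log(lines: List[str], matcher: DomainMatcher) -> List[Dict[str, str]]:
    hits: List[Dict[str, str]] = []
    for line in lines:
        m = DNS_LINE.match(line.strip())
        if not m:
            continue  # unparseable line; a real pipeline would count these
        ts, client, qtype, qname = m.groups()
        ioc = matcher.match(qname)
        if ioc:
            hits.append({"ts": ts, "client": client, "qtype": qtype,
                         "qname": refang(qname), "ioc": defang(ioc)})
    return hits


# Constructed sample log lines (not real traffic).
SAMPLE_DNS_LOG = [
    "2024-02-09T13:05:12Z 10.0.0.25 query A api.atendesolucao.com",
    "2024-02-09T13:05:13Z 10.0.0.25 query A www.example.com",
    "2024-02-09T13:07:41Z 10.0.0.31 query A notatendesolucao.com",
    "2024-02-09T13:09:02Z 10.0.0.25 query AAAA segurancasys.com.",
    "garbage line that should be skipped",
]

if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_DNS_LOG, DomainMatcher(IOC_DOMAINS_DEFANGED)):
        print(hit)
```

Because the Trojan authenticates to its C2 with a client certificate, a second, IoC-independent hunt is feasible on proxy or network-sensor logs that record whether a TLS client presented a certificate: outbound sessions from user workstations that do so, to domains outside the known allow-list, are rare enough to review by hand.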
