Pierluigi Paganini February 04, 2025

Coyote Banking Trojan targets Brazilian users, stealing data from over 70 financial applications and websites.

FortiGuard Labs researchers detected a campaign using LNK files executing PowerShell commands to deploy the Coyote Banking Trojan. Threat actors target Brazilian users by stealing financial data, the malware can harvest sensitive information from over 70 financial applications and numerous websites.

The Coyote Banking Trojan supports multiple malicious functions, including keylogging, capturing screenshots, and displaying phishing overlays to steal sensitive credentials.

The LNK file runs a PowerShell command that connects to a remote server, triggering the next stage of the Coyote Banking Trojan attack. The researchers analyzed the LNK files’ metadata, including Machine ID and MAC addresses, to trace infections linked to the same threat actor. The script retrieved from the remote server contains encoded data segments, which are decoded and executed to advance the malware’s operation.

“The “bmwiMcDec” DLL file functions as a loader, utilizing VirtualAllocEx and WriteProcessMemory to inject the “npuGDec” payload. It then employs CreateRemoteThread to execute the injected malicious code, facilitating the continuation of the attack.” states the report published by Fortinet. “The injected code leverages Donut, a tool designed to decrypt and execute the final MSIL (Microsoft Intermediate Language) payloads. This ensures seamless delivery and execution of the attack’s next stage.”

The decrypted MSIL file maintains persistence by modifying the Windows registry to execute a PowerShell command that downloads the Coyote Banking Trojan. It gathers system details, including antivirus information, encodes the data, and sends it to a remote server. The malware then executes the PowerShell command from the registry to retrieve and run the final payload.

The Coyote Banking Trojan expands its list of targets to include 1,030 sites and 73 financial agents, including mercadobitcoin.com.br, bitcointrade.com.br, augustoshotel.com.br, and others. Then the malware starts monitoring the active window.

The Coyote Banking Trojan monitors active windows and contacts its C2 servers when a target site is accessed. Then it receives commands from the server, including taking screenshots, simulating key presses, manipulating windows, enabling a keylogger, or shutting down the device. The malware can also display fake overlays, control user-visible windows, and perform automated navigation actions.

“Coyote’s infection process is complex and multi-staged. This attack leveraged an LNK file for initial access, which subsequently led to the discovery of other malicious files. This Trojan poses a significant threat to financial cybersecurity, particularly because it has the potential to expand beyond its initial targets.” concludes the report. “Consequently, it highlights the critical need for robust security measures for both individuals and institutions to safeguard against evolving cyber threats.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, malware)