New Coyote Trojan Targets 61 Brazilian Banks With Nim-Powered Attack


Sixty-one banking institutions, all from Brazil, are being targeted by a new banking Trojan called Coyote.

“This malware uses the Squirrel installer for distribution, using Node.js and a relatively new multi-platform programming language called Nim as a loader to complete the infection,” Russian cybersecurity company Kaspersky said in a Thursday report.

What makes Coyote different from other banking Trojans of its kind is its use of the open-source Squirrel framework for installing and updating Windows apps. Another notable departure is the shift from Delphi – common among banking malware families targeting Latin America – to unusual programming languages like Nim.

In the attack chain documented by Kaspersky, a Squirrel installer executable is used as a starting point for a Node.js application compiled with Electron, which in turn runs a Nim-based loader that triggers execution of the malicious Coyote payload by means of DLL side-loading.

The malicious dynamic link library, called “libcef.dll”, is side-loaded using a legitimate executable called “obs-browser-page.exe”, which is also included in the Node.js project. It is worth noting that the original libcef.dll is part of the Chromium Embedded Framework (CEF).

Once executed, Coyote “monitors all open applications on the victim’s system and waits for the specific banking application or website to open,” after which it contacts an actor-controlled server to retrieve the next-stage instructions.


It has the ability to run a wide range of commands to take screenshots, log keystrokes, end processes, display fake overlays, move the mouse cursor to a specific location and even shut down the machine. It can also completely lock the machine behind a fake “Working on updates…” message while performing malicious actions in the background.

“The addition of Nim as a loader adds complexity to the Trojan’s design,” Kaspersky said. “This evolution highlights the increasing sophistication within the threat landscape and shows how threat actors are adapting and using the latest languages and tools in their malicious campaigns.”

The development comes as Brazilian law enforcement authorities dismantled the Grandoreiro operation and issued five temporary arrest warrants and thirteen search warrants against the masterminds behind the malware in five Brazilian states.

It also follows the discovery of a new Python-based information stealer linked to the Vietnamese architects associated with MrTonyScam and spread via booby-trapped Microsoft Excel and Word documents.

The stealer “collects browser cookies and login credentials […] from a wide range of browsers, from well-known browsers such as Chrome and Edge to browsers aimed at the local market, such as the Cốc Cốc browser,” Fortinet FortiGuard Labs said in a report published this week.
