New Coyote Trojan targets 61 Brazilian banks with Nim-powered attack

09 February 2024 | Pressroom | Endpoint Security / Cryptocurrency

Coyote banking Trojan

Sixty-one banking institutions, all based in Brazil, are the targets of a new banking Trojan called Coyote.

“This malware uses the Squirrel installer for distribution, leveraging Node.js and a relatively new cross-platform programming language called Nim as a loader to complete the infection,” Russian cybersecurity firm Kaspersky said in a report on Thursday.

What makes Coyote a different breed from other banking Trojans of its kind is its use of the open-source Squirrel framework, which is normally used for installing and updating Windows apps. Another notable difference is the move away from Delphi, which is prevalent among banking malware families targeting Latin America, to a far less common language, Nim.


In the attack chain documented by Kaspersky, a Squirrel installer executable serves as a launchpad for a Node.js application packaged with Electron, which in turn runs a Nim-based loader that triggers execution of the malicious Coyote payload via DLL side-loading.

The malicious dynamic-link library, named “libcef.dll”, is side-loaded by a legitimate executable named “obs-browser-page.exe”, which is also bundled in the Node.js project. The DLL borrows the name of the genuine libcef.dll, which is part of the Chromium Embedded Framework (CEF), so that the trusted executable resolves and loads it as if it were the real library.
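A defender reading the above will want to hunt for that loader/DLL pairing in endpoint telemetry. The following is an added example, not code from Kaspersky's report: it scores Sysmon Event ID 7 (image load) records for the classic side-loading shape, a DLL loaded from a user-writable directory, sitting beside its loader, where the loader/DLL names match the pair the report names. The sample events, the directory patterns treated as user-writable, the Squirrel install layout under %LocalAppData%, and the use of the DLL's signature status as an extra signal are all assumptions made here; the report only gives the two file names.

```python
"""Hunt for the obs-browser-page.exe -> libcef.dll side-loading pattern in
Sysmon Event ID 7 (ImageLoaded) records. Added example; the events below
are constructed, not real telemetry."""
import ntpath
import re

# Loader/DLL pairing named in the report: a legitimate OBS helper executable
# loading a DLL that carries the name of the Chromium Embedded Framework library.
KNOWN_SIDELOAD_PAIRS = {("obs-browser-page.exe", "libcef.dll")}

# Directories a standard user can write to (assumption: this list is a
# starting point, not exhaustive). Squirrel-installed apps live under
# %LocalAppData%\<App>\app-<version>\ (assumption about Squirrel's layout),
# which is why loads from AppData are the ones worth scoring here.
USER_WRITABLE = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\(appdata\\(local|roaming)|downloads|desktop|documents)\\",
    re.IGNORECASE,
)


def is_user_writable(path: str) -> bool:
    """True if the Windows path sits under a directory a normal user can write to."""
    return bool(USER_WRITABLE.match(path))


def score_image_load(event: dict) -> int:
    """Score one Sysmon EID 7 record; 0 means 'not interesting'.

    Signals (each adds to the score):
      +1 DLL loaded from a user-writable directory (prerequisite for any score)
      +1 DLL sits in the same directory as the loader (planted-beside-exe shape)
      +2 loader/DLL names match a known side-loading pair from the report
      +1 DLL is unsigned (assumption: the planted DLL is unsigned; the report
         does not state this, so it is only a weak extra signal)
    """
    loader = event.get("Image", "")
    dll = event.get("ImageLoaded", "")
    if not is_user_writable(dll):
        return 0
    score = 1
    if ntpath.dirname(loader).lower() == ntpath.dirname(dll).lower():
        score += 1
    pair = (ntpath.basename(loader).lower(), ntpath.basename(dll).lower())
    if pair in KNOWN_SIDELOAD_PAIRS:
        score += 2
    if str(event.get("Signed", "")).lower() == "false":
        score += 1
    return score


def severity(score: int) -> str:
    """Map a score to a triage bucket (thresholds are an assumption)."""
    if score >= 4:
        return "high"
    if score == 3:
        return "medium"
    return "low"


def find_sideload_candidates(events: list) -> list:
    """Return scored findings, highest score first, for every event that scores > 0."""
    findings = []
    for ev in events:
        s = score_image_load(ev)
        if s:
            findings.append({
                "severity": severity(s),
                "score": s,
                "loader": ev.get("Image", ""),
                "dll": ev.get("ImageLoaded", ""),
            })
    findings.sort(key=lambda f: -f["score"])
    return findings


# Constructed sample records in Sysmon EID 7 field names. Paths are made up.
SAMPLE_EVENTS = [
    {   # Genuine OBS install under Program Files: not user-writable, ignored.
        "Image": r"C:\Program Files\obs-studio\obs-plugins\64bit\obs-browser-page.exe",
        "ImageLoaded": r"C:\Program Files\obs-studio\obs-plugins\64bit\libcef.dll",
        "Signed": "true",
    },
    {   # Squirrel-style install dir, known pair, DLL beside loader, unsigned.
        "Image": r"C:\Users\alice\AppData\Local\UpdaterApp\app-1.0.3\obs-browser-page.exe",
        "ImageLoaded": r"C:\Users\alice\AppData\Local\UpdaterApp\app-1.0.3\libcef.dll",
        "Signed": "false",
    },
    {   # An ordinary per-user Electron app loading its own DLL: low priority.
        "Image": r"C:\Users\alice\AppData\Local\Programs\ChatApp\ChatApp.exe",
        "ImageLoaded": r"C:\Users\alice\AppData\Local\Programs\ChatApp\ffmpeg.dll",
        "Signed": "true",
    },
    {   # Known pair in Downloads, DLL beside loader, but signed: still high.
        "Image": r"C:\Users\bob\Downloads\setup\obs-browser-page.exe",
        "ImageLoaded": r"C:\Users\bob\Downloads\setup\libcef.dll",
        "Signed": "true",
    },
]

if __name__ == "__main__":
    for finding in find_sideload_candidates(SAMPLE_EVENTS):
        print(finding["severity"], finding["score"], finding["loader"], "->", finding["dll"])
```

The rule deliberately keeps the "user-writable directory" check as the gate: the same executable loading the same DLL name from a protected install directory is normal OBS behaviour, and a rule that matched on file names alone would page on every OBS user. Feed it real EID 7 records exported as JSON and extend KNOWN_SIDELOAD_PAIRS only with pairings you have evidence for.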

Coyote, once executed, “monitors all open applications on the victim’s system and waits for access to the specific banking application or website,” subsequently contacting a server controlled by the actor to retrieve next-stage directives.


It can execute a wide range of commands to take screenshots, log keystrokes, kill processes, display fake overlays, move the mouse cursor to a specific location, and even shut down the machine. It can also completely freeze the machine with a fake “Working on updates…” message while carrying out malicious actions in the background.

“The addition of Nim as a loader adds complexity to the Trojan’s design,” Kaspersky said. “This evolution highlights the growing sophistication of the threat landscape and shows how threat actors are adapting and using the latest languages and tools in their malicious campaigns.”


The development comes as Brazilian law enforcement, in an action dubbed Operation Grandoreiro, moved to dismantle the Grandoreiro banking malware operation, issuing five temporary arrest warrants and 13 search and seizure warrants against the people behind the malware across five Brazilian states.

It also follows the discovery of a new Python-based information stealer attributed to Vietnamese threat actors associated with MrTonyScam and distributed via booby-trapped Microsoft Excel and Word documents.

The stealer “collects browser cookies and login data […] from a wide range of browsers, from familiar browsers such as Chrome and Edge to browsers focused on the local market, such as the Cốc Cốc browser,” Fortinet FortiGuard Labs said in a report published this week.
