The “Coyote” malware begins its hunt, preying on 61 banking apps

Researchers have discovered a new banking Trojan they’ve nicknamed “Coyote,” which searches for credentials for 61 different online banking applications.

Coyote, detailed by Kaspersky in an analysis published today, stands out both for its broad targeting of banking apps (mostly, for now, in Brazil) and for its sophisticated interweaving of several rudimentary and advanced components: a relatively new open source installer called Squirrel; Node.js; a little-known programming language called Nim; and more than a dozen malicious capabilities. Overall, it represents a notable evolution in Brazil’s thriving financial malware market and could spell big trouble for security teams if it expands its focus.

“They have been developing banking Trojans for more than 20 years: they started in 2000,” says Fabio Assolini, head of the Latin American Global Research and Analysis Team (GReAT) at Kaspersky, of the Brazilian malware developers. “In 24 years of developing and bypassing new authentication methods and new protection technologies, they have been very creative, and you can see it now with this newest Trojan.”

For now, this may be a Brazil-focused consumer threat, but as mentioned, there are clear reasons why organizations should be aware of Coyote. First of all, as Assolini warns, “the malware families that in the past were successful in the Brazilian market have also expanded abroad. This is why companies and banks must be prepared to face it.”

Another reason security teams pay attention to the emergence of new banking Trojans is their history of evolving into true initial access Trojans and backdoors; this was the case with Emotet and Trickbot, for example, and more recently with QakBot and Ursnif.

Coyote has the under-the-hood functionality to follow suit: it can execute a variety of commands, including directives to take screenshots, log keystrokes, kill processes, shut down the machine, and move the cursor. It can also completely freeze the machine behind a fake “Working on updates…” overlay.

The Coyote Trojan runs with Squirrel and Nim

So far in its attacks, Coyote behaves like any other modern banking Trojan: when a targeted application is launched on an infected machine, the malware sends a ping to a command and control (C2) server run by the attacker and displays a matching phishing overlay on the victim’s screen to capture the user’s login information. What sets Coyote apart is the way it evades potential detection.

Most banking Trojans use Windows Installer (MSI), Kaspersky noted in its blog post, which makes them an easy tell for cybersecurity defenders. That’s why Coyote opts for Squirrel, a legitimate open source tool for installing and updating Windows desktop apps. Using Squirrel, Coyote attempts to disguise its malicious first-stage loader as a perfectly honest update packager.

Its final-stage loader is even more unusual, as it is written in the relatively niche programming language Nim. This is the first banking Trojan Kaspersky has identified using Nim.

“Most of the old banking Trojans were written in Delphi, which is quite old and used in many families. Therefore, over the years, Delphi malware detection has become very good, and the infection efficiency has slowed down over the years,” explains Assolini. With Nim, “they have a more modern language to program with new features and a low rate of detection by security software.”
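The installer and loader choices described above (Squirrel instead of MSI, a Node.js stage, then a Nim loader) give defenders a process-lineage signal to hunt on. The following is an added illustration, not Kaspersky’s detection logic and not code from the report: a small Python heuristic that flags a Squirrel updater process spawning a script runtime. It assumes the Squirrel.Windows updater binary is named `Update.exe` (true for the real Squirrel project) and that the Node.js runtime is `node.exe`; the process-creation events are constructed here, not real telemetry. A benign Squirrel launch (the updater starting the app’s own executable) is included to show that the rule does not fire on ordinary Electron-style installs.

```python
"""Process-lineage heuristic for Squirrel installer abuse (added example).

Assumptions, labelled:
  - Squirrel.Windows ships its installer/updater as Update.exe (real project fact).
  - A Node.js runtime shows up as node.exe; other script hosts could be added.
  - SAMPLE_EVENTS below are constructed, not captured from a real host.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record, as an EDR or Sysmon-style feed would emit it."""
    pid: int
    ppid: int
    image: str      # full path of the newly created process
    cmdline: str    # command line of the new process


SQUIRREL_UPDATER = "update.exe"          # assumption: Squirrel's updater binary name
SCRIPT_RUNTIMES = {"node.exe"}           # assumption: Node.js runtime name; extendable


def image_name(path: str) -> str:
    """Lower-cased file name of a Windows path, so matching is case-insensitive."""
    return PureWindowsPath(path).name.lower()


def flag_squirrel_lineage(events: Iterable[ProcEvent]) -> List[Tuple[ProcEvent, ProcEvent]]:
    """Return (child, parent) pairs where a Squirrel updater spawned a script runtime.

    A Squirrel updater normally starts the packaged application's own executable;
    a script interpreter as the direct child is the anomaly worth reviewing.
    """
    events = list(events)
    by_pid = {e.pid: e for e in events}
    hits = []
    for child in events:
        parent = by_pid.get(child.ppid)
        if parent is None:
            continue  # parent not in the window we have; cannot judge lineage
        if image_name(parent.image) == SQUIRREL_UPDATER and image_name(child.image) in SCRIPT_RUNTIMES:
            hits.append((child, parent))
    return hits


# Constructed sample: one benign Squirrel launch and one suspicious one.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    # Benign: a Squirrel-installed app's updater starts the app itself.
    ProcEvent(200, 100, r"C:\Users\alice\AppData\Local\SomeApp\Update.exe",
              "Update.exe --processStart SomeApp.exe"),
    ProcEvent(201, 200, r"C:\Users\alice\AppData\Local\SomeApp\app-1.0\SomeApp.exe", "SomeApp.exe"),
    # Suspicious: an updater dropped under Temp starts a Node.js runtime instead.
    ProcEvent(300, 100, r"C:\Users\alice\AppData\Local\Temp\Installer\Update.exe",
              "Update.exe --processStart node.exe"),
    ProcEvent(301, 300, r"C:\Users\alice\AppData\Local\Temp\Installer\app-1.0\node.exe",
              "node.exe stage2.js"),
]


if __name__ == "__main__":
    for child, parent in flag_squirrel_lineage(SAMPLE_EVENTS):
        print(f"pid {child.pid} ({child.cmdline}) spawned by Squirrel updater pid {parent.pid}")
```

Run as-is it reports only the `node.exe` child (pid 301). In practice the parent-name match should be paired with a signer or hash check on `Update.exe`, since a real Squirrel build is signed by the legitimate application vendor while a repackaged one typically is not.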

Brazilian banking Trojans are a global problem

If Coyote has to do so much to stand out, it’s because the world’s fifth-largest nation has become the world’s leading hub for banking malware in recent years.

And as much as these programs plague Brazilians, they also have a habit of crossing bodies of water.

“These guys have a lot of experience developing banking Trojans and are eager to expand their attacks worldwide,” Assolini points out. “Right now we can find Brazilian banking Trojans attacking companies and people even in countries as far away as Australia and Europe. This week, a member of my team found a new version in Italy.”

To demonstrate the future potential of a tool like Coyote, Assolini points to Grandoreiro, a similar Trojan that made inroads in Mexico and Spain but also far beyond. By the end of last fall, he says, it had reached a total of 41 countries.

A byproduct of that success, however, was greater attention from law enforcement. In an attempt to disrupt the free flow of this type of malware through the cyber underground, Brazilian police made an unusual move: they executed five temporary arrest warrants and 13 search and seizure warrants against the architects behind Grandoreiro in five Brazilian states.

“The problem in Brazil is that they don’t have very effective local law enforcement to punish these attackers. It works better when there is an entity outside the country that exerts some pressure, as happened with Grandoreiro, when the police and the banks in Spain were putting pressure on the Brazilian federal police to capture these guys,” says Assolini.

So, he concludes, “they are improving, but there is still a long way to go, because many cyber criminals are still free [in Brazil] and committing many attacks around the world.”
