New Coyote Trojan Targets 61 Brazilian Banks with Nim-Powered Assault

Feb 09, 2024NewsroomEndpoint Safety / Cryptocurrency

Sixty-one banking establishments, all of them originating from Brazil, are the goal of a brand new banking trojan referred to as Coyote.

“This malware makes use of the Squirrel installer for distribution, leveraging Node.js and a comparatively new multi-platform programming language referred to as Nim as a loader to finish its an infection,” Russian cybersecurity agency Kaspersky mentioned in a Thursday report.

What makes Coyote a distinct breed from different banking trojans of its variety is the usage of the open-source Squirrel framework for putting in and updating Home windows apps. One other notable departure is the shift from Delphi – which is prevalent amongst banking malware households concentrating on Latin America – to an unusual programming language like Nim.

Within the assault chain documented by Kaspersky, a Squirrel installer executable is used as a launchpad for a Node.js software compiled with Electron, which, in flip, runs a Nim-based loader to set off the execution of the malicious Coyote payload by way of DLL side-loading.

The malicious dynamic-link library, named “libcef.dll,” is side-loaded by way of a official executable named “obs-browser-page.exe,” which can also be included within the Node.js challenge. It is price noting that the unique libcef.dll is a part of the Chromium Embedded Framework (CEF).

Coyote, as soon as executed, “screens all open purposes on the sufferer’s system and waits for the precise banking software or web site to be accessed,” subsequently contacting an actor-controlled server to fetch next-stage directives.

It has the aptitude to execute a variety of instructions to take screenshots, log keystrokes, terminate processes, show faux overlays, transfer the mouse cursor to a particular location, and even shut down the machine. It may well additionally outright block the machine with a bogus “Engaged on updates…” message whereas executing malicious actions within the background.

“The addition of Nim as a loader provides complexity to the trojan’s design,” Kaspersky mentioned. “This evolution highlights the rising sophistication throughout the risk panorama and exhibits how risk actors are adapting and utilizing the most recent languages and instruments of their malicious campaigns.”

The event comes as Brazilian legislation enforcement authorities dismantled the Grandoreiro operation and issued 5 short-term arrest warrants and 13 search and seizure warrants for the masterminds behind the malware throughout 5 Brazilian states.

It additionally follows the invention of a brand new Python-based data stealer that is associated to the Vietnamese architects related to MrTonyScam and distributed by way of booby-trapped Microsoft Excel and Phrase paperwork.

The stealer “collects browsers’ cookies and login knowledge […] from a variety of browsers, from acquainted browsers similar to Chrome and Edge to browsers centered on the native market, just like the Cốc Cốc browser,” Fortinet FortiGuard Labs mentioned in a report printed this week.