How Are Cyberattacks Using LNK Files to Target Brazilian Banks?

A new wave of cyberattacks leveraging the Coyote Banking Trojan has been identified, targeting financial institutions in Brazil. This sophisticated malware employs malicious Windows LNK (shortcut) files as an entry point to execute PowerShell scripts, enabling multi-stage infection chains that ultimately result in data theft and system compromise. The attackers utilize a series of complex techniques to evade detection, establish persistence, and exfiltrate sensitive information from affected systems. Understanding the intricacies of these attacks is crucial for developing effective defense strategies and mitigating the risks posed by such threats to the banking sector.

LNK File Exploitation

The attack begins with a malicious LNK file that initiates a stealthy PowerShell command. This command connects to a remote server to download additional payloads. Fortinet researchers noted that the initial PowerShell script used in these attacks initiates the download of encoded shellcode, which is then decoded and executed to load the next stage of the attack. The LNK file is crafted to include malicious arguments in its “Target” field, which upon execution, triggers the embedded PowerShell script.

An example of the target path used in these attacks is: cmd.exe /c powershell.exe -ExecutionPolicy Bypass -File malicious.ps1. The downloaded script decodes two embedded data segments and injects them into memory using Windows API functions like VirtualAllocEx and WriteProcessMemory. This process is facilitated by a loader DLL, which uses CreateRemoteThread to execute the injected code. This method allows the malware to execute without being detected by traditional security measures that scan for malicious files on the disk.

Payload Delivery and Persistence

To ensure continued operation on infected systems, the Coyote malware employs a series of sophisticated persistence mechanisms. The malware modifies the Windows Registry at: HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun. It creates a new entry with a randomized name pointing to a Base64-encoded PowerShell command designed to execute the payload each time the system starts. This technique ensures that the malware can survive system reboots and remain active over an extended period.

In addition to registry modifications, Coyote establishes secure communication with its command and control (C2) servers using SSL channels. This encrypted communication allows the malware to transmit system information, including machine name, username, and antivirus details, encoded in Base64 and reversed for obfuscation. The malware offers a multitude of capabilities, such as keylogging, screenshot capture, and displaying phishing overlays that mimic banking interfaces. It can also terminate processes, shut down systems, and block user access with deceptive messages like “Working on updates.”

Command and Control (C2) Communication

Coyote’s C2 communication is designed to be both secure and stealthy. The malware uses SSL channels to ensure that the data transmitted between the infected machine and the C2 server is encrypted and less likely to be detected by network security tools. An example URL used by the malware to communicate with C2 servers is: hxxps://yezh[.]geontrigame[.]com/hqizjs/?I=y4CMuADfvJHUgATMgM3dvRmbpdFIOZ2bz9mcjlWT8JXZk5WZmVGRgM3dvRmbpdFfzImcoNEfOIDROUI. The information sent includes system details relevant to the attackers, helping them tailor subsequent stages of the attack to the targeted environment.

To further enhance its stealth and complexity, Coyote employs modern programming tools like Nim and Node.js. These tools are less commonly associated with malware development compared to traditional languages like C or C++, which helps the malware evade detection by signature-based antivirus software. The malware also uses DLL side-loading via legitimate executables to avoid detection. For instance, it leverages the Squirrel installer framework for distribution, disguising itself as a legitimate update package to trick users into executing it.

Targeted Institutions and Defense Strategies

A recent surge in cyberattacks involving the Coyote Banking Trojan has been detected, particularly targeting financial institutions in Brazil. This advanced malware operates by using malicious Windows LNK (shortcut) files as a gateway to run PowerShell scripts, which initiate a series of infection stages. These stages lead to data theft and system compromise. The attackers employ a range of sophisticated techniques to avoid detection, maintain long-term access, and siphon off sensitive data from compromised systems.

Financial institutions must understand these complex attack mechanisms to formulate strong defense strategies and reduce the risks these threats pose to the banking sector. This involves comprehending how the Coyote Banking Trojan infiltrates systems, spreads its payloads, and exfiltrates data. By doing so, institutions can better brace themselves against these multifaceted threats and enhance their cybersecurity measures.

Addressing these cyber threats will require ongoing vigilance, advanced security protocols, and a thorough understanding of the evolving tactics used by cybercriminals targeting the financial sector.

Explore more

Digital Transformation Challenges – Review

Imagine a boardroom where executives, once brimming with optimism about technology-driven growth, now grapple with mounting doubts as digital initiatives falter under the weight of complexity. This scenario is not a distant fiction but a reality for 65% of business leaders who, according to recent research, are losing confidence in delivering value through digital transformation. As organizations across industries strive

Understanding Private APIs: Security and Efficiency Unveiled

In an era where data breaches and operational inefficiencies can cripple even the most robust organizations, the role of private APIs as silent guardians of internal systems has never been more critical, serving as secure conduits between applications and data. These specialized tools, designed exclusively for use within a company, ensure that sensitive information remains protected while workflows operate seamlessly.

How Does Storm-2603 Evade Endpoint Security with BYOVD?

In the ever-evolving landscape of cybersecurity, a new and formidable threat actor has emerged, sending ripples through the industry with its sophisticated methods of bypassing even the most robust defenses. Known as Storm-2603, this ransomware group has quickly gained notoriety for its innovative use of custom malware and advanced techniques that challenge traditional endpoint security measures. Discovered during a major

Samsung Rolls Out One UI 8 Beta to Galaxy S24 and Fold 6

Introduction Imagine being among the first to experience cutting-edge smartphone software, exploring features that redefine user interaction and security before they reach the masses. Samsung has sparked excitement among tech enthusiasts by initiating the rollout of the One UI 8 Beta, based on Android 16, to select devices like the Galaxy S24 series and Galaxy Z Fold 6. This beta

Broadcom Boosts VMware Cloud Security and Compliance

In today’s digital landscape, where cyber threats are intensifying at an alarming rate and regulatory demands are growing more intricate by the day, Broadcom has introduced groundbreaking enhancements to VMware Cloud Foundation (VCF) to address these pressing challenges. Organizations, especially those in regulated industries, face unprecedented risks as cyberattacks become more sophisticated, often involving data encryption and exfiltration. With 65%