How Are Cyberattacks Using LNK Files to Target Brazilian Banks?

A new wave of cyberattacks leveraging the Coyote Banking Trojan has been identified, targeting financial institutions in Brazil. This sophisticated malware employs malicious Windows LNK (shortcut) files as an entry point to execute PowerShell scripts, enabling multi-stage infection chains that ultimately result in data theft and system compromise. The attackers utilize a series of complex techniques to evade detection, establish persistence, and exfiltrate sensitive information from affected systems. Understanding the intricacies of these attacks is crucial for developing effective defense strategies and mitigating the risks posed by such threats to the banking sector.

LNK File Exploitation

The attack begins with a malicious LNK file that launches a stealthy PowerShell command. This command connects to a remote server to download additional payloads. Fortinet researchers noted that the initial PowerShell script used in these attacks initiates the download of encoded shellcode, which is then decoded and executed to load the next stage of the attack. The LNK file is crafted to include malicious arguments in its “Target” field, which, upon execution, trigger the embedded PowerShell script.

An example of the target path used in these attacks is: cmd.exe /c powershell.exe -ExecutionPolicy Bypass -File malicious.ps1. The downloaded script decodes two embedded data segments and injects them into memory using Windows API functions like VirtualAllocEx and WriteProcessMemory. This process is facilitated by a loader DLL, which uses CreateRemoteThread to execute the injected code. This method allows the malware to execute without being detected by traditional security measures that scan for malicious files on the disk.
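For defenders triaging suspicious shortcuts, this added example (not code from the article or from Fortinet) parses the Shell Link binary layout to extract a shortcut's command-line arguments and flags launch strings like the one quoted above. The keyword list, the cp1252 fallback and the sample shortcut bytes are assumptions constructed for illustration.

```python
import struct

# LinkFlags bits defined by the Shell Link (.LNK) binary format.
HAS_IDLIST, HAS_LINKINFO, HAS_NAME, HAS_RELPATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKDIR, HAS_ARGS, IS_UNICODE = 0x10, 0x20, 0x80

# Assumed triage keywords; tune them to your environment.
SUSPICIOUS = ("powershell", "cmd.exe", "-executionpolicy", "bypass",
              "-enc", "hidden", "http://", "https://")

def lnk_arguments(data):
    """Return the COMMAND_LINE_ARGUMENTS string of a .lnk file, or ''."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = 76                                  # fixed-size header ends here
    if flags & HAS_IDLIST:                    # 2-byte size, then the ID list
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINKINFO:                  # 4-byte size that includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    # cp1252 stands in for the system code page of non-Unicode links.
    width, codec = (2, "utf-16-le") if flags & IS_UNICODE else (1, "cp1252")
    # StringData fields appear in this fixed order when their flag is set.
    for bit in (HAS_NAME, HAS_RELPATH, HAS_WORKDIR, HAS_ARGS):
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        raw = data[pos + 2 : pos + 2 + count * width]
        pos += 2 + count * width
        if bit == HAS_ARGS:
            return raw.decode(codec, errors="replace")
    return ""

def triage(args):
    """List the suspicious keywords present in a shortcut's arguments."""
    low = args.lower()
    return [tok for tok in SUSPICIOUS if tok in low]

def sample_lnk(args):
    """Constructed fixture: header plus arguments only, no link target."""
    header = struct.pack("<I16sI", 0x4C, bytes(16), HAS_ARGS | IS_UNICODE)
    blob = header.ljust(76, b"\0")
    return blob + struct.pack("<H", len(args)) + args.encode("utf-16-le")

if __name__ == "__main__":
    args = lnk_arguments(sample_lnk(
        "/c powershell.exe -ExecutionPolicy Bypass -File malicious.ps1"))
    print(args, triage(args))
```

Explorer shows the target program and these arguments together in the “Target” box, so a shortcut whose program is cmd.exe carries the PowerShell part in the arguments string this parser returns.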

Payload Delivery and Persistence

To ensure continued operation on infected systems, the Coyote malware employs a series of sophisticated persistence mechanisms. The malware modifies the Windows Registry at: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run. It creates a new entry with a randomized name pointing to a Base64-encoded PowerShell command designed to execute the payload each time the system starts. This technique ensures that the malware can survive system reboots and remain active over an extended period.
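A hunting check for this persistence pattern, as an added example that is not code from the article: it finds Run-key values that start PowerShell with an encoded command and decodes the script for review. The entry names and the harmless encoded command in `sample_entries` are constructed; `read_hkcu_run` reads the live key and works on Windows only.

```python
import base64

RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"

def encoded_command(cmdline):
    """Return the decoded script if cmdline runs PowerShell with an
    encoded command, else None."""
    if "powershell" not in cmdline.lower():
        return None
    tokens = cmdline.split()
    for flag, value in zip(tokens, tokens[1:]):
        name = flag[1:].lower()
        # PowerShell accepts any prefix of -EncodedCommand, plus -ec.
        if flag.startswith("-") and name and (
                "encodedcommand".startswith(name) or name == "ec"):
            try:   # the argument is Base64 over UTF-16LE text
                raw = base64.b64decode(value.strip("\"'"), validate=True)
                return raw.decode("utf-16-le")
            except ValueError:   # covers bad Base64 and bad UTF-16
                return None
    return None

def audit_run_entries(entries):
    """Map value name -> decoded script for entries with an encoded command."""
    decoded = {name: encoded_command(cmd) for name, cmd in entries.items()}
    return {name: script for name, script in decoded.items() if script is not None}

def read_hkcu_run():
    """Read every value under the current user's Run key (Windows only)."""
    import winreg
    out = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUN_KEY) as key:
        for i in range(winreg.QueryInfoKey(key)[1]):
            name, value, _kind = winreg.EnumValue(key, i)
            out[name] = str(value)
    return out

def sample_entries():
    """Constructed sample: one ordinary entry, one hiding an encoded command."""
    text = "Write-Output 'constructed sample'"
    payload = base64.b64encode(text.encode("utf-16-le")).decode()
    return {
        "OneDrive": r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background',
        "kqzvtxpa": "powershell.exe -NoProfile -enc " + payload,
    }

if __name__ == "__main__":
    print(audit_run_entries(sample_entries()))
```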

In addition to registry modifications, Coyote establishes secure communication with its command and control (C2) servers using SSL channels. This encrypted communication allows the malware to transmit system information, including machine name, username, and antivirus details, encoded in Base64 and reversed for obfuscation. The malware offers a multitude of capabilities, such as keylogging, screenshot capture, and displaying phishing overlays that mimic banking interfaces. It can also terminate processes, shut down systems, and block user access with deceptive messages like “Working on updates.”

Command and Control (C2) Communication

Coyote’s C2 communication is designed to be both secure and stealthy. The malware uses SSL channels to ensure that the data transmitted between the infected machine and the C2 server is encrypted and less likely to be detected by network security tools. An example URL used by the malware to communicate with C2 servers is: hxxps://yezh[.]geontrigame[.]com/hqizjs/?I=y4CMuADfvJHUgATMgM3dvRmbpdFIOZ2bz9mcjlWT8JXZk5WZmVGRgM3dvRmbpdFfzImcoNEfOIDROUI. The information sent includes system details relevant to the attackers, helping them tailor subsequent stages of the attack to the targeted environment.
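A network-side check for the beacon encoding described above, as an added example that is not code from the article: it scans URLs from proxy logs for query values that turn into readable text once reversed and Base64-decoded. The host name, the field layout of the record and the 8-character minimum are constructed assumptions; only the path and parameter name mirror the URL quoted above.

```python
import base64
import binascii
from urllib.parse import urlsplit, parse_qsl

def decode_reversed_b64(value, min_len=8):
    """Reverse value, Base64-decode it, and return readable text or None."""
    candidate = value[::-1]
    candidate += "=" * (-len(candidate) % 4)    # tolerate stripped padding
    try:
        text = base64.b64decode(candidate, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if len(text) >= min_len and text.isprintable() else None

def scan_urls(urls):
    """Return (host, parameter, decoded text) for each suspicious value."""
    hits = []
    for url in urls:
        parts = urlsplit(url)
        for key, value in parse_qsl(parts.query, keep_blank_values=True):
            # parse_qsl turns '+' into a space; restore it for Base64.
            decoded = decode_reversed_b64(value.replace(" ", "+"))
            if decoded:
                hits.append((parts.hostname, key, decoded))
    return hits

def sample_urls():
    """Constructed proxy-log URLs: one beacon-shaped, one ordinary."""
    record = "DESKTOP-TEST01|analyst|Windows Defender"   # constructed fields
    beacon = base64.b64encode(record.encode()).decode()[::-1]
    return [
        "https://c2.example.invalid/hqizjs/?I=" + beacon,
        "https://www.example.com/search?q=quarterly+report&page=2",
    ]

if __name__ == "__main__":
    for hit in scan_urls(sample_urls()):
        print(hit)
```

A value that is ordinary Base64 rather than reversed Base64 usually fails the UTF-8 and printability checks after reversal, which keeps false positives low on normal traffic.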

To further enhance its stealth and complexity, Coyote employs modern programming tools like Nim and Node.js. These tools are less commonly associated with malware development compared to traditional languages like C or C++, which helps the malware evade detection by signature-based antivirus software. The malware also uses DLL side-loading via legitimate executables to avoid detection. For instance, it leverages the Squirrel installer framework for distribution, disguising itself as a legitimate update package to trick users into executing it.

Targeted Institutions and Defense Strategies

A recent surge in cyberattacks involving the Coyote Banking Trojan has been detected, particularly targeting financial institutions in Brazil. This advanced malware operates by using malicious Windows LNK (shortcut) files as a gateway to run PowerShell scripts, which initiate a series of infection stages. These stages lead to data theft and system compromise. The attackers employ a range of sophisticated techniques to avoid detection, maintain long-term access, and siphon off sensitive data from compromised systems.

Financial institutions must understand these complex attack mechanisms to formulate strong defense strategies and reduce the risks these threats pose to the banking sector. This involves comprehending how the Coyote Banking Trojan infiltrates systems, spreads its payloads, and exfiltrates data. By doing so, institutions can better brace themselves against these multifaceted threats and enhance their cybersecurity measures.

Addressing these cyber threats will require ongoing vigilance, advanced security protocols, and a thorough understanding of the evolving tactics used by cybercriminals targeting the financial sector.
