How Are Cyberattacks Using LNK Files to Target Brazilian Banks?

A new wave of cyberattacks leveraging the Coyote Banking Trojan has been identified, targeting financial institutions in Brazil. This sophisticated malware employs malicious Windows LNK (shortcut) files as an entry point to execute PowerShell scripts, enabling multi-stage infection chains that ultimately result in data theft and system compromise. The attackers utilize a series of complex techniques to evade detection, establish persistence, and exfiltrate sensitive information from affected systems. Understanding the intricacies of these attacks is crucial for developing effective defense strategies and mitigating the risks posed by such threats to the banking sector.

LNK File Exploitation

The attack begins with a malicious LNK file that initiates a stealthy PowerShell command. This command connects to a remote server to download additional payloads. Fortinet researchers noted that the initial PowerShell script used in these attacks initiates the download of encoded shellcode, which is then decoded and executed to load the next stage of the attack. The LNK file is crafted to include malicious arguments in its “Target” field, which upon execution, triggers the embedded PowerShell script.

An example of the target path used in these attacks is: cmd.exe /c powershell.exe -ExecutionPolicy Bypass -File malicious.ps1. The downloaded script decodes two embedded data segments and injects them into memory using Windows API functions like VirtualAllocEx and WriteProcessMemory. This process is facilitated by a loader DLL, which uses CreateRemoteThread to execute the injected code. This method allows the malware to execute without being detected by traditional security measures that scan for malicious files on the disk.

Payload Delivery and Persistence

To ensure continued operation on infected systems, the Coyote malware employs a series of sophisticated persistence mechanisms. The malware modifies the Windows Registry at: HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun. It creates a new entry with a randomized name pointing to a Base64-encoded PowerShell command designed to execute the payload each time the system starts. This technique ensures that the malware can survive system reboots and remain active over an extended period.

In addition to registry modifications, Coyote establishes secure communication with its command and control (C2) servers using SSL channels. This encrypted communication allows the malware to transmit system information, including machine name, username, and antivirus details, encoded in Base64 and reversed for obfuscation. The malware offers a multitude of capabilities, such as keylogging, screenshot capture, and displaying phishing overlays that mimic banking interfaces. It can also terminate processes, shut down systems, and block user access with deceptive messages like “Working on updates.”

Command and Control (C2) Communication

Coyote’s C2 communication is designed to be both secure and stealthy. The malware uses SSL channels to ensure that the data transmitted between the infected machine and the C2 server is encrypted and less likely to be detected by network security tools. An example URL used by the malware to communicate with C2 servers is: hxxps://yezh[.]geontrigame[.]com/hqizjs/?I=y4CMuADfvJHUgATMgM3dvRmbpdFIOZ2bz9mcjlWT8JXZk5WZmVGRgM3dvRmbpdFfzImcoNEfOIDROUI. The information sent includes system details relevant to the attackers, helping them tailor subsequent stages of the attack to the targeted environment.

To further enhance its stealth and complexity, Coyote employs modern programming tools like Nim and Node.js. These tools are less commonly associated with malware development compared to traditional languages like C or C++, which helps the malware evade detection by signature-based antivirus software. The malware also uses DLL side-loading via legitimate executables to avoid detection. For instance, it leverages the Squirrel installer framework for distribution, disguising itself as a legitimate update package to trick users into executing it.

Targeted Institutions and Defense Strategies

A recent surge in cyberattacks involving the Coyote Banking Trojan has been detected, particularly targeting financial institutions in Brazil. This advanced malware operates by using malicious Windows LNK (shortcut) files as a gateway to run PowerShell scripts, which initiate a series of infection stages. These stages lead to data theft and system compromise. The attackers employ a range of sophisticated techniques to avoid detection, maintain long-term access, and siphon off sensitive data from compromised systems.

Financial institutions must understand these complex attack mechanisms to formulate strong defense strategies and reduce the risks these threats pose to the banking sector. This involves comprehending how the Coyote Banking Trojan infiltrates systems, spreads its payloads, and exfiltrates data. By doing so, institutions can better brace themselves against these multifaceted threats and enhance their cybersecurity measures.

Addressing these cyber threats will require ongoing vigilance, advanced security protocols, and a thorough understanding of the evolving tactics used by cybercriminals targeting the financial sector.

Explore more

Can AI Redefine C-Suite Leadership with Digital Avatars?

I’m thrilled to sit down with Ling-Yi Tsai, a renowned HRTech expert with decades of experience in leveraging technology to drive organizational change. Ling-Yi specializes in HR analytics and the integration of cutting-edge tools across recruitment, onboarding, and talent management. Today, we’re diving into a groundbreaking development in the AI space: the creation of an AI avatar of a CEO,

Cash App Pools Feature – Review

Imagine planning a group vacation with friends, only to face the hassle of tracking who paid for what, chasing down contributions, and dealing with multiple payment apps. This common frustration in managing shared expenses highlights a growing need for seamless, inclusive financial tools in today’s digital landscape. Cash App, a prominent player in the peer-to-peer payment space, has introduced its

Scowtt AI Customer Acquisition – Review

In an era where businesses grapple with the challenge of turning vast amounts of data into actionable revenue, the role of AI in customer acquisition has never been more critical. Imagine a platform that not only deciphers complex first-party data but also transforms it into predictable conversions with minimal human intervention. Scowtt, an AI-native customer acquisition tool, emerges as a

Hightouch Secures Funding to Revolutionize AI Marketing

Imagine a world where every marketing campaign speaks directly to an individual customer, adapting in real time to their preferences, behaviors, and needs, with outcomes so precise that engagement rates soar beyond traditional benchmarks. This is no longer a distant dream but a tangible reality being shaped by advancements in AI-driven marketing technology. Hightouch, a trailblazer in data and AI

How Does Collibra’s Acquisition Boost Data Governance?

In an era where data underpins every strategic decision, enterprises grapple with a staggering reality: nearly 90% of their data remains unstructured, locked away as untapped potential in emails, videos, and documents, often dubbed “dark data.” This vast reservoir holds critical insights that could redefine competitive edges, yet its complexity has long hindered effective governance, making Collibra’s recent acquisition of