A new variant of the Coyote banking trojan, one of the most prevalent variants of the Coyote malware family, has been detected targeting customers in Brazil. Kaspersky first disclosed this new malware variant in early 2024. It has quickly gained notoriety for being the first to exploit the Windows accessibility framework known as UI Automation (UIA). By abusing this framework, Coyote is able to harvest sensitive banking information without users realizing they’re in danger.
Coyote’s reach has grown since then. Its hit list now covers at least 75 unique financial institutions, up from the 73 tracked by Fortinet FortiGuard Labs earlier this year. This evolution is a clear reminder that the malware remains an ever-present danger, especially in the Brazilian banking industry.
Understanding Coyote’s Mechanism
Beyond its advanced capabilities, Coyote carries out the primary functions of a banking trojan, most notably stealing the user credentials used for banking transactions. Using UI Automation lets Coyote scrape information from applications that are harder to reach by conventional means.
Akamai security researcher Tomer Peled explains the intricate nature of this process:
“Without UIA, parsing the sub-elements of another application is a nontrivial task.” – Akamai
Coyote can seamlessly connect to, and pull data from, virtually any financial software. This combination renders it an incredibly potent weapon against unsuspecting users.
The Impact on Brazilian Financial Institutions
The new version of Coyote is another step in the evolution of banking malware. By increasing the number of targeted institutions from 73 to 75, Coyote demonstrates a strategy that adapts to the financial landscape. Its focus on Brazilian users makes it a clear, region-specific threat with the potential to affect hundreds of banking transactions.
This targeting reaches individual users on an astonishing scale. It also presents grave dangers to the banking and lending community, jeopardizing institutions’ reputations and operational integrity.
“The new Coyote variant is targeting Brazilian users, and uses UIA to extract credentials linked to 75 banking institutes’ web addresses and cryptocurrency exchanges.” – Tomer Peled
Coyote is currently abusing UI Automation as part of its malicious operations. This raises deeply troubling questions about the security infrastructure that safeguards consumers and banks. The malware's capacity to accurately interpret data from sub-elements inside other applications highlights the importance of improved cybersecurity measures.
The Broader Implications for Cybersecurity
The difficulty of countering this kind of abuse underscores the importance of constant awareness and training in cybersecurity standards.
Peled further emphasizes the complexity involved in counteracting such threats:
“To be able to effectively read the contents of sub-elements within another application, a developer would need to have a very good understanding of how the specific target application is structured.” – Akamai
This knowledge gap may leave many vulnerable to attacks, underscoring the importance of ongoing vigilance and education in cybersecurity practices.