New Coyote Trojan Targets 61 Brazilian Banks with Nim-Powered Assault

Feb 09, 2024NewsroomEndpoint Safety / Cryptocurrency

Sixty-one banking establishments, all of them originating from Brazil, are the goal of a brand new banking trojan known as Coyote.

“This malware utilizes the Squirrel installer for distribution, leveraging Node.js and a relatively new multi-platform programming language called Nim as a loader to complete its infection,” Russian cybersecurity agency Kaspersky said in a Thursday report.

What makes Coyote a unique breed from other banking trojans of its variety is the usage of the open-source Squirrel framework for putting in and updating Home windows apps. One other notable departure is the shift from Delphi – which is prevalent amongst banking malware households concentrating on Latin America – to unusual programming languages like Nim.


Within the assault chain documented by Kaspersky, a Squirrel installer executable is used as a launchpad for a Node.js utility compiled with Electron, which, in flip, runs a Nim-based loader to set off the execution of the malicious Coyote payload by way of DLL side-loading.

The malicious dynamic-link library, named “libcef.dll,” is side-loaded by way of a respectable executable named “obs-browser-page.exe,” which can also be included within the Node.js challenge. It is value noting that the unique libcef.dll is a part of the Chromium Embedded Framework (CEF).

Coyote, as soon as executed, “monitors all open applications on the victim’s system and waits for the specific banking application or website to be accessed,” subsequently contacting an actor-controlled server to fetch next-stage directives.

Coyote Banking Trojan

It has the potential to execute a variety of instructions to take screenshots, log keystrokes, terminate processes, show pretend overlays, transfer the mouse cursor to a selected location, and even shut down the machine. It could additionally outright block the machine with a bogus “Working on updates…” message whereas executing malicious actions within the background.

“The addition of Nim as a loader adds complexity to the trojan’s design,” Kaspersky stated. “This evolution highlights the increasing sophistication within the threat landscape and shows how threat actors are adapting and using the latest languages and tools in their malicious campaigns.”


The event comes as Brazilian regulation enforcement authorities dismantled the Grandoreiro operation and issued 5 non permanent arrest warrants and 13 search and seizure warrants for the masterminds behind the malware throughout 5 Brazilian states.

It additionally follows the invention of a brand new Python-based info stealer that is associated to the Vietnamese architects related to MrTonyScam and distributed through booby-trapped Microsoft Excel and Phrase paperwork.

The stealer “collects browsers’ cookies and login data […] from a wide range of browsers, from familiar browsers such as Chrome and Edge to browsers focused on the local market, like the Cốc Cốc browser,” Fortinet FortiGuard Labs said in a report printed this week.

Discovered this text attention-grabbing? Observe us on Twitter and LinkedIn to learn extra unique content material we submit.

Author: (The Hacker Information)
Date: 2024-02-09 05:28:00

Source link



Related articles

Alina A, Toronto
Alina A, Toronto
Alina A, an UofT graduate & Google Certified Cyber Security analyst, currently based in Toronto, Canada. She is passionate for Research and to write about Cyber-security related issues, trends and concerns in an emerging digital world.


Please enter your comment!
Please enter your name here