Coyote Banking Trojan Targets Dozens of Apps

Researchers have identified a new banking Trojan named "Coyote" designed to target credentials for 61 online banking applications. Analysis reveals that Coyote, primarily affecting the banking sector in Brazil, stands out for its wide-ranging targeting and the intricate integration of various basic and advanced components.

Notably, it employs a new open source installer called Squirrel, together with Node.js and the programming language "Nim," and it carries over a dozen malicious functionalities. This Trojan marks a significant evolution in Brazil's financial malware landscape, posing potential challenges for security teams if it expands its scope.

Coyote Could Evolve Similar to Emotet

While currently focused on Brazil, there are concerns that Coyote could broaden its impact. Previous instances with other malware families, such as Emotet and Trickbot, highlight the tendency of banking Trojans to evolve into comprehensive initial access Trojans and backdoors.

Coyote exhibits typical banking Trojan behavior by connecting to an attacker-controlled command-and-control server when triggered on an infected device. It then displays a phishing overlay on the victim's screen to capture login information when a compatible app is activated.

What sets Coyote apart is its effort to avoid detection, using the open source tool Squirrel to disguise its initial stage loader and employing the relatively uncommon programming language "Nim" for its final stage loader.

This unique approach poses challenges for cybersecurity defenders, as Coyote diverges from the common use of Windows Installers by other banking Trojans. Security teams are urged to remain vigilant, considering the historical trend of such threats expanding beyond their initial targets.

February 9, 2024