Coyote Malware Launches Stealthy Attack on Windows Systems via LNK Files

FortiGuard Labs has raised a significant alarm regarding the Coyote Banking Trojan, a highly sophisticated malware that primarily targets users of Microsoft Windows. Over the past month, researchers have uncovered a series of malicious LNK files that leverage PowerShell commands to execute scripts and establish connections to remote servers, thereby initiating a complex multi-stage attack.

The Coyote Trojan’s primary aim is to extract sensitive information from more than 70 financial applications and a multitude of websites, with a notable impact on users in Brazil. The attack is initiated by an LNK file that runs a PowerShell command to connect to a remote server. This command sets off a chain reaction, leading to the download and execution of further malicious scripts. By delving into the metadata embedded within these LNK files, such as the “Machine ID” and MAC addresses, researchers have successfully traced connections to other harmful files linked to the Coyote Trojan.
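The pivot described above relies on the TrackerDataBlock that Windows writes into LNK files: it holds the NetBIOS machine name and a version-1 UUID whose node field is the creating host's MAC address. The following is an added example, not code from FortiGuard's report, that pulls those fields from a .lnk file so samples can be clustered; the sample bytes are constructed for the demonstration and are not a real Coyote artifact.

```python
import struct
import uuid
from datetime import datetime, timedelta

# TrackerDataBlock header: BlockSize 0x60, BlockSignature 0xA0000003 (MS-SHLLINK 2.5.10).
TRACKER_SIG = struct.pack("<II", 0x60, 0xA0000003)
UUID_EPOCH = datetime(1582, 10, 15)  # UUID v1 timestamps count 100 ns ticks from here


def _mac(node: int) -> str:
    return ":".join(f"{node:012x}"[i:i + 2] for i in range(0, 12, 2))


def extract_lnk_tracker(data: bytes):
    """Return the TrackerDataBlock fields of a .lnk file, or None if the block is absent."""
    off = data.find(TRACKER_SIG)
    if off < 0 or len(data) < off + 0x60:
        return None
    machine_id = data[off + 16:off + 32].split(b"\0", 1)[0].decode("ascii", "replace")
    # Droid = (volume GUID, file object GUID); DroidBirth = the same pair at creation time.
    # The file object GUID is a version-1 UUID, so it embeds a timestamp and a node (MAC).
    file_id = uuid.UUID(bytes_le=data[off + 48:off + 64])
    birth_file_id = uuid.UUID(bytes_le=data[off + 80:off + 96])
    result = {"machine_id": machine_id, "file_id": str(file_id), "birth_file_id": str(birth_file_id)}
    if file_id.version == 1:
        result["mac"] = _mac(file_id.node)
        # Multicast bit set in the node means it was randomly generated, not a real NIC.
        result["mac_is_random"] = bool((file_id.node >> 40) & 1)
        result["created"] = (UUID_EPOCH + timedelta(microseconds=file_id.time // 10)).isoformat()
    return result


# Constructed sample: not a real LNK, just a stub prefix followed by a valid TrackerDataBlock.
_VOL = uuid.UUID("aabbccdd-1111-2222-3333-444455556666")
_OBJ = uuid.UUID("12345678-1234-11ef-8abc-001122334455")  # v1 UUID, node = 00:11:22:33:44:55
SAMPLE_LNK = (
    b"L\x00\x00\x00" + b"\x00" * 12
    + struct.pack("<IIII", 0x60, 0xA0000003, 0x58, 0)
    + b"desktop-abc123".ljust(16, b"\0")
    + _VOL.bytes_le + _OBJ.bytes_le + _VOL.bytes_le + _OBJ.bytes_le
    + b"\x00\x00\x00\x00"  # TerminalBlock
)

if __name__ == "__main__":
    print(extract_lnk_tracker(SAMPLE_LNK))
```

Matching machine_id and mac values across otherwise unrelated LNK samples is what lets analysts attribute them to one build environment; a MAC flagged as random carries no such link.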

Malware Mechanisms

The attack unfolds through a series of stages, employing a blend of loaders, shellcode, and modifications to the Windows registry. A DLL file, identified as “bmwiMcDec,” serves as a loader, injecting malicious payloads into targeted processes through Windows API functions such as VirtualAllocEx and WriteProcessMemory. The injected code utilizes Donut, a tool designed for decrypting and executing Microsoft Intermediate Language (MSIL) payloads. Once decrypted, the MSIL payload ensures persistence by altering the Windows registry, replacing existing PowerShell commands with new entries that point to Base64-encoded URLs used to download and execute additional malware components.

Moreover, the Trojan gathers system information, including machine names, usernames, operating systems, and installed antivirus software, transmitting this data to remote servers after encoding it in Base64. The final payload encompasses the main Coyote Banking Trojan, which broadens its target list to over 1,000 websites and 73 financial agents. It actively monitors open windows for access to these targeted sites and communicates with command-and-control (C2) servers via port 443. Depending on directives from the C2 server, the Trojan is capable of executing various actions, such as keylogging, capturing screenshots, displaying phishing overlays, or manipulating user-visible windows.

Implications for Financial Cybersecurity

The emergence of the Coyote Banking Trojan poses a substantial threat to financial cybersecurity, given its advanced techniques and adaptability in targeting. Its ability to monitor user activity and pilfer sensitive credentials underscores the critical need for robust security measures among both individuals and organizations. Fortinet’s security solutions offer a line of defense against this malware, with the FortiGuard Antivirus service effectively detecting and blocking related threats under signatures like “LNK/Agent.D!tr.” Additionally, Fortinet’s Web Filtering Service prevents access to known C2 servers associated with the attack.

Users are strongly encouraged to maintain updated security systems and participate in cybersecurity training to better recognize potential threats. This incident highlights the ever-evolving landscape of cyberattacks aimed at financial institutions and emphasizes the urgent necessity for proactive defenses against intricate multi-stage malware campaigns.

