
Coyote Banking Trojan: a Threat to Banking Institutions

Over the past month, cybersecurity experts at FortiGuard Labs have identified a series of malicious Windows Shortcut (LNK) files containing PowerShell commands. These files serve as the initial stage of a sophisticated cyberattack aimed at delivering the Coyote Banking Trojan, a malware strain that primarily targets users in Brazil. Designed to steal sensitive financial information, Coyote poses a serious danger to online banking security and shows that this type of threat continues to evolve.


How Does Coyote Banking Trojan Work?

Coyote operates through a multi-stage infection process. Initially, an unsuspecting user executes an LNK file, which runs a PowerShell command that connects to a remote server. This command retrieves another PowerShell script, which in turn downloads and executes a loader responsible for deploying the main malware payload.
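For triage of the first stage described above, the following added example (not code from FortiGuard Labs or from this article) reads the command-line fields out of a shortcut file and reports when it starts a shell interpreter or carries a URL in its arguments. The field layout follows Microsoft's published Shell Link (MS-SHLLINK) format; the function names, the `SHELLS` list and the sample shortcut built by `build_sample` are assumptions constructed for illustration.

```python
import struct

# Shell Link (.lnk) constants; StringData fields appear in this order, each
# present only when its LinkFlags bit is set.
HEADER_SIZE = 0x4C
HAS_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
STRING_FIELDS = [(0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                 (0x20, "arguments"), (0x40, "icon_location")]
SHELLS = ("powershell", "pwsh", "cmd.exe")  # assumed watch list

def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields; raise ValueError on a bad or truncated file."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]   # LinkFlags follow size + CLSID
    pos, fields = HEADER_SIZE, {}
    width, codec = (2, "utf-16-le") if flags & IS_UNICODE else (1, "cp1252")
    try:
        if flags & HAS_ID_LIST:        # 2-byte size, then the ID list itself
            pos += 2 + struct.unpack_from("<H", data, pos)[0]
        if flags & HAS_LINK_INFO:      # 4-byte size that includes the size field
            pos += struct.unpack_from("<I", data, pos)[0]
        for bit, name in STRING_FIELDS:
            if flags & bit:
                count = struct.unpack_from("<H", data, pos)[0]  # in characters
                end = pos + 2 + count * width
                if end > len(data):
                    raise struct.error("string runs past end of file")
                fields[name] = data[pos + 2:end].decode(codec, errors="replace")
                pos = end
    except struct.error as exc:
        raise ValueError(f"truncated Shell Link: {exc}") from exc
    return fields

def triage(fields: dict) -> list:
    """List the reasons a shortcut deserves a closer look (empty list if none)."""
    args = fields.get("arguments", "").lower()
    target = fields.get("relative_path", "").lower()
    reasons = []
    if any(s in target or s in args for s in SHELLS):
        reasons.append("shell-interpreter")
    if "http://" in args or "https://" in args:
        reasons.append("url-in-arguments")
    return reasons

def build_sample(path: str, args: str) -> bytes:
    """Constructed input: zeroed header, flags 0xA8 (path + arguments, Unicode)."""
    header = struct.pack("<I16sI", HEADER_SIZE, bytes(16), 0xA8).ljust(HEADER_SIZE, b"\0")
    pack = lambda s: struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + pack(path) + pack(args)
```

A real shortcut may store its target only in the ID list or LinkInfo block, which this parser skips, so `url-in-arguments` is worth treating as a signal on its own.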

The injected malicious code utilizes Donut, a well-known tool for decrypting and executing Microsoft Intermediate Language (MSIL) payloads. Once decrypted, the MSIL file modifies the Windows registry to ensure persistence. This means that even if the system is restarted, the malware remains active. The Trojan also downloads a Base64-encoded URL, further executing its core functions.




Once Coyote is successfully deployed, it gathers critical system information and scans for installed antivirus software. The collected data is encoded and transmitted to a remote server controlled by the attackers. Coyote is designed to avoid detection by checking if it is running in a virtual or sandboxed environment, making it more challenging for cybersecurity researchers to analyze its behavior.

Among its many malicious capabilities, Coyote can:

  • Log keystrokes to capture sensitive user credentials.
  • Take screenshots of the victim’s screen.
  • Display phishing overlays on legitimate banking websites to steal login information.
  • Manipulate the system’s display settings to mislead users.

Coyote Banking Trojan Target List

Recent findings indicate that Coyote’s list of targeted entities has grown significantly. Initially focused on 70 financial applications, the malware now targets over 1,000 websites and 73 financial institutions. Some of these include well-known Brazilian financial platforms such as mercadobitcoin.com.br, bitcointrade.com.br, and foxbit.com.br. In addition to financial institutions, Coyote has also been found targeting hospitality-related websites like augustoshotel.com.br, blumenhotelboutique.com.br, and fallshotel.com.br.



When a victim attempts to access any of these targeted sites, the malware communicates with an attacker-controlled server to determine its next course of action. Depending on the instructions received, Coyote may capture screenshots, activate a keylogger, or display deceptive overlays designed to trick users into providing sensitive information.


Coyote’s infection process is both complex and effective, making it a serious threat to online banking security in Brazil. Its ability to expand beyond its initial target list suggests that the malware may continue evolving to target additional financial institutions and regions.

Milena Dimitrova
