Full Report
A new variant of the banking trojan 'Coyote' has begun abusing a Windows accessibility feature, Microsoft's UI Automation framework, to identify which banking and cryptocurrency exchange sites are accessed on the device for potential credential theft. [...]
Analysis Summary
# Tool/Technique: Coyote Malware
## Overview
Coyote is a malware family observed abusing the Windows User Interface Automation (UIA) framework, which is designed for accessibility purposes, to perform data theft, specifically targeting financial and cryptocurrency applications.
## Technical Details
- Type: Malware family
- Platform: Windows
- Capabilities: Reconnaissance against specified applications (banks/exchanges), potential credential theft via UIA hooks.
- First Seen: Information not explicitly provided in the text.
## MITRE ATT&CK Mapping
The core functionality described aligns with gathering information about running processes and applications, and potentially capturing user input.
- T1083 - File and Directory Discovery (Discovery tactic; implicit reconnaissance of targets)
- T1056 - Input Capture
- T1056.001 - Keylogging (If UIA is used to capture keystrokes, though the text focuses on enumeration initially)
- T1552 - Unsecured Credentials
- T1552.001 - Credentials in Files (If data theft involves reading files)
*Note: Since the analysis focuses on abuse of UIA, which can enumerate application fields, the most direct mapping might be related to discovery or harvesting data from specific processes/windows.*
## Functionality
### Core Capabilities
- **Application Reconnaissance:** Specifically targets running processes associated with banking institutions and cryptocurrency exchanges, including: Banco do Brasil, CaixaBank, Banco Bradesco, Santander, Original bank, Sicredi, Banco do Nordeste, Expanse apps, Binance, Electrum, Bitcoin, and Foxbit.
- **Abuse of UIA:** Leverages the Windows Accessibility framework (UIA) to interact with and gather information from these target applications.
### Advanced Features
- **Credential Theft Potential:** Akamai provided a proof-of-concept demonstrating that the UIA abuse mechanism could potentially be extended to steal user-inputted credentials from the targeted sites, even if Coyote's current implementation stops at reconnaissance.
## Indicators of Compromise
- File Hashes: [Not provided in the article]
- File Names: [Not provided in the article]
- Registry Keys: [Not provided in the article]
- Network Indicators: [No specific C2 indicators provided in the article]
- Behavioral Indicators: Use of Windows User Interface Automation (UIA) APIs to enumerate or interact with application windows belonging to financial/crypto targets.
## Associated Threat Actors
- [Not explicitly named in the article, though Akamai analysis suggests active use.]
## Detection Methods
- Signature-based detection: [Not provided in the article]
- Behavioral detection: Monitoring for atypical usage of the Windows UIA framework targeting sensitive application windows (e.g., banking/exchange applications).
- YARA rules: [Not provided in the article]
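The behavioral detection above can be turned into a simple host check. The following PowerShell is an added example written for this page, not code from the article or from Akamai: it lists processes that have the native UI Automation client library mapped and flags those outside a local allow-list, together with their Authenticode signature status. It assumes that `UIAutomationCore.dll` is the module name of the native UIA library (true on supported Windows versions) and that the allow-list of expected UIA consumers is a starting baseline to be tuned per environment.

```powershell
# Added example (not from the article or Akamai): point-in-time check for
# processes that have loaded the UI Automation client library.
# Assumptions: UIAutomationCore.dll is the native UIA module; the allow-list
# below is a constructed baseline and must be tuned for the local estate.

$KnownUiaUsers = @(
    'explorer', 'Narrator', 'ctfmon', 'SearchHost', 'StartMenuExperienceHost',
    'TextInputHost', 'ShellExperienceHost', 'msedge', 'chrome'   # constructed baseline
)

function Get-UiaConsumers {
    <#
      Returns one object per process that has UIAutomationCore.dll mapped,
      with a flag telling whether the process is outside the allow-list
      and the Authenticode status of its image (unsigned + unexpected is
      the combination worth triaging first).
    #>
    Get-Process -ErrorAction SilentlyContinue | ForEach-Object {
        $proc = $_
        $mod = $null
        try {
            # Protected or cross-bitness processes may refuse module enumeration
            $mod = $proc.Modules | Where-Object { $_.ModuleName -ieq 'UIAutomationCore.dll' }
        } catch {
            return   # skip processes we cannot inspect
        }
        if ($mod) {
            $sigStatus = 'Unknown'
            if ($proc.Path) {
                $sigStatus = (Get-AuthenticodeSignature -FilePath $proc.Path).Status
            }
            [PSCustomObject]@{
                Name       = $proc.ProcessName
                Id         = $proc.Id
                Path       = $proc.Path
                Signature  = $sigStatus
                Unexpected = ($KnownUiaUsers -notcontains $proc.ProcessName)
            }
        }
    }
}

# Report only the processes that are not on the baseline, unsigned ones first
Get-UiaConsumers |
    Where-Object Unexpected |
    Sort-Object @{ Expression = { $_.Signature -eq 'Valid' } }, Name |
    Format-Table -AutoSize
```

Run it from an elevated 64-bit PowerShell so that module lists of other users' and 64-bit processes can be read. This is a snapshot, so for continuous coverage the same idea is better expressed as an image-load rule in endpoint telemetry (for example Sysmon Event ID 7 filtered on `UIAutomationCore.dll`), correlated with which target application windows the loading process touches.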
## Mitigation Strategies
- Prevention measures: [Not explicitly provided, but implications suggest controlling UIA access if possible, or application hardening.]
- Hardening recommendations: Ensuring applications are built robustly to resist UIA enumeration if they handle sensitive data.
## Related Tools/Techniques
- Malware abusing Android Accessibility Services (Mentioned as a parallel problem Google has addressed).