This stealthy alteration lets the threat actors harvest credentials and one-time passwords, bypass the security protections that depend on them and gain unauthorized access to user accounts.
Cybersecurity analysts at Kaspersky recently discovered the Coyote banking Trojan, which leverages Node.js in its infection chain to attack customers of more than 60 banks.
Coyote Malware Leverages Node.js
Banking Trojan developers keep innovating in how they distribute their malware. The recently discovered "Coyote" Trojan targets customers of more than 60 Brazilian banks with an unusual infection chain.
It is delivered through the Squirrel installer, runs a Node.js stage and hands over to a loader written in Nim, an emerging cross-platform language. That combination sets it apart from known banking Trojan infections.
Banking Trojans typically rely on Delphi executables or MSI installers for the initial infection, but Coyote breaks that mold by adopting Squirrel, a newer tool for installing and updating Windows applications.
Squirrel packages an application and its updates as NuGet packages, so the workflow is familiar to anyone who has used a package manager.
The sideloading target is a legitimately signed OBS Studio executable, obs-browser-page.exe, which normally loads libcef.dll, the Chromium Embedded Framework library that OBS Studio bundles for its browser component. A malicious libcef.dll placed beside the executable is loaded in its place and acts as the Nim loader that brings in the banker.
That loader unpacks a .NET executable and runs it in memory in a manner resembling the Donut shellcode loader, while obs-browser-page.exe is re-launched at every logon so the infection survives reboots.
Coyote uses no code obfuscation, only string obfuscation: each string is stored AES-encrypted and decrypted at runtime with a custom initialization vector. Persistence is achieved through a Windows logon script that points back to the sideloading executable.
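The two host-side techniques just described, sideloading of libcef.dll by obs-browser-page.exe and logon-script persistence, are both visible in endpoint telemetry. The following detection logic is an added example written for this article, not Kaspersky's or any vendor's code. It runs over constructed, Sysmon-like events (image load and registry set events); the field names, the sample paths, the trusted OBS install directory and the assumption that the logon script lives in the classic `UserInitMprLogonScript` value under the user's `Environment` key are all assumptions, not facts taken from the report.

```python
"""Added example: flag libcef.dll sideloading and logon-script persistence.

Events are constructed, Sysmon-like dictionaries (not real telemetry):
  event_id 7  = image load  (fields: image, image_loaded, dll_signed)
  event_id 13 = registry set (fields: image, target_object, details)
"""
import ntpath

# Assumption: where a legitimate OBS Studio install keeps obs-browser-page.exe
# and its own libcef.dll. Any other directory is treated as untrusted.
TRUSTED_DIRS = (r"c:\program files\obs-studio\bin\64bit",)

# Assumption: the logon-script persistence value is the classic
# HKCU\Environment\UserInitMprLogonScript location.
LOGON_SCRIPT_VALUE = "userinitmprlogonscript"


def check_image_load(ev):
    """Return an alert when obs-browser-page.exe loads a libcef.dll that is
    either unsigned or not in a trusted OBS directory, else None."""
    proc = ntpath.basename(ev["image"]).lower()
    dll_path = ev["image_loaded"]
    if proc != "obs-browser-page.exe" or ntpath.basename(dll_path).lower() != "libcef.dll":
        return None
    dll_dir = ntpath.dirname(dll_path).lower()
    reasons = []
    if dll_dir not in TRUSTED_DIRS:
        reasons.append(f"libcef.dll loaded from untrusted directory {dll_dir}")
    if not ev.get("dll_signed", False):
        reasons.append("libcef.dll is unsigned")
    if reasons:
        return {"technique": "dll_sideload", "image": ev["image"], "reasons": reasons}
    return None


def check_registry(ev):
    """Return an alert when a process writes the logon-script value, else None."""
    target = ev["target_object"].lower()
    if target.endswith("\\" + LOGON_SCRIPT_VALUE):
        return {"technique": "logon_script_persistence", "process": ev["image"],
                "value": ev["target_object"], "data": ev.get("details", "")}
    return None


def scan(events):
    """Apply the two checks to a stream of events and collect the alerts."""
    alerts = []
    for ev in events:
        if ev["event_id"] == 7:
            alert = check_image_load(ev)
        elif ev["event_id"] == 13:
            alert = check_registry(ev)
        else:
            alert = None
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # Benign: OBS loading its own signed libcef.dll from its install directory.
    {"event_id": 7, "image": r"C:\Program Files\obs-studio\bin\64bit\obs-browser-page.exe",
     "image_loaded": r"C:\Program Files\obs-studio\bin\64bit\libcef.dll", "dll_signed": True},
    # Suspicious: the signed OBS binary copied under AppData, loading an unsigned
    # libcef.dll that sits beside it (the sideloading pattern described above).
    {"event_id": 7, "image": r"C:\Users\alice\AppData\Local\squirrel-app\obs-browser-page.exe",
     "image_loaded": r"C:\Users\alice\AppData\Local\squirrel-app\libcef.dll", "dll_signed": False},
    # Suspicious: the same process writing a logon script pointing back at itself.
    {"event_id": 13, "image": r"C:\Users\alice\AppData\Local\squirrel-app\obs-browser-page.exe",
     "target_object": r"HKU\S-1-5-21-1\Environment\UserInitMprLogonScript",
     "details": r"C:\Users\alice\AppData\Local\squirrel-app\obs-browser-page.exe"},
    # Benign: an unrelated value under the same Environment key.
    {"event_id": 13, "image": r"C:\Windows\explorer.exe",
     "target_object": r"HKU\S-1-5-21-1\Environment\TEMP", "details": r"C:\Users\alice\Temp"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

Run against the sample events, `scan` returns two alerts: the sideload from AppData (unsigned DLL in an untrusted directory) and the logon-script write, while the legitimate OBS load and the unrelated registry value pass. In a real deployment the trusted-directory list would be derived from the actual OBS install path and the signature check from Sysmon's `Signed`/`SignatureStatus` fields.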
Coyote watches for a targeted banking application to start. When one does, it contacts its command-and-control (C2) server and, depending on the commands it receives, logs keystrokes and captures screenshots.
C2 traffic runs over SSL/TLS with mutual authentication: the Trojan first decrypts a certificate that the attacker's server provides in encrypted form, and only after verification succeeds does it send the collected information to the server.
The information transmitted to the server includes:
- Machine name
- Randomly generated GUID
- Banking applications being used
Coyote represents a shift in Brazilian banking Trojans by employing modern technologies like Node.js, .NET, and Nim, which diverge from older languages like Delphi.
This evolution underscores the growing sophistication in the threat landscape, with up to 90% of infections originating from Brazil, demonstrating threat actors’ adaptation to the latest languages and tools.
Host-based (MD5 hash):
- 03eacccb664d517772a33255dff96020
C2 domain list: