- Banking Trojan Coyote now abuses
- The framework lets it detect when a person opens a banking site
- It can cross-reference data in the browser against a hardcoded list of banking and crypto applications
Coyote, a well-known banking trojan capable of attacking dozens of crypto and banking applications, has been updated to identify crypto exchanges and bank accounts open in the web browser, experts have warned.
Akamai cybersecurity researchers, who have been warning about Coyote since December 2024, pointed out that in previous iterations Coyote would log keystrokes or present phishing overlays to exfiltrate login information for 75 banking and cryptocurrency exchange applications. However, if a user opened these accounts in the browser, Coyote would not be activated.
This new variant, however, abuses Microsoft's UI Automation framework to identify which banking and crypto exchange sites the victim has open in their browser.
Brazilians in the sights
Microsoft's UI Automation (UIA) framework is an accessibility system that helps software interact with Windows applications.
It is especially useful for things such as screen readers and automated tests, since it allows programs to "see" the buttons, menus and other parts of an application, and even click or read them.
According to Akamai, Coyote can now use UIA to read the web address found in the browser tabs or address bars, and then compare the results with a hardcoded list of 75 specific services. If it finds a match, it will use UIA to parse the child elements of the user interface, trying to find the tabs or address bars.
"The content of these user interface elements is cross-referenced with the same list of addresses from the first comparison," they explained.
Akamai says that Coyote mainly targets Brazilian users. The banks usually targeted are Banco do Brasil, CaixaBank, Banco Bradesco, Santander, Original Bank, Sicredi, Banco do Nordeste, expansion applications and various crypto exchanges (Binance, Electrum, Bitcoin, Foxbit and more).
The researchers first warned about UIA being abused for credential theft at the end of last year, and now their predictions seem to have come true, since Coyote is apparently the first to use this tactic in the wild.
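Because UIA is meant for screen readers and test tools, a process outside that set loading the UI Automation client library is a useful hunting signal. The following is an added example (not from Akamai or the original article) that scans constructed Sysmon image-load (Event ID 7) records for such processes; the JSON-lines layout, the allowlist and all sample paths are assumptions for illustration.

```python
import json
from pathlib import PureWindowsPath

# Constructed sample: Sysmon Event ID 7 (ImageLoad) records as JSON lines.
SAMPLE_EVENTS = r'''
{"EventID": 7, "UtcTime": "2025-07-01 12:00:01", "ProcessId": 4120, "Image": "C:\\Windows\\System32\\Narrator.exe", "ImageLoaded": "C:\\Windows\\System32\\UIAutomationCore.dll"}
{"EventID": 7, "UtcTime": "2025-07-01 12:03:44", "ProcessId": 5568, "Image": "C:\\Users\\ana\\AppData\\Roaming\\updater\\svc.exe", "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll"}
{"EventID": 7, "UtcTime": "2025-07-01 12:03:45", "ProcessId": 5568, "Image": "C:\\Users\\ana\\AppData\\Roaming\\updater\\svc.exe", "ImageLoaded": "C:\\Windows\\System32\\UIAutomationCore.dll"}
{"EventID": 7, "UtcTime": "2025-07-01 12:09:10", "ProcessId": 6012, "Image": "C:\\Users\\ana\\AppData\\Roaming\\updater\\svc.exe", "ImageLoaded": "C:\\Windows\\System32\\UIAutomationCore.dll"}
{"EventID": 7, "UtcTime": "2025-07-01 12:15:30", "ProcessId": 7300, "Image": "C:\\Program Files\\TestTool\\runner.exe", "ImageLoaded": "C:\\Windows\\System32\\UIAutomationCore.dll"}
{"EventID": 1, "UtcTime": "2025-07-01 12:16:00", "ProcessId": 7412, "Image": "C:\\Windows\\System32\\cmd.exe"}
'''

UIA_DLL = "uiautomationcore.dll"
# Assumption: each environment baselines its own expected UIA clients
# (screen readers, test runners); this single entry is only a placeholder.
ALLOWED_CLIENTS = {r"c:\windows\system32\narrator.exe"}
# Directories a standard user can write to; binaries here raise severity.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\downloads\\")

def find_unexpected_uia_clients(jsonl, allowed=ALLOWED_CLIENTS):
    """Return one finding per non-allowlisted image that loaded the UIA library."""
    findings = {}
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("EventID") != 7:
            continue  # only image-load events are relevant
        if PureWindowsPath(ev["ImageLoaded"]).name.lower() != UIA_DLL:
            continue
        image = ev["Image"].lower()
        if image in allowed:
            continue
        risky_path = any(m in image for m in USER_WRITABLE_MARKERS)
        f = findings.setdefault(image, {
            "image": ev["Image"], "pids": set(), "first_seen": ev["UtcTime"],
            "severity": "high" if risky_path else "review"})
        f["pids"].add(ev["ProcessId"])
    # High-severity findings first, then alphabetical by image path.
    return sorted(findings.values(),
                  key=lambda f: (f["severity"] != "high", f["image"].lower()))

if __name__ == "__main__":
    for finding in find_unexpected_uia_clients(SAMPLE_EVENTS):
        print(finding["severity"], finding["image"], sorted(finding["pids"]))
```

Expect a noisy first run: the allowlist has to be built from what normally loads the library in your own environment before the "review" tier becomes useful.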
Via BleepingComputer