Windows Banking Trojan, known as Coyote, has become the first known malware strain to harvest sensitive information using a Windows accessibility framework called UI Automation (UIA).
“The new Coyote variant is targeting Brazilian users and uses the UIA to extract web addresses from 75 bank labs and credentials linked to cryptocurrency exchanges.”
First published by Kaspersky in 2024, Coyote is known for targeting Brazilian users. It has the ability to record keystrokes, capture screenshots, and provide overlays on top of login pages related to financial companies.
Part of the Microsoft .NET framework, UIA is a legitimate feature provided by Microsoft that allows screen readers and other assistive technology products to programmatically access user interface (UI) elements on the desktop.
The UIA has pointed out that it could be a potential route for abuse, including data theft, was previously demonstrated as a proof of concept (POC) by Akamai in December 2024, and that Web Infrastructure Company can be used to steal qualifications and execute code.
In a sense, Coyote’s latest modus operandi reflects a variety of Android banking Trojans discovered in the wild, often amassing valuable data using the accessibility services of the operating system.
Akamai’s analysis revealed that the malware calls the GetForeGroundWindow() Windows API to extract the title of the active window and compare it with a hard coding list of web addresses belonging to the target bank and cryptocurrency exchange.
“If no match is found, Coyote uses the UIA to parse the UI child elements of the window to identify the browser tab or address bar,” explained Peredo. “The contents of these UI elements are cross-referenced from the initial comparison with the same list of addresses.”
75 different financial institutions are targeting the latest versions of malware from 73, documented by Fortinet Fortiguard Labs in the beginning of January this year.
“In the absence of UIA, parsing sub-elements from another application is a non-trivial task,” Akamai added. “To be able to effectively read the contents of subelements within another application, developers need to have a very good understanding of the structure of a particular target application.”
“Coyotes can perform checks regardless of whether the malware is online or operating in offline mode. This will ensure that they successfully identify the victim’s bank or crypto exchange and are more likely to steal qualifications.”
Source link
