Brazil’s Windows users are the target of a campaign that provides banks, known as Coyote.
“Once it is deployed, the Koyote Banking Trojan horses can run various malicious activities, including key logs, screenshots captures, and phishing overlays.
Cyber Security has found some Windows shortcuts (LNK) file artifacts, including the PowerShell commands in charge of distribution of malware for the past month.
Coyote was first recorded by Kaspersky in early 2024 and detailed attacks targeting users in Southern America. You can harvest sensitive information from more than 70 financial applications.
Previous attack chains, which were documented by Russian cyber security companies, triggers a resinstaller executable file and triggers an electronic and compiled nodes. 。
On the other hand, the latest infection sequence starts with an LNK file that runs the PowerShell command and gets the following steps from the remote server (“tbet.geontrigame)[.]Com “) Another PowerShell script that launches a loader in charge of execution of the provisional payload.
“The injected code will leverage the donut, a tool designed to decrypt and execute the final Msil (Microsoft International Language) payload,” Lin said. The decrypted MSIL execution file is first established by changing the registry in “HCKU \ Software \ Microsoft \ Windows \ CurrentVersion \ Run”. “
“If found, delete the existing entry and create a new entry with randomly generated names. This new registry entry refers to downloading and executing the Base64 encoding URL. Included.
When the malware is launched, the list of the basic system information and the list of virus measures installed on the host, then the data is Base64 encoded and excluded to the remote server. Also, perform various checks to avoid detection by sandboxes and virtual environments.
Notable changes in coyote’s latest itelation include 73 financial agents, including 1,030 sites and 73 financial agents such as MercadoBitCoin.com.Br, BitCointrade.com.BR, Foxbit.com.BR, and Augustostel.com.BR. It is to extend it like. , BlumenhotelBoutique.com.b, and Fallshotel.com.B.
If the victim tries to access one of the sites in the list, the malware will contact the attacker control server and determine the next action course from screenshot capture to overlay. Other functions include key logger activation and display settings.
“The coyote infection process is complicated and multi -stage,” Lin said. “This attack has leveraged LNK files for initial access, and has led to the discovery of other malicious files. This Trojan horses can be expanded beyond the initial target. It has a great threat to financial cyber security.
Source link
