Security researchers are warning of a newly identified malware variant that makes use of Microsoft technology to steal bank customer data.
The cybersecurity firm Akamai Technologies says that it has confirmed the first case of a new variant of the Coyote banking trojan maliciously using Microsoft’s UI Automation (UIA) framework “in the wild.”
Says Akamai security researcher Tomer Peled,
“Coyote now leverages UIA as part of its operation. Like any other banking trojan, Coyote is hunting banking information, but what sets Coyote apart is the way it obtains this information, which involves the (ab)use of UIA.”
Peled says that the new variant is targeting Brazilian users by using UIA to “extract credentials linked to 75 banking institutes’ web addresses and cryptocurrency exchanges.”
“Coyote can perform checks, regardless of whether the malware is online or operating in an offline mode. This increases the chances of successfully identifying a victim’s bank or crypto exchange and stealing their credentials.
UIA provides several things for an attacker, including a simple solution for malware developers to parse sub-elements of another application.”
The Coyote malware family was first discovered in February 2024, when it was mostly targeting Latin America.
“Coyote is a trojan malware that employs various malicious techniques, such as keylogging and phishing overlays, to steal banking information.
It uses the Squirrel installer to propagate (hence the name ‘Coyote,’ which pays homage to the coyotes’ nature to hunt squirrels). In one of its most well-known campaigns, Coyote targeted Brazilian companies in an attempt to deploy an information-stealing Remote Access Trojan within their systems.”