Sixty-one banking institutions, all of them originating from Brazil, are the target of a new banking trojan called Coyote.
“This malware utilizes the Squirrel installer for distribution, leveraging Node.js and a relatively new multi-platform programming language called Nim as a loader to complete its infection,” Russian cybersecurity firm Kaspersky said in a Thursday report.
What makes Coyote a different breed from other banking trojans of its kind is the use of the open-source Squirrel framework for installing and updating Windows apps. Another notable departure is the shift from Delphi – which is prevalent among banking malware families targeting Latin America – to uncommon programming languages like Nim.
In the attack chain documented by Kaspersky, a Squirrel installer executable is used as a launchpad for a Node.js application compiled with Electron, which, in turn, runs a Nim-based loader to trigger the execution of the malicious Coyote payload by means of DLL side-loading.
The malicious dynamic-link library, named “libcef.dll,” is side-loaded by means of a legitimate executable named “obs-browser-page.exe,” which is also included in the Node.js project. It’s worth noting that the original libcef.dll is part of the Chromium Embedded Framework (CEF).
Coyote, once executed, “monitors all open applications on the victim’s system and waits for the specific banking application or website to be accessed,” subsequently contacting an actor-controlled server to fetch next-stage directives.
It has the capability to execute a wide range of commands to take screenshots, log keystrokes, terminate processes, display fake overlays, move the mouse cursor to a specific location, and even shut down the machine. It can also outright block the machine with a bogus “Working on updates…” message while executing malicious actions in the background.
“The addition of Nim as a loader adds complexity to the trojan’s design,” Kaspersky said. “This evolution highlights the increasing sophistication within the threat landscape and shows how threat actors are adapting and using the latest languages and tools in their malicious campaigns.”
The development comes as Brazilian law enforcement authorities dismantled the Grandoreiro operation and issued five temporary arrest warrants and 13 search and seizure warrants for the masterminds behind the malware across five Brazilian states.
It also follows the discovery of a new Python-based information stealer that’s related to the Vietnamese architects associated with MrTonyScam and distributed via booby-trapped Microsoft Excel and Word documents.
The stealer “collects browsers’ cookies and login data […] from a wide range of browsers, from familiar browsers such as Chrome and Edge to browsers focused on the local market, like the Cốc Cốc browser,” Fortinet FortiGuard Labs said in a report published this week.