Coyote Malware Abuses Microsoft’s UI Automation in Wild to Exfiltrate Login Credentials

A groundbreaking cybersecurity threat has emerged as researchers document the first confirmed case of malware exploiting Microsoft’s User Interface Automation (UIA) framework in active attacks.

The Coyote banking trojan, initially discovered in February 2024, has evolved to incorporate this sophisticated technique, marking a significant escalation in malware capabilities and attack methodologies.

The malware specifically targets Brazilian users and financial institutions, leveraging UIA to extract credentials for 75 different banking institutions and cryptocurrency exchanges.

This represents a notable advancement from theoretical proof-of-concept demonstrations to real-world exploitation, validating long-standing concerns about the potential misuse of Microsoft’s accessibility framework.

Coyote operates as a traditional banking trojan but distinguishes itself through its innovative approach to credential harvesting.

The malware employs conventional techniques including keylogging and phishing overlays while utilizing the Squirrel installer for propagation, earning its name from the predator-prey relationship between coyotes and squirrels.

Akamai researchers identified this variant as particularly dangerous due to its ability to operate both online and offline, significantly increasing its effectiveness in identifying and targeting victims’ financial services.

The malware’s infection mechanism demonstrates sophisticated technical execution.

Infection Mechanism – Leveraging Microsoft UI Automation

Initially, Coyote invokes the GetForegroundWindow() Windows API to obtain a handle to the currently active window, then compares the window title against a hardcoded list of targeted banking and cryptocurrency exchange web addresses.

Figure: UIA creation (Source – Akamai)

When no direct match occurs, the malware transitions to its UIA exploitation phase. During UIA abuse, Coyote creates a UIAutomation COM object using the foreground window as its top element.

Figure: UIA iterates through sub-elements (Source – Akamai)

The malware systematically iterates through each sub-element of the foreground application to locate browser tabs or address bars containing relevant financial service URLs.

This process enables Coyote to parse UI child elements across different applications without requiring detailed knowledge of specific application structures.

The malware then cross-references the discovered web addresses with its predefined target list, which categorizes institutions by type, including major Brazilian banks such as Banco do Brasil, CaixaBank, and Banco Bradesco, alongside various cryptocurrency platforms.

This UIA implementation gives attackers a universal means of reaching sub-elements across multiple applications. It represents a concerning evolution in malware sophistication, one that security professionals must address through enhanced monitoring of UIAutomationCore.dll usage and UIA-related named pipes.
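The monitoring suggested above can be turned into a simple correlation rule. The following Python is an added example written for this article, not code from Akamai or from the Coyote analysis: it scans constructed Sysmon-style events (ID 7 image load, ID 17 pipe created) and flags processes that load UIAutomationCore.dll while not being a known UIA client or while running from a user-writable path, then notes any UIA-looking pipe they create afterwards. The expected-client list and the pipe-name pattern are assumptions to tune against your own baseline.

```python
import re
from collections import defaultdict

# Assumed baseline of processes expected to load UIAutomationCore.dll; tune per environment.
EXPECTED_UIA_CLIENTS = {"narrator.exe", "explorer.exe", "msedge.exe", "chrome.exe"}
# User-writable locations from which a UIA client is unusual.
SUSPICIOUS_PATH = re.compile(r"\\(AppData|Temp|ProgramData|Downloads)\\", re.IGNORECASE)
# Assumed pipe-name pattern for UIA traffic; replace with the names observed in your telemetry.
UIA_PIPE = re.compile(r"\\UIA_PIPE_", re.IGNORECASE)

# Constructed sample telemetry: one legitimate browser, one loader dropped into %TEMP%.
SAMPLE_EVENTS = [
    {"event_id": 7, "pid": 4120, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "loaded": r"C:\Windows\System32\UIAutomationCore.dll"},
    {"event_id": 17, "pid": 4120, "pipe": r"\UIA_PIPE_0c3f"},
    {"event_id": 7, "pid": 7788, "image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "loaded": r"C:\Windows\System32\UIAutomationCore.dll"},
    {"event_id": 17, "pid": 7788, "pipe": r"\UIA_PIPE_1a2b"},
]


def image_name(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def score_events(events):
    """Return {pid: [reasons]} for processes whose UIA activity looks anomalous."""
    findings = defaultdict(list)
    uia_loaders = set()
    for ev in events:  # pass 1: who pulled in the UIA client library, and does that fit the baseline?
        if ev["event_id"] == 7 and image_name(ev["loaded"]) == "uiautomationcore.dll":
            uia_loaders.add(ev["pid"])
            name = image_name(ev["image"])
            if name not in EXPECTED_UIA_CLIENTS:
                findings[ev["pid"]].append(f"unexpected UIA client {name}")
            if SUSPICIOUS_PATH.search(ev["image"]):
                findings[ev["pid"]].append("UIA client runs from user-writable path")
    for ev in events:  # pass 2: enrich anomalous loaders with the UIA pipes they open afterwards
        if ev["event_id"] == 17 and ev["pid"] in uia_loaders and UIA_PIPE.search(ev["pipe"]):
            if ev["pid"] in findings:
                findings[ev["pid"]].append(f"opened UIA pipe {ev['pipe']} after anomalous load")
    return dict(findings)


if __name__ == "__main__":
    for pid, reasons in score_events(SAMPLE_EVENTS).items():
        print(pid, "->", "; ".join(reasons))
```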
