In banking attacks, threat actors have started using NodeJS to steal the online banking credentials of targeted users, pairing it with JavaScript web injections that alter the login page of a bank's website.
This stealthy alteration lets the threat actors harvest credentials and one-time passwords, bypass the site's security protections and gain unauthorized access to user accounts.
Cybersecurity analysts at Kaspersky recently discovered Coyote, a banking Trojan that leverages NodeJS to attack the users of more than 60 banks.
Coyote Malware Leverages NodeJS
Banking Trojan developers keep innovating in how they distribute malware. The recently discovered "Coyote" malware targets over 60 Brazilian banks with an unusual infection chain.
It is delivered through the Squirrel installer, runs its first stage as a NodeJS application, and uses a loader written in Nim, an emerging cross-platform language, which sets it apart from known banking Trojan infections.
Banking Trojans usually rely on Delphi or MSI installers for initial infection, but Coyote breaks the mold by adopting Squirrel, a newer tool for installing and updating Windows desktop applications.
Squirrel packages installations and updates as NuGet packages, so its workflow is familiar to anyone who has used package management.
Coyote hides its loader by abusing Squirrel as an update packager. Squirrel launches a NodeJS application compiled with Electron, which runs obfuscated JavaScript that copies the malicious executables into a folder under the user's profile.
Among them is a legitimately signed OBS Studio executable (obs-browser-page.exe, built on the Chromium Embedded Framework), which loads the banker through DLL sideloading: the malicious payload is a libcef.dll placed beside the signed binary, so it is loaded in place of the real library.
The Nim loader then unpacks a .NET executable and runs it in memory, in a manner that resembles Donut's operation.
Coyote does not obfuscate its code, but it does encrypt its strings with AES and decrypts each one at runtime using a custom IV. Persistence across reboots is achieved through Windows logon scripts that relaunch obs-browser-page.exe at logon.
When a targeted banking application is opened, Coyote contacts its C2 server and, depending on the response it receives, logs keystrokes and takes screenshots.
The Trojan establishes an SSL channel with mutual authentication, using a certificate it decrypts from an encrypted blob obtained from the attacker's server. After verification, it sends the collected information to the server.
The information transmitted is:
- Machine name
- Randomly generated GUID
- Banking applications being used
Coyote represents a shift in Brazilian banking Trojans by employing modern technologies like Node.js, .NET, and Nim, which diverge from older languages like Delphi.
This evolution underscores the growing sophistication in the threat landscape, with up to 90% of infections originating from Brazil, demonstrating threat actors’ adaptation to the latest languages and tools.
IoCs
Host-based (MD5 hash):
- 03eacccb664d517772a33255dff96020
- 071b6efd6d3ace1ad23ee0d6d3eead76
- 276f14d432601003b6bf0caa8cd82fec
- 5134e6925ff1397fdda0f3b48afec87b
- bf9c9cc94056bcdae6e579e724e8dbbd
C2 domain list:
- atendesolucao[.]com
- servicoasso[.]com
- dowfinanceiro[.]com
- centralsolucao[.]com
- traktinves[.]com
- diadaacaodegraca[.]com
- segurancasys[.]com
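The following Python script is an added example, not code from the original article or from Kaspersky. It turns the IoCs above and the logon-script persistence described earlier into a small host-and-network triage: it refangs the defanged C2 domains and matches them (and their subdomains) against DNS query logs, checks a hash inventory against the published MD5s, and scans a `.reg` export for `UserInitMprLogonScript` under `HKCU\Environment`, the standard registry value behind Windows logon-script persistence (MITRE ATT&CK T1037.001; the article itself names only "logon scripts", so the exact key is an assumption here). The DNS log format, the hash inventory and the registry export are constructed sample data; in particular, which published MD5 belongs to libcef.dll is not stated on the page and is only assumed for the sample.

```python
import re
from typing import Dict, Iterable, List, Tuple

# Host-based IoCs (MD5) as published above.
COYOTE_MD5 = {
    "03eacccb664d517772a33255dff96020",
    "071b6efd6d3ace1ad23ee0d6d3eead76",
    "276f14d432601003b6bf0caa8cd82fec",
    "5134e6925ff1397fdda0f3b48afec87b",
    "bf9c9cc94056bcdae6e579e724e8dbbd",
}

# C2 domains as published above, kept defanged until they are matched.
COYOTE_C2_DEFANGED = {
    "atendesolucao[.]com", "servicoasso[.]com", "dowfinanceiro[.]com",
    "centralsolucao[.]com", "traktinves[.]com", "diadaacaodegraca[.]com",
    "segurancasys[.]com",
}


def refang(domain: str) -> str:
    """Turn a defanged indicator ('example[.]com') back into a matchable hostname."""
    return domain.replace("[.]", ".").lower()


COYOTE_C2 = {refang(d) for d in COYOTE_C2_DEFANGED}


def c2_hits(dns_log_lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (client, queried name) for every query that hits a Coyote C2 domain.

    Assumed (constructed) log format: '<timestamp> <client-ip> <qtype> <qname>'.
    A hit is the domain itself or any subdomain of it; 'notservicoasso.com'
    must not match, so a plain endswith() on the bare domain is not enough.
    """
    hits = []
    for line in dns_log_lines:
        parts = line.split()
        if len(parts) < 4:
            continue
        client, qname = parts[1], parts[3].lower().rstrip(".")
        for c2 in COYOTE_C2:
            if qname == c2 or qname.endswith("." + c2):
                hits.append((client, qname))
                break
    return hits


def hash_hits(inventory: Dict[str, str]) -> List[str]:
    """Given {path: md5hex} from a host hash sweep, return paths whose MD5 is a Coyote IoC."""
    return [path for path, md5 in inventory.items() if md5.lower() in COYOTE_MD5]


_REG_KEY = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
_REG_VAL = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"\s*$')


def logon_script_persistence(reg_export_lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Scan a .reg export for UserInitMprLogonScript values (logon-script persistence).

    Returns (registry key, script path). Any value at all under HKCU\\Environment
    deserves a look; one pointing into a user-writable folder (as Coyote's does)
    is a strong signal. .reg exports double backslashes, so they are collapsed.
    """
    found = []
    current_key = None
    for raw in reg_export_lines:
        line = raw.strip()
        key_match = _REG_KEY.match(line)
        if key_match:
            current_key = key_match.group("key")
            continue
        val_match = _REG_VAL.match(line)
        if val_match and current_key and val_match.group("name").lower() == "userinitmprlogonscript":
            found.append((current_key, val_match.group("data").replace("\\\\", "\\")))
    return found


# --- constructed sample inputs (not real telemetry) ---
DNS_LOG = [
    "2024-02-08T10:15:32Z 10.0.0.12 A www.example-bank.com.br",
    "2024-02-08T10:15:33Z 10.0.0.12 A atendesolucao.com",
    "2024-02-08T10:15:40Z 10.0.0.45 A api.servicoasso.com",
    "2024-02-08T10:16:01Z 10.0.0.45 A notservicoasso.com",  # lookalike, must not match
]
HASH_INVENTORY = {
    # Assumed pairing of a published MD5 with the sideloaded libcef.dll; not from the page.
    r"C:\Users\alice\AppData\Local\Squirrel\libcef.dll": "bf9c9cc94056bcdae6e579e724e8dbbd",
    r"C:\Windows\System32\kernel32.dll": "0123456789abcdef0123456789abcdef",  # placeholder hash
}
REG_EXPORT = [
    "Windows Registry Editor Version 5.00",
    "",
    "[HKEY_CURRENT_USER\\Environment]",
    '"Path"="C:\\\\Users\\\\alice\\\\bin"',
    '"UserInitMprLogonScript"="C:\\\\Users\\\\alice\\\\AppData\\\\Local\\\\Squirrel\\\\obs-browser-page.exe"',
]

if __name__ == "__main__":
    print("C2 hits:", c2_hits(DNS_LOG))
    print("Hash hits:", hash_hits(HASH_INVENTORY))
    print("Logon-script persistence:", logon_script_persistence(REG_EXPORT))
```

On a real host the `.reg` input would come from `reg export HKCU\Environment env.reg` and the hash inventory from whatever sweep tool is in use; the domain matcher is deliberately suffix-aware so that a lookalike such as `notservicoasso.com` does not produce a false positive while `api.servicoasso.com` still does.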