Coyote Malware Targets WILS, Abusing Microsoft UI Automation to Exfiltrate Logins
Akamai security researchers have uncovered a new variant of the Coyote banking trojan, the first documented case of attackers abusing Microsoft's UI Automation (UIA) framework in real-world attacks.
Akamai first described this abuse technique as a proof of concept in a December 2024 blog post. UIA, a framework originally built for accessibility features and available in Windows since XP, lets a client enumerate and manipulate user-interface elements across applications, which makes it a quiet way to read and drive other programs' windows.
The new Coyote strain targets Brazilian users and uses UIA to harvest login credentials associated with 75 web addresses belonging to banks and cryptocurrency exchanges.
First Confirmed In-the-Wild Exploitation
Because the malware drives the UI through UIA's Component Object Model (COM) interfaces, traditional endpoint detection and response (EDR) tools do not flag its activity as anomalous: UIA is a legitimate accessibility feature, and many benign programs use it in the same way.
The infection chain uses the Squirrel installer to deliver the malware; the Coyote name is a nod to coyotes preying on squirrels.
Once on a system, Coyote collects the computer name, username and list of running processes and sends them to a command-and-control (C2) server.
It then calls the Win32 GetForegroundWindow() API to obtain the active window and compares the window title against its hardcoded list of targeted financial domains; UIA is not involved at this first stage.
If the title does not match, the malware creates a UIA COM object via CoCreateInstance using the CUIAutomation class ID (ff48dba4-60ef-4201-aa87-54103eef594e) and the IUIAutomation interface ID (30cbe57d-d9d0-452a-ab13-7ac5ac4825ee), which loads UIAutomationCore.dll into its process.
With that object it walks the window's child elements, such as the tabs and address bar of Chrome, Firefox or Edge, and classifies any match into predefined categories, for example Banco do Brasil (type 0), CaixaBank (type 1) and cryptocurrency platforms such as Binance (type 3).

By reading these elements rather than injecting into the browser process, Coyote can quietly harvest login credentials or card details, and it performs this collection in both its online and offline operating modes.
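The two-stage lookup described above, reproduced in Windows PowerShell 5.1 so an analyst can see what the framework exposes on their own desktop. This is an added example, not Coyote's code or Akamai's; the target table, the Win32 wrapper and the function names are constructed for illustration, and running it loads UIAutomationCore.dll into the PowerShell process, which is exactly the artifact the hunting queries later in the article look for.

```powershell
# Added example, not Coyote's code: reproduce the article's two-stage lookup
# (foreground window title first, UIA tree walk second) against the current desktop.
# Requires Windows PowerShell 5.1 (the .NET Framework UIAutomationClient assembly).
Add-Type -AssemblyName UIAutomationClient, UIAutomationTypes
Add-Type -Namespace Win32 -Name User32 -MemberDefinition @'
[DllImport("user32.dll")]
public static extern IntPtr GetForegroundWindow();
[DllImport("user32.dll", CharSet = CharSet.Unicode)]
public static extern int GetWindowText(IntPtr hWnd, System.Text.StringBuilder text, int count);
'@

# Constructed target table (domain -> category number), standing in for the trojan's 75-entry list.
$targets = @{ 'bb.com.br' = 0; 'caixa.gov.br' = 1; 'binance.com' = 3 }

function Get-ForegroundWindowInfo {
    # Stage 1: the same plain Win32 call the malware uses; no UIA involved yet.
    $hwnd = [Win32.User32]::GetForegroundWindow()
    $sb = New-Object System.Text.StringBuilder 512
    [void][Win32.User32]::GetWindowText($hwnd, $sb, $sb.Capacity)
    [pscustomobject]@{ Handle = $hwnd; Title = $sb.ToString() }
}

function Find-TargetInUiTree {
    param([IntPtr]$Hwnd, [hashtable]$Targets)
    # Stage 2: attach UIA to the window (this loads UIAutomationCore.dll into powershell.exe)
    # and walk its descendants, looking only at Edit controls (address bars) and TabItems.
    $ae     = [System.Windows.Automation.AutomationElement]
    $root   = $ae::FromHandle($Hwnd)
    $isEdit = [System.Windows.Automation.PropertyCondition]::new($ae::ControlTypeProperty, [System.Windows.Automation.ControlType]::Edit)
    $isTab  = [System.Windows.Automation.PropertyCondition]::new($ae::ControlTypeProperty, [System.Windows.Automation.ControlType]::TabItem)
    $cond   = [System.Windows.Automation.OrCondition]::new($isEdit, $isTab)
    foreach ($el in $root.FindAll([System.Windows.Automation.TreeScope]::Descendants, $cond)) {
        $text = $el.Current.Name                      # tab title, or the address bar's label
        $vp = $null
        if ($el.TryGetCurrentPattern([System.Windows.Automation.ValuePattern]::Pattern, [ref]$vp)) {
            $text = $vp.Current.Value                 # the URL shown in the address bar
        }
        foreach ($domain in $Targets.Keys) {
            if ($text -like "*$domain*") {
                return [pscustomobject]@{
                    Domain  = $domain
                    Type    = $Targets[$domain]
                    Control = $el.Current.ControlType.ProgrammaticName
                    Text    = $text
                }
            }
        }
    }
    $null
}

$fg  = Get-ForegroundWindowInfo
$hit = $targets.Keys | Where-Object { $fg.Title -like "*$_*" } | Select-Object -First 1
if ($hit) {
    "Title match: $hit (type $($targets[$hit]))"
} else {
    $match = Find-TargetInUiTree -Hwnd $fg.Handle -Targets $targets
    if ($match) { "UIA match: $($match.Domain) (type $($match.Type)) from $($match.Control): $($match.Text)" }
    else        { "No target in foreground window '$($fg.Title)'" }
}
```

Open one of the listed domains in a browser tab that is not the active tab and run the script from a console behind the browser window: the title check fails, the UIA walk still finds the domain in the inactive TabItem or in the address bar's ValuePattern, and Process Explorer or the hunting queries below will show UIAutomationCore.dll mapped into powershell.exe for the rest of the session.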
This UIA abuse takes Coyote beyond conventional keylogging and phishing overlays: it can parse the internal structure of a target application without the detailed knowledge of that application's internals that other techniques require.
The same capability could serve social engineering, for example invoking UI elements to alter a browser's address bar and steer the user to a phishing site, all while avoiding EDR scrutiny because UIA operations look like legitimate accessibility use.
Akamai's analysis also notes possible escalations, such as interacting with off-screen elements through the UIA cache or manipulating the UI from the lock screen, although neither was observed in this variant.
Mitigation Strategies
To counter such threats, defenders should monitor for UIAutomationCore.dll being loaded into processes that have no reason to use accessibility APIs. An osquery such as "SELECT DISTINCT pid, name, proc.path FROM process_memory_map AS pmm JOIN processes AS proc USING(pid) WHERE pmm.path LIKE '%uiautomationcore.dll'" lists every process with the module mapped; note that this catches ordinary loads of the DLL, not only injection.
A second indicator is the named pipe each UIA-enabled process creates, \\.\pipe\UIA_PIPE_<pid>; an osquery that joins the pipes table to processes on the pid embedded in the pipe name reveals which processes are acting as UIA servers.
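The same two indicators turned into a hunting script for hosts without osquery. This is an added example, not from the Akamai report; the allowlist of expected UIA clients is a constructed starting point that must be tuned per estate, and the function names are mine. Run it from an elevated Windows PowerShell 5.1 prompt so Process.Modules can be read for more processes.

```powershell
# Added hunting script (not from the Akamai report): enumerate processes that have loaded
# UIAutomationCore.dll and the UIA_PIPE_<pid> named pipes, then flag loads that fall
# outside a constructed allowlist of expected UIA clients. Tune the allowlist per estate.
$knownUiaClients = @('explorer', 'msedge', 'chrome', 'firefox', 'narrator', 'magnify',
                     'sihost', 'ctfmon', 'TextInputHost')

function Get-UiaModuleLoads {
    # Same data as the osquery process_memory_map join, read via .NET Process.Modules.
    foreach ($p in Get-Process) {
        try {
            $mod = $p.Modules | Where-Object { $_.ModuleName -ieq 'UIAutomationCore.dll' }
            if ($mod) {
                [pscustomobject]@{ Pid = $p.Id; Name = $p.ProcessName; Path = $p.Path; Module = $mod.FileName }
            }
        } catch {
            # Access denied (protected processes) or a 32/64-bit mismatch: skip rather than abort.
        }
    }
}

function Get-UiaPipes {
    # Each UIA-enabled process exposes \\.\pipe\UIA_PIPE_<pid>; the pid in the name identifies it.
    [System.IO.Directory]::GetFiles('\\.\pipe\') | ForEach-Object {
        $name = [System.IO.Path]::GetFileName($_)
        if ($name -match '^UIA_PIPE_(\d+)$') {
            $ownerPid = [int]$Matches[1]
            $owner = Get-Process -Id $ownerPid -ErrorAction SilentlyContinue
            [pscustomobject]@{ Pipe = $name; Pid = $ownerPid; Name = $owner.ProcessName; Path = $owner.Path }
        }
    }
}

function Find-SuspiciousUiaActivity {
    $pipes = @(Get-UiaPipes)
    foreach ($l in Get-UiaModuleLoads) {
        $reasons = @()
        if ($knownUiaClients -notcontains $l.Name) { $reasons += 'not an expected UIA client' }
        if ($l.Path -and $l.Path -notmatch '^[A-Za-z]:\\(Windows|Program Files)') {
            $reasons += 'binary outside Windows/Program Files'
        }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Pid     = $l.Pid
                Name    = $l.Name
                Path    = $l.Path
                UiaPipe = [bool]($pipes | Where-Object Pid -eq $l.Pid)   # also acts as a UIA server
                Reasons = ($reasons -join '; ')
            }
        }
    }
}

Find-SuspiciousUiaActivity | Format-Table -AutoSize
```

The allowlist and path check produce the verdict; the UiaPipe column is enrichment only, because legitimate applications that expose their UI to assistive tools create the same pipe. A process that trips both checks and was installed moments ago by an Electron-style installer is the profile the article describes and is worth pulling for analysis.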
According to the report, Akamai Hunt's anomaly detection already scans customer environments for suspicious UIA activity and alerts on deviations from the baseline.
Microsoft prevents a UIA client from interacting with windows of higher integrity than its own (medium, by default); an application can reach higher-integrity UI only if its manifest sets uiAccess to true and the binary is signed and installed in a trusted location, requirements an attacker holding a code-signing certificate can still satisfy, so the restriction should not be relied on as a control.
The finding validates earlier warnings about UIA's dual-use potential; blue teams should fold these indicators into their threat-hunting playbooks to keep pace with trojans like Coyote, which keep repurposing long-standing Windows frameworks for credential theft.