
‘Coyote’ ugly - Kaspersky unveils banking trojan targeting over 60 institutions

5 February 2024

A new sophisticated banking Trojan that steals sensitive financial information and introduces advanced tactics to avoid detection has been discovered by Kaspersky's Global Research and Analysis Team (GReAT). Dubbed 'Coyote,' this malware relies on the Squirrel installer for distribution, its name drawing inspiration from coyotes, the natural predators of squirrels.

Kaspersky's experts have identified "Coyote," a sophisticated new banking trojan that employs advanced evasion tactics to pilfer sensitive financial information. Primarily targeting users affiliated with more than 60 banking institutions in Brazil, Coyote utilizes the Squirrel installer for its distribution — a method rarely linked to malware delivery. Kaspersky's researchers have investigated and identified the entire infection process of Coyote. 

Instead of taking the usual path with well-known installers, Coyote uses Squirrel, a relatively new tool for installing and updating Windows desktop applications. This way, Coyote hides its initial stage loader by pretending it's just an update packager.

What makes Coyote even more challenging is its use of Nim, a modern, cross-platform programming language, for the loader in the final stage of the infection process. This aligns with a trend observed by Kaspersky, in which cybercriminals use less popular and cross-platform languages, demonstrating their adaptability to the latest technology trends.

Coyote's infection chain involves a NodeJS application executing tricky JavaScript code, a Nim loader unpacking a .NET executable, and finally, the execution of the Trojan. While Coyote skips code obfuscation, it uses string obfuscation with AES (Advanced Encryption Standard) encryption for extra stealth. The Trojan's goal is in line with typical banking Trojan behavior: it watches for the specific banking application or website to be accessed.

Once banking apps are active, Coyote talks to its command-and-control server using SSL channels with mutual authentication. The Trojan's use of encrypted communication and its ability to carry out specific actions, like keylogging and taking screenshots, highlight its advanced nature. It can even ask for specific bank card passwords and set up a fake page to acquire user credentials.

Kaspersky's telemetry data shows that around 90 percent of Coyote’s infections come from Brazil, making a big impact on the region's financial cybersecurity.

“In the last three years, the number of banking Trojan attacks almost doubled, hitting over 18 million in 2023. This shows that online security challenges are on the rise. As we deal with the growing number of cyber threats, it's really important for people and businesses to protect their digital assets. The rise of Coyote, a new kind of Brazilian banking Trojan, reminds us to be careful and use the latest defenses to keep our important information safe,” comments Fabio Assolini, head of the Latin American Global Research and Analysis Team (GReAT) at Kaspersky.

To read the full report on the Coyote banking Trojan, please visit Securelist.com.

For protection against financial threats, Kaspersky recommends:

  • Install only applications obtained from reliable sources.
  • Refrain from approving rights or permissions requested by applications without first ensuring they match the application’s feature set.
  • Never open links or documents included in unexpected or suspicious-looking messages.
  • Use a reliable security solution, such as Kaspersky Premium, that protects you and your digital infrastructure from a wide range of financial cyberthreats.

To protect your business from financial malware, Kaspersky security experts recommend:

  • Providing cybersecurity awareness training, especially for employees responsible for accounting, that includes instructions on how to detect phishing pages.
  • Improving the digital literacy of staff.
  • Enabling a Default Deny policy for critical user profiles, particularly those in financial departments, which ensures that only legitimate web resources can be accessed.
  • Installing the latest updates and patches for all software used.


About Kaspersky

Kaspersky is a global cybersecurity and digital privacy company founded in 1997. With over a billion devices protected to date from emerging cyberthreats and targeted attacks, Kaspersky’s deep threat intelligence and security expertise is constantly transforming into innovative solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection, specialized security products and services, as well as Cyber Immune solutions to fight sophisticated and evolving digital threats. We help over 200,000 corporate clients protect what matters most to them. Learn more at www.kaspersky.com.
