Researchers have discovered a novel banking Trojan they dubbed "Coyote," which is hunting for credentials for 61 different online banking applications.
"Coyote," detailed by Kaspersky in an analysis today, is notable both for its broad targeting of banking-sector apps (the majority, for now, in Brazil), and its sophisticated interweaving of different rudimentary and advanced components: a relatively new open source installer called Squirrel; Node.js; an unsung programming language called "Nim"; and more than a dozen malicious functionalities. In all, it represents a notable evolution in Brazil's thriving market for financial malware — and could spell big trouble down the line for security teams if it expands its focus.
"They've been developing banking Trojans for more than 20 years — they started in the year 2000," Fabio Assolini, head of the Latin American Global Research and Analysis Team (GReAT) at Kaspersky, says of Brazilian malware developers. "In 24 years of developing and bypassing new authentication methods and new protection technologies, they've been very creative, and you can see it now with this very new Trojan."
It may be a Brazil-focused threat to consumers for now, but as mentioned, there are clear reasons for organizations to be aware of Coyote. For one, as Assolini warns, "the malware families that had success in tackling the Brazil market in the past have also expanded abroad. That's why corporations and banks must be prepared to deal with it."
And another reason for security teams to pay attention to the emergence of new banking Trojans is their history of evolving into fully fledged initial-access Trojans and backdoors; this was the case with Emotet and Trickbot, for instance, and more recently, QakBot and Ursnif.
Coyote has functionality in the wings to follow suit: It can execute a range of commands, including directives to take screenshots, log keystrokes, kill processes, shut down the machine, and move its cursor. It can also outright freeze the machine with a fake "Working on updates …" overlay.
The Coyote Trojan Runs With Squirrel & Nim
So far in its attacks, Coyote behaves like any other modern banking Trojan: When a compatible app is triggered on an infected machine, the malware pings an attacker-controlled command-and-control (C2) server and displays an appropriate phishing overlay on the victim's screen in order to capture a user's login information. Coyote stands out most, though, for how it combats potential detections.
Most banking Trojans utilize Windows Installers (MSI), Kaspersky noted in its blog post, making them an easy red flag for cybersecurity defenders. That's why Coyote opts for Squirrel, a legitimate open source tool for installing and updating Windows desktop apps. Using Squirrel, Coyote attempts to mask its malicious initial stage loader as a perfectly honest update packager.
Its final stage loader is even more unique, as it's written in a relatively niche programming language called "Nim." This is the very first banking Trojan Kaspersky has identified using Nim.
"Most of the old banking Trojans were written in Delphi, which is quite old and utilized across a lot of families. So over the years, the detection of Delphi malware got very good, and the efficiency of infections was slowing down over the years," Assolini explains. With Nim, "they have a more modern language to program with new features and a low rate of detection by security software."
Brazilian Banking Trojans Are a Global Problem
If Coyote has to do so much to distinguish itself, it's because the world's fifth-largest nation has in recent years become the world's premier hub for banking malware.
And for as much as they terrorize Brazilians, these programs also have a habit of crossing bodies of water.
"These guys are very experienced in developing banking Trojans, and they're eager to expand their attacks worldwide," Assolini emphasizes. "Right now, we can find Brazilian bank Trojans attacking companies and people as far away as Australia and Europe. This week, a member of my team found a new version of one in Italy."
To demonstrate the potential future for a tool like Coyote, Assolini points to Grandoreiro, a similar Trojan that made serious inroads into Mexico and Spain but also well beyond. By the end of last fall, he says, it had reached a total of 41 countries.
A byproduct of that success, however, was increased scrutiny from law enforcement. In a step toward disrupting its free-flowing cyber underground for this kind of malware, Brazilian police made a rare move: They executed five temporary arrest warrants and 13 search and seizure warrants, for the architects behind Grandoreiro across five Brazilian states.
"The problem in Brazil is they don't have very good local law enforcement for punishing these attackers. It works better when you have an entity outside of the country applying some pressure, as happened with Grandoreiro, when the police and banks in Spain were pressuring Brazilian federal police to catch these guys," Assolini says.
So, he concludes, "they're getting better, but there's a long way to go, because a lot of cybercriminals are still free [in Brazil] and committing lots of attacks worldwide."