Sixty-one banking establishments, all of them originating from Brazil, are the goal of a brand new banking trojan referred to as Coyote.
“This malware makes use of the Squirrel installer for distribution, leveraging Node.js and a comparatively new multi-platform programming language referred to as Nim as a loader to finish its an infection,” Russian cybersecurity agency Kaspersky mentioned in a Thursday report.
What makes Coyote a distinct breed from different banking trojans of its variety is using the open-source Squirrel framework for putting in and updating Home windows apps. One other notable departure is the shift from Delphi – which is prevalent amongst banking malware households concentrating on Latin America – to an unusual programming language like Nim.
Within the assault chain documented by Kaspersky, a Squirrel installer executable is used as a launchpad for a Node.js software compiled with Electron, which, in flip, runs a Nim-based loader to set off the execution of the malicious Coyote payload by way of DLL side-loading.
The malicious dynamic-link library, named “libcef.dll,” is side-loaded by way of a professional executable named “obs-browser-page.exe,” which can also be included within the Node.js venture. It is value noting that the unique libcef.dll is a part of the Chromium Embedded Framework (CEF).
Coyote, as soon as executed, “screens all open functions on the sufferer’s system and waits for the precise banking software or web site to be accessed,” subsequently contacting an actor-controlled server to fetch next-stage directives.
It has the aptitude to execute a variety of instructions to take screenshots, log keystrokes, terminate processes, show faux overlays, transfer the mouse cursor to a particular location, and even shut down the machine. It will probably additionally outright block the machine with a bogus “Engaged on updates…” message whereas executing malicious actions within the background.
“The addition of Nim as a loader provides complexity to the trojan’s design,” Kaspersky mentioned. “This evolution highlights the growing sophistication throughout the menace panorama and exhibits how menace actors are adapting and utilizing the newest languages and instruments of their malicious campaigns.”
The event comes as Brazilian legislation enforcement authorities dismantled the Grandoreiro operation and issued 5 momentary arrest warrants and 13 search and seizure warrants for the masterminds behind the malware throughout 5 Brazilian states.
It additionally follows the invention of a brand new Python-based data stealer that is associated to the Vietnamese architects related to MrTonyScam and distributed through booby-trapped Microsoft Excel and Phrase paperwork.
The stealer “collects browsers’ cookies and login knowledge […] from a variety of browsers, from acquainted browsers similar to Chrome and Edge to browsers targeted on the native market, just like the Cốc Cốc browser,” Fortinet FortiGuard Labs mentioned in a report printed this week.
