- Banking trojan Coyote now abuses Microsoft’s UI Automation framework
- The framework allows it to spot when a person opens a banking site
- It can cross-reference the data in the browser with a hardcoded list of banking and crypto apps
Coyote, a known banking trojan malware capable of attacking dozens of crypto and banking apps, has been upgraded to identify crypto exchanges and bank accounts opened in the web browser, experts have warned.
Cybersecurity researchers Akamai, who have been warning about Coyote since December 2024, noted how in previous iterations, Coyote would either log keys or present phishing overlays, in order to exfiltrate login information for 75 banking and cryptocurrency exchange apps. However, if a user would open these accounts in the browser, Coyote wouldn’t be triggered.
However this new variant abuses Microsoft’s UI Automation framework to identify which banking and crypto exchange sites the victim opened in their browser, too.
Brazilians in the crosshairs
Microsoft’s UI Automation (UIA) framework is an accessibility system that helps software interact with Windows apps.
It’s especially useful for things like screen readers and automated testing, as it lets programs “see” buttons, menus, and other parts of an app, and even click or read them.
According to Akamai, Coyote can now use UIA to read the web address found in the browser’s tabs or address bar, and then compare the results with a hardcoded list of 75 targeted services. If it finds a match, it will use UIA to parse through the UI child elements, trying to find which tabs or address bars there are.
“The content of these UI elements will then be cross-referenced with the same list of addresses from the first comparison,” they explained.
Akamai says that Coyote primarily targets Brazilian users. The banks it usually goes after are Banco do Brasil, CaixaBank, Banco Bradesco, Santander, Original bank, Sicredi, Banco do Nordeste, Expanse apps, and different crypto exchanges (Binance, Electrum, Bitcoin, Foxbit, and more).
The researchers first warned about UIA being abused in credential theft late last year, and now their predictions seem to have come true, since Coyote is apparently the first one to use this tactic in the wild.
Via BleepingComputer
