Dangerous new malware exploits Windows accessibility tools to hijack banking accounts

News
By published

Coyote malware wants to read the contents of your browser

Digital crime by an anonymous hacker
(Image credit: Shutterstock)
  • Banking trojan Coyote now abuses Microsoft’s UI Automation framework
  • The framework allows it to spot when a person opens a banking site
  • It can cross-reference the data in the browser with a hardcoded list of banking and crypto apps

Coyote, a known banking trojan malware capable of attacking dozens of crypto and banking apps, has been upgraded to identify crypto exchanges and bank accounts opened in the web browser, experts have warned.

Cybersecurity researchers Akamai, who have been warning about Coyote since December 2024, noted how in previous iterations, Coyote would either log keys or present phishing overlays, in order to exfiltrate login information for 75 banking and cryptocurrency exchange apps. However, if a user would open these accounts in the browser, Coyote wouldn’t be triggered.

However this new variant abuses Microsoft’s UI Automation framework to identify which banking and crypto exchange sites the victim opened in their browser, too.

Get Keeper's Personal Password Manager plan for just $1.67/month

Get Keeper's Personal Password Manager plan for just $1.67/month

Keeper is a password manager with top-notch security. It's fast, full-featured, and offers a robust web interface. The Personal Plan gets you unlimited password storage across all your devices, auto-login & autofill to save time, secure password sharing with trusted contacts, biometric login & 2FA for added security.

View Deal

Brazilians in the crosshairs

Microsoft's UI Automation (UIA) framework is an accessibility system that helps software interact with Windows apps.

It’s especially useful for things like screen readers and automated testing, as it lets programs “see” buttons, menus, and other parts of an app, and even click or read them.

According to Akamai, Coyote can now use UIA to read the web address found in the browser’s tabs or address bar, and then compare the results with a hardcoded list of 75 targeted services. If it finds a match, it will use UIA to parse through the UI child elements, trying to find which tabs or address bars there are.

"The content of these UI elements will then be cross-referenced with the same list of addresses from the first comparison,” they explained.

Akamai says that Coyote primarily targets Brazilian users. The banks it usually goes after are Banco do Brasil, CaixaBank, Banco Bradesco, Santander, Original bank, Sicredi, Banco do Nordeste, Expanse apps, and different crypto exchanges (Binance, Electrum, Bitcoin, Foxbit, and more).

The researchers first warned about UIA being abused in credential theft late last year, and now their predictions seem to have come true, since Coyote is apparently the first one to use this tactic in the wild.

Via BleepingComputer

You might also like

TOPICS
Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.