Stealthy Coyote 2.0: Windows UI Automation Becomes Cybercrooks' New Weapon

Coyote’s New Tricks! How This New Malware Variant Steals Bank Credentials

Shakti Sharma

A new variant of the Coyote banking trojan is abusing a legitimate Windows feature, UI Automation (UIA), to covertly identify and steal banking credentials. No vulnerability is involved: the malware uses the accessibility framework exactly as it was designed to be used, which is what makes the technique hard to spot. This iteration targets users in Brazil and is built to compromise accounts at 75 financial institutions and cryptocurrency exchanges.

The Rise of Coyote: A Persistent Threat Evolves

First identified in 2024, the Coyote banking trojan quickly established itself as a serious threat. Its original capabilities included keystroke logging, screen capture, and convincing overlays placed on top of banking login pages to trick users into entering their credentials. The malware has been refined repeatedly since then, with its developers adjusting its tactics to evade security tooling and widen its list of targets. The new variant is the latest step in that evolution, and it changes how the malware decides when to strike rather than just what it steals.

Weaponizing Accessibility: How a Legitimate Feature Is Abused

The notable, and worrying, aspect of this variant is its abuse of Windows UI Automation (UIA). UIA is a legitimate Microsoft accessibility framework that lets one application read and drive the user-interface elements of another; screen readers and test-automation tools rely on it every day. Any process running in the user's session can act as a UIA client, with no elevated privileges and no software flaw to exploit, and that is exactly what Coyote does. The malware first calls the GetForegroundWindow() Windows API to obtain a handle to whatever window the user is currently working in. It then uses UIA to walk that window's child elements, such as a browser's tab titles and address bar, and compares what it reads against its list of targeted banks and exchanges. In effect the malware "reads" the contents of other applications' windows as if it were an accessibility tool, without any user interaction and, because this reconnaissance happens entirely on the local machine, without needing an internet connection.
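The following Windows PowerShell 5.1 script is an added illustration of the technique described above; it is not code from the article or from Coyote. It takes the foreground window with GetForegroundWindow(), hands the handle to UI Automation, walks the window's tab and address-bar controls, and reports any that contain an entry from a constructed watch-list. The function name Get-ForegroundUiaMatches and the hostnames bank.example and exchange.example are placeholders chosen for this example.

```powershell
# Added example, not code from the article or from Coyote. Demonstrates the
# technique described above: take the foreground window, hand it to UI
# Automation, and read the tab titles and address bar of whatever browser is
# in front. Runs as a standard user in Windows PowerShell 5.1; it needs no
# privilege and exploits no flaw, which is the point.

Add-Type -AssemblyName UIAutomationClient
Add-Type -AssemblyName UIAutomationTypes

# P/Invoke the Win32 call the article names.
Add-Type -Namespace Win32 -Name NativeMethods -MemberDefinition @'
[DllImport("user32.dll")]
public static extern IntPtr GetForegroundWindow();
'@

function Get-ForegroundUiaMatches {
    # $WatchList: hostnames or window titles to look for (constructed, hypothetical).
    param([string[]]$WatchList)

    $hwnd = [Win32.NativeMethods]::GetForegroundWindow()
    if ($hwnd -eq [IntPtr]::Zero) { return }

    # The whole window becomes a walkable tree of UIA elements.
    $root = [System.Windows.Automation.AutomationElement]::FromHandle($hwnd)
    Write-Host ("Foreground window: '{0}' [{1}]" -f $root.Current.Name, $root.Current.ClassName)

    # Browsers expose tabs as TabItem controls and the address bar as an Edit control.
    $ct   = [System.Windows.Automation.AutomationElement]::ControlTypeProperty
    $cond = [System.Windows.Automation.OrCondition]::new(
        [System.Windows.Automation.PropertyCondition]::new($ct, [System.Windows.Automation.ControlType]::TabItem),
        [System.Windows.Automation.PropertyCondition]::new($ct, [System.Windows.Automation.ControlType]::Edit))

    foreach ($el in $root.FindAll([System.Windows.Automation.TreeScope]::Descendants, $cond)) {
        $text = $el.Current.Name
        # Edit controls keep their text in ValuePattern, not in Name.
        $vp = $null
        if ($el.TryGetCurrentPattern([System.Windows.Automation.ValuePattern]::Pattern, [ref]$vp)) {
            $text = "$text $($vp.Current.Value)"
        }
        foreach ($t in $WatchList) {
            if ($text -like "*$t*") {
                [pscustomobject]@{
                    Control = $el.Current.ControlType.ProgrammaticName
                    Text    = $text.Trim()
                    Matched = $t
                }
            }
        }
    }
}

# Give yourself a few seconds to click into a browser tab, then read it.
Start-Sleep -Seconds 5
Get-ForegroundUiaMatches -WatchList @('bank.example', 'exchange.example') | Format-Table -AutoSize
```

Run it from a console, switch to a browser with a tab open on one of the watch-list names, and the matching tab or address bar is printed. Chromium-based browsers build their accessibility tree lazily, so the first query may return nothing until the browser notices a UIA client; a second run usually succeeds. Nothing here required a network connection, administrator rights, or a bug in the browser.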


The Brazilian Focus: A Targeted Onslaught

The explicit targeting of Brazilian users and their financial institutions is a deliberate choice by the malware's operators. With 75 specific banks and cryptocurrency exchanges on its list, the new Coyote variant runs a narrowly focused campaign: it only needs to recognise those institutions' sites in the user's browser, and it can tailor its overlays and credential-stealing routines to their login pages. Reading the screen through UIA rather than hooking the browser or sniffing traffic also keeps the malware quieter on the infected system, since it behaves like an accessibility tool rather than like an injector.

Mitigating the Threat: Protecting Your Digital Assets

Given the sophistication of this new Coyote variant, users, particularly in Brazil, are urged to exercise caution. Cybersecurity experts recommend keeping the operating system and security software up to date, using a reputable endpoint protection product, and being wary of suspicious emails, links, and unsolicited software downloads. One caveat matters here: because the UIA abuse exploits no vulnerability, patching alone will not stop it; the infection has to be prevented or the malware detected once it is running. Multi-factor authentication (MFA) should be enabled wherever possible, as it adds a layer of protection even if a password is captured. Defenders should also treat an unknown or unsigned process that behaves as a UIA client as worth investigating, and users should monitor their bank and cryptocurrency accounts for unusual activity so that a compromise is caught early.
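As an added hunting aid that is not part of the article, the following Windows PowerShell 5.1 snippet lists processes that have a UI Automation client library loaded and are not on a constructed allow-list of software expected to use it. The function name Get-UiaClientProcesses and the contents of the allow-list are assumptions for this example and should be replaced with your own baseline.

```powershell
# Added hunting snippet, not code from the article or from Coyote.
# Lists processes that have a UI Automation client library loaded and are
# not on a constructed allow-list ($Allow) of software expected to use UIA.
# Run from an elevated Windows PowerShell 5.1 session to see other users'
# processes; reading Modules fails on protected processes and is skipped.

function Get-UiaClientProcesses {
    param(
        # Constructed allow-list: accessibility tools and browsers load UIA
        # libraries legitimately. Tune this to your own environment baseline.
        [string[]]$Allow = @('explorer', 'Narrator', 'Magnify', 'chrome',
                             'msedge', 'firefox', 'Teams', 'ms-teams', 'devenv'),
        [string[]]$UiaDlls = @('UIAutomationCore.dll', 'UIAutomationClient.dll')
    )

    Get-Process | Where-Object { $Allow -notcontains $_.ProcessName } | ForEach-Object {
        $p = $_
        try { $mods = $p.Modules } catch { return }   # access denied: skip this process
        $hit = @($mods | Where-Object { $UiaDlls -contains $_.ModuleName })
        if ($hit.Count -gt 0) {
            $sig = 'n/a'
            if ($p.Path) { $sig = (Get-AuthenticodeSignature -FilePath $p.Path).Status }
            [pscustomobject]@{
                PID       = $p.Id
                Name      = $p.ProcessName
                Path      = $p.Path
                UiaDll    = ($hit.ModuleName -join ',')
                Signature = $sig
            }
        }
    }
}

# Unsigned binaries, or ones living in user-writable folders, deserve a closer look.
Get-UiaClientProcesses | Sort-Object Signature, Name | Format-Table -AutoSize
```

UIAutomationCore.dll is loaded by UIA providers (applications exposing their own UI) as well as by clients, so the output is a triage list to review, not an alert on its own; the interesting rows are unsigned or oddly located binaries that have no business reading other windows. On a fleet, the equivalent telemetry is an image-load event (Sysmon Event ID 7) whose ImageLoaded path ends in UIAutomationCore.dll from a process outside your baseline.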
