JAKARTA - Kaspersky experts have identified a new advanced banking trojan that uses the latest evasion tactics to steal sensitive financial information.
Dubbed Coyote, the trojan targets users affiliated with more than 60 banking institutions in Brazil, using the Squirrel installer for its distribution, a method rarely associated with malware delivery.
The purpose of this trojan is in line with the behavior of banking trojans in general, namely to monitor for certain banking applications or websites being accessed.
Based on the results of Kaspersky's investigation, instead of taking the usual path with a well-known installer, Coyote uses Squirrel, a relatively new tool for installing and updating Windows desktop applications.
Experts also say that what makes Coyote even more sophisticated is the use of Nim, a modern cross-platform programming language, as a loader for the final stages of the infection process.
Furthermore, Coyote's infection chain involves a NodeJS application executing complicated JavaScript code, a Nim loader that unpacks a .NET executable, and finally, execution of the trojan.
Once a banking application is active, Coyote communicates with its command-and-control server over an SSL channel with mutual authentication.
The trojan can then perform certain actions, including keylogging and taking screenshots; it can even request a specific bank card password and create a fake page to obtain user credentials.
Kaspersky telemetry data shows that about 90 percent of Coyote infections come from Brazil, thus having a major impact on financial cybersecurity in the region.