Akamai Identifies Coyote Malware Variant Capable of Compromising Microsoft UIA Framework
Akamai researchers today disclosed they have discovered a variant of Coyote malware that steals credentials for specific banking and cryptocurrency exchange sites by compromising the UI Automation (UIA) framework developed by Microsoft.
The new Coyote variant specifically targets users in Brazil, aiming to extract credentials linked to 75 web addresses belonging to banks and cryptocurrency exchanges. Initially discovered last year, Coyote is a banking Trojan distributed through the Squirrel installer, a tool widely used to install and update Windows applications; it employs techniques such as keylogging and phishing overlays to steal banking information.
Tomer Peled, security and vulnerability researcher at Akamai, said that while Coyote malware has been seen before, this variant is the first to be linked to the UIA framework.
Previously, Akamai had shown how the UIA framework could be compromised, but now cybercriminals are putting that theory into practice, he noted.
During its infection process, Coyote sends the command-and-control server detailed information about each victim, including the computer name, username and various other system attributes, among them the financial services the victim uses.
Like many other forms of malware, Coyote calls the GetForegroundWindow() Windows API to obtain a handle to the currently active window. Once it has the handle, the malware compares the window title against a hardcoded list of web addresses belonging to the targeted banks and crypto exchanges. If no match is found, Coyote uses UIA to walk the window's child UI elements in an attempt to identify browser tabs or address bars, and the contents of those elements are cross-referenced against the same list of addresses used in the first comparison.
The best approach to thwarting these attacks is to configure endpoint detection and response (EDR) tools to recognize these more tailored types of threats, said Peled. The challenge is that many cybersecurity teams don’t update these tools as cybercriminals evolve their tactics and techniques, he added. Cybersecurity is, after all, a game of cat and mouse where adversaries are continuously updating the way they exploit vulnerabilities to evade detection as part of an everlasting cycle, noted Peled.
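One way to turn the EDR advice above into a concrete hunt, as an added example that is not Akamai's code or part of the Coyote analysis: a heuristic over constructed Sysmon-style image-load events that flags processes loading UIAutomationCore.dll (the library that implements the UIA framework described above) when they are neither known accessibility tools nor browsers, with a higher severity for binaries running from user-writable paths, where installers such as Squirrel place their applications. The allowlist, the path heuristic and the sample events are assumptions for illustration.

```python
from pathlib import PureWindowsPath

# Added example: the allowlist, path heuristic and sample events below are
# constructed assumptions, not Akamai telemetry or Coyote indicators.
UIA_DLL = "uiautomationcore.dll"  # implements the UIA API on Windows

# Processes expected to load UIA: assistive technology, browsers, the shell.
# Assumption for illustration; tune to what actually runs in your estate.
ALLOWLIST = {"narrator.exe", "magnify.exe", "explorer.exe",
             "chrome.exe", "msedge.exe", "firefox.exe"}

# User-writable locations; Squirrel-installed apps live under the user profile.
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\programdata\\")

# Constructed Sysmon-style image-load (Event ID 7) records, simplified.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\narrator.exe",
     "ImageLoaded": r"C:\Windows\System32\UIAutomationCore.dll"},
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ImageLoaded": r"C:\Windows\System32\UIAutomationCore.dll"},
    {"Image": r"C:\Users\alice\AppData\Local\UpdaterApp\app-1.0.2\updater.exe",
     "ImageLoaded": r"C:\Windows\System32\UIAutomationCore.dll"},
    {"Image": r"C:\Users\alice\AppData\Local\UpdaterApp\app-1.0.2\updater.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},
    {"Image": r"C:\Program Files\Vendor\tool.exe",
     "ImageLoaded": r"C:\Windows\System32\UIAutomationCore.dll"},
]

def classify(event):
    """Return None for benign events, else a (severity, reason) tuple."""
    if PureWindowsPath(event["ImageLoaded"]).name.lower() != UIA_DLL:
        return None                      # not a UIA load; ignore
    image = event["Image"]
    proc = PureWindowsPath(image).name.lower()
    if proc in ALLOWLIST:
        return None                      # expected UIA consumer
    if any(d in image.lower() for d in USER_WRITABLE):
        return ("high", f"{proc} loaded UIA from user-writable path {image}")
    return ("medium", f"{proc} is not an allowlisted UIA consumer")

def hunt(events):
    """Collapse findings to one per process image for triage."""
    findings = {}
    for ev in events:
        hit = classify(ev)
        if hit:
            findings[ev["Image"]] = hit
    return findings
```

Feed real Sysmon Event ID 7 records (Image, ImageLoaded) into hunt() and review the "high" findings first; unexpected UIA consumers under the user profile are the pattern this variant's delivery and behaviour would produce.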
It’s not clear how pervasively this variant of Coyote is being employed, but cybersecurity teams in the financial services sector especially should assume it will be used to victimize end users outside of Brazil. In fact, it’s not uncommon for cybercriminals to test the effectiveness of a new attack vector in a specific region before unleashing it more broadly. Hopefully, in this case, forewarning will prove to be another opportunity to be forearmed.
In the meantime, cybersecurity teams might want to scan their systems for any variant of Coyote. Malware is often subject to the whims of fashion, which means it may not be too long before every cybercriminal is incorporating Coyote into their playbook. The issue then becomes finding some way to counter with another playbook that either removes that malware or, better still, prevents it from being installed in the first place.