Coyote is a sophisticated, multi-stage banking Trojan that has expanded its operations to target more than 1700 banks in 45 countries across all continents. Other notable malware families in the same space include Banbra, BestaFera, Bizarro, ChePro, Casbaneiro, Ponteiro, and Grandoreiro. Despite the arrest of several gang members involved in these operations, their malicious activity has not stopped. Coyote uses a multi-stage design with a Nim-based loader, disguising its initial-stage loader as an update packager. This deception blocks the user interface with a misleading "Working on updates…" message while the malware carries out its harmful actions in the background.
The Coyote Trojan recently compromised 61 Brazilian banking systems, illustrating the evolving tactics cybercriminals are employing. It operates by monitoring all open applications on the victim's system and waiting for the victim to access specific banking applications or websites. Once triggered, Coyote can execute commands such as capturing screenshots, logging keystrokes, terminating processes, displaying fake overlays, moving the mouse cursor, and even shutting down the machine. This range of capabilities underscores the threat it poses to online banking security and system integrity.
In response to the Coyote threat, Brazilian law enforcement authorities took action by dismantling the Grandoreiro operation. However, the persistence of Trojan infections remains a significant concern for individuals and organizations alike, highlighting the need for robust cybersecurity measures. Coyote's emergence coincides with the dismantling of the Grandoreiro operation in Brazil, suggesting a shift in the threat landscape. The use of Nim-based loaders to execute the Coyote payload through DLL side-loading further emphasizes the advanced and evolving nature of this malware.
Description last updated: 2024-11-15T16:01:47.417Z