    Coyote Trojan First to Use Microsoft UI Automation in Bank Attacks

    By Declan Murphy, July 23, 2025


    A new version of the Coyote banking trojan has been spotted, and what’s notable about it isn’t just who it’s targeting, but how it’s going about it. Cybersecurity researchers at Akamai have confirmed that this variant is the first malware seen actively using Microsoft’s UI Automation (UIA) framework to extract banking credentials. It’s a technique that had only been a conceptual risk a few months ago.

    Back in December 2024, Akamai warned that Microsoft’s UIA, which helps assistive technologies interact with software, could be misused by threat actors. Until now, that concern remained a proof-of-concept. Things changed when Akamai observed Coyote using UIA in attacks targeting Brazilian users, aiming to extract sensitive information from browser windows tied to banks and cryptocurrency platforms.

    This shows that the Coyote trojan is changing the way it operates, making it harder to detect and stop. The malware, first detected in February 2024, is known for phishing overlays and keylogging aimed at Latin American financial targets. But what makes this variant different is its use of UIA to bypass detection tools like endpoint detection and response software.

    Instead of relying on typical APIs to check which banking site a victim is visiting, Coyote now uses UI Automation. When the active window title doesn’t match any of the malware’s preloaded banking or crypto site addresses, it changes its tactics and uses a UIA COM object to start crawling through the sub-elements of the active window, searching for telltale signs of financial activity.

    Akamai’s blog post, shared with Hackread.com ahead of publishing on Tuesday, found that Coyote’s hardcoded list includes 75 financial institutions and crypto exchanges. What’s worse, these aren’t just names or URLs. The malware maps them to internal categories, allowing it to prioritise or customise its credential-stuffing attempts. This approach not only increases its chances of hitting the target but also makes it more flexible across browsers and applications.

    Normally, an attacker would need detailed knowledge of a specific application’s design. UIA simplifies that process. With this framework, malware can scan the UI of another app, extract content from fields like address bars or input boxes, and use that information to customise attacks or steal login data.

    The Coyote trojan doesn’t stop at identifying banks. It also sends system details back to its command-and-control infrastructure, including the computer name, username, and browser data. If offline, it still performs many of these checks locally, making it harder to catch through network traffic alone.

    According to researchers, the bigger concern here is how UIA could open up new attack paths. Akamai demonstrated this by showing how attackers might not just scrape data but also manipulate UI elements. One proof of concept shows the malware changing a browser’s address bar, then simulating a click to quietly redirect the user to a phishing site, all while looking legitimate on screen.

    [GIF: Akamai’s PoC]

    On the defensive side, there are ways to catch this kind of abuse. Akamai recommends monitoring for the loading of UIAutomationCore.dll into unfamiliar processes. They also provide osquery commands to flag processes that interact with UIA-related named pipes. These are early warning signs that an attacker may be snooping on the user interface.

    Akamai’s threat hunting service has already started scanning environments for such anomalies. According to their report, customers were alerted when suspicious UIA activity was detected.
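One way to act on the UIAutomationCore.dll monitoring recommendation, as an added example that is not from the article or from Akamai: a filter over image-load telemetry that reports processes outside a known baseline. The records use Sysmon Event ID 7 field names; the events, user name and baseline paths are constructed assumptions.

```python
import json
import ntpath

UIA_DLL = "uiautomationcore.dll"  # module named in the article

# Assumed baseline of expected UIA loaders (constructed; build yours from
# historical telemetry). Full lower-case paths, so a look-alike file name in
# a user-writable directory does not inherit trust.
BASELINE = {
    r"c:\windows\system32\narrator.exe",
    r"c:\windows\explorer.exe",
}

# Constructed JSON-lines sample; the last record is deliberately truncated.
SAMPLE_EVENTS = r"""
{"UtcTime": "2025-07-23 10:00:01", "ProcessId": 4120, "Image": "C:\\Windows\\System32\\Narrator.exe", "ImageLoaded": "C:\\Windows\\System32\\UIAutomationCore.dll"}
{"UtcTime": "2025-07-23 10:00:03", "ProcessId": 6332, "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\updater.exe", "ImageLoaded": "C:\\Windows\\System32\\UIAUTOMATIONCORE.DLL"}
{"UtcTime": "2025-07-23 10:00:04", "ProcessId": 6332, "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\updater.exe", "ImageLoaded": "C:\\Windows\\System32\\UIAutomationCore.dll"}
{"UtcTime": "2025-07-23 10:00:06", "ProcessId": 7004, "Image": "C:\\Users\\alice\\Downloads\\explorer.exe", "ImageLoaded": "C:\\Windows\\System32\\UIAutomationCore.dll"}
{"UtcTime": "2025-07-23 10:00:08", "ProcessId": 2216, "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll"}
{"UtcTime": "2025-07-23 10:00:09", "ProcessId": 51
"""


def find_unfamiliar_uia_loaders(lines, baseline=BASELINE):
    """Return one finding per (pid, image) that loaded the UIA DLL and is not baselined."""
    first_seen = {}
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or corrupt records instead of aborting the hunt
        # ntpath splits on backslashes on any OS; compare names case-insensitively.
        if ntpath.basename(event.get("ImageLoaded", "")).lower() != UIA_DLL:
            continue
        image = event.get("Image", "").lower()
        if image in baseline:
            continue
        # Keep only the earliest load per process to avoid duplicate alerts.
        first_seen.setdefault((event.get("ProcessId"), image), event.get("UtcTime"))
    return [{"pid": pid, "image": image, "first_seen": ts}
            for (pid, image), ts in first_seen.items()]


if __name__ == "__main__":
    for finding in find_unfamiliar_uia_loaders(SAMPLE_EVENTS.splitlines()):
        print(finding)
```
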


