Coyote Banking Trojan Targets LATAM with a Focus on Brazilian Financial Institutions

RESEARCH & INTELLIGENCE / 07.08.24 / The BlackBerry Research and Intelligence Team

Summary

Increased global trade and the growth of the Latin American (LATAM) market has made the region an increasingly attractive target for cyber criminals in recent years. The World Economic Forum noted in their January 2024 Global Cybersecurity Outlook report that LATAM had a high number of “insufficiently cyber-resilient organizations,” with government and financial institutions topping the list of targets.

Coyote is a .NET banking Trojan that has been observed targeting Brazilian financial institutions, primarily banks. It has an execution chain that clearly distinguishes it from other banking Trojans. First identified by researchers in February 2024, Coyote got its name due to the fact it abuses Squirrel, a valid non-malicious software to manage the installation and update of Windows applications.

During a Coyote attack, a legitimate open-source OBS file and the Chromium Embedded Framework (CEF) dynamic linked library (DLL) are injected with a compromised DLL. The compromised DLL uses the Nim programming language to load the Coyote banking Trojan and harvest user financial information, with persistence on the system.

In this blog we’ll take a closer look at Coyote’s infection vector and execution chain.

Affected Operating Systems

Technical Analysis

Infection Vector

While we didn’t have direct observation of the delivery method during our analysis of the Coyote Trojan, this malware would typically be delivered via phishing, with the user being enticed to click a malicious link rather than the Trojan being delivered as an attachment. This is due to the unusually large file size (+170 MB) of the Trojan; an email with such a large file as an attachment would likely bounce back from email systems that limit or block emails with large file sizes.

The names of files found that were written in Brazilian Portuguese corroborate with the targets being solely Brazilian victims. Examples of filenames used during the attack include:

Pdfpapel327088636055.zip (“papel” = paper)
Pdfmensal4669787638.zip (“mensal” = monthly)

Analysis

Upon execution of the main malicious file, for example pdfpapel327088636055.exe, the Squirrel update process is started:
"C:\Users\<username>\AppData\Local\SquirrelTemp\Update.exe" — install.

The update process also starts execution of “designlesotho.exe”:
"C:\Users\<username>\AppData\Local\designlesotho\app-0.7.2\designlesotho.exe" — Squirrel-install 0.7.2

Finally, via cmd.exe, the following is executed: OBS “obs-browser-page.exe”:
“C:\Windows\system32\cmd.exe /d /s /c "C:\Users\Admin\Videos\Captures\obs-browser-page.exe"

Figure 1: Process Tree of the initial execution to obs-browser-page.exe.

Persistence is achieved via the Registry:
HKEY_CURRENT_USER\Environment\UserInitMprLogonScript
C:\Users\<username>\Videos\Captures\obs-browser-page.exe

Upon execution of the non-malicious obs-browser-page.exe (SHA256: ec605cc14c60e30682e84ec87d19034f7bd1399025ca11fbf3c4adeed85fadf0), the Squirrel update process loads libcef.dll (SHA256: e1c48e87d7386dc2edd54a1d3ac73d4af7e63eb2fc4f26f59ff15a9dd1dc1ac6). This is a non-malicious Google Chrome DLL vulnerable to DLL sideloading that finally loads the malicious chrome_elf.dll (SHA256: 110b616bc12c29b070b0dc60c197a4d63b3e3caae6bb80a25b8864489a51da79).

The final DLL, chrome_elf.dll, is a Nim loader that executes the embedded Coyote banking Trojan in memory (SHA256: e3d9cb8f4385a63e70305de36f8366e0b86d183322e860029455f145404c7e9c).

Nim is a fairly new multi-platform programming language which combines successful concepts from mature languages like Python, Ada and Modula.

Figure 2: Non-malicious file "obs-browser-page-exe" and "libcef.dll" along with the malicious "chrome_elf.dll."

Once executed, the Coyote banking Trojan keeps checking the title of the file or Internet browser window. Only when the window title matches one of the targets — mentioned below in the Targets section — does it start communication with its command-and-control (C2) servers.

Coyote can run a total of 24 commands and functions, including taking screenshots of a user’s activity, showing full-screen overlay windows (including an overlay of a fake banking app), making registry changes, moving the user’s mouse, machine shutdown and keylogging.

Figure 3: Coyote keylogger command.

Communication

Coyote uses the WatsonTCP library for communication. On the specific campaign we observed, the binary randomly selects one of the following C2s:

bestoraculo[.]com

acaodegraca[.]com

turmadabruta[.]com

britoingresso[.]com

cinebrian[.]com

Based on our analysis, we managed to find additional C2 servers besides those initially reported:

Additional C2s

cloridatosys[.]com

flogoral[.]com

formitamina[.]com

bilatex[.]com

autoglobalcar[.]com

atendesolucao[.]com

angelcallcenter[.]com

servicoasso[.]com

dowfinanceiro[.]com

centralsolucao[.]com

gargamellojas[.]com

carrodenatal[.]com

marvelnatal[.]com

nograusistema[.]com

navegacaodura[.]com

jogodequadra[.]com

carrosantigo[.]com

bermatechcliente[.]com

Figure 4: Connections from Coyote banking Trojan to different C2 servers.

With the different infection chain utilizing Squirrel and DLL side-loading targeting OBS, as well as a .NET Brazilian banking Trojan, we believe this is indeed the Coyote threat actor. At the time of writing this, there are no references to whether this specific banking Trojan is being sold on the underground market.

Targets

Coyote targets Brazilian financial institutions as well as Binance, a global company that operates a cryptocurrency exchange with the largest daily trading volume of cryptocurrencies. Coyote’s full target list of legitimate domains is as follows:

Targets (Legitimate Domains)

Bancobrasil.com.br

Bb.com.br

internetbanking.caixa.gov.br

loginx.caixa.gov.br

banco.bradesco

cidadetran.bradesco

ne12.bradesconetempresa.b.br

binance.com

mercadobitcoin.com.br

bitcointrade.com.br

foxbit.com.br

blockchain.com

accounts.binance.com

pf.santandernet.com.br

pj.santandernetibe.com.br

itau.com.br

meu.original.com.br

empresas.origina

ibpj.original.com.br

banrisul.com.br

internetbanking.banpara.b.br

ib.banpara.b.br

www2s.bancoamazonia.com.br

ecode.daycoval.com.br

mercantildobrasi

stone.com.br

bancopan.com.br

unicred.com.br

safra.com.br

safraempresas.com.br

ib.brde.com.br

banese.com.br

bancobmg.com.br

brbbanknet.brb.com.br

internetbanking.confesol.com.br

tribanco.com.br

credisisbank.com.br

credisan.com.br

bancobs2.com.br

bancofibra.com.br

uniprimebr.com.br

uniprime.com.br

bancotopazio.com.br

btgmais.com

citidirect.com

banestes.b.br

zeitbank.com.br

cora.com.br

sofisa.com.br

sofisadireto.com.br

www.banestes.com.br

banestes.com.br

wwws.uniprimedobrasil.com.br

www.rendimento.com.br

rendimento.com.br

contaonline.viacredi.coop.br

sicredi.com.br

nel.bnb.gov.br

mercadopago.com.br

Conclusion

The emergence of a .NET banking Trojan targeting the LATAM region with a primary focus on Brazil, underscores the rapid evolution of the cybersecurity threat landscape. This sophisticated malware employs unconventional methods to infiltrate targeted systems via phishing with malicious domains, with the goal of compromising large financial institutions.

The deceptive tactic of disguising the initial loader as a legitimate Squirrel update packager highlights the need for heightened vigilance and proactive security measures by defenders. As organizations fortify their cybersecurity defenses, it is crucial to not only invest in more advanced protective technologies, but to also prioritize user education. By enhancing employee awareness and understanding of threats such as these, we can significantly improve defensive evasion techniques and mitigate some of the risks.

Combating the Coyote banking Trojan threat head-on requires a multifaceted approach that integrates modern-day cybersecurity solutions with comprehensive user training. By staying ahead of emerging threats and fostering a culture of cyber resilience, we can safeguard our critical systems and protect the integrity of financial institutions in the LATAM region.

MITRE ATT&CK® Matrix

Tactic	Technique ID	Technique Name	Details
Execution	T1059.007	Command and Scripting Interpreter: JavaScript	Upon Squirrel execution, a NodeJS application runs and executes obfuscated JavaScript code.
Execution	T1204.002	User Execution: Malicious File	Initial loader is disguised as a Squirrel updater.
Persistence	T1547.001	Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder	Registry value is added into HKCU\Environment\UserInitMprLogonScript key (prior to checking its existence). The value added in the case we observed: “obs-browser-page.exe” is to establish persistence.
Privilege Escalation	T1574.002	Hijack Execution Flow: DLL Side-Loading	The Trojan is loaded through DLL side-loading of a dependency of Chrome and OBS Studio executables (libcef.dll).
Defense Evasion	T1218	System Binary Proxy Execution	Usage of Squirrel to create installation and updates packages hiding the infection vector in an updater.
	T1027	Obfuscated Files or Information	Trojan utilizes string obfuscation with AES encryption NodeJS application runs and executes obfuscated JavaScript code
	T1620	Reflective Code Loading	NIM is used to load the final stage, which unpacks the .NET executable and executes it in memory using the CLR.
	T11036.001	Masquerading: Match Legitimate Name or Location	Coyote hides its initial loader by presenting it as an update packager.
	T1553.002	Code Signing	Usage of signed application with legitimate library.
	T1480.001	Execution Guardrails	Once the malware verifies that the connection is indeed with the attacker, it proceeds to send the information collected from the infected machine and banking applications to the server.
Discovery	T1082	System Information Discovery	Information sent to C2 includes: Machine Name GUID Banking application/s being used
Discovery	T1010	Application Windows Discovery	Trojan monitors all open applications on the victim’s system and waits for the specific banking application or website to be accessed.
Collection	T1056.001	Input Capture: Keylogging	Trojan has the capability to conduct keylogging.
Collection	T1113	Screen Capture	Trojan has the capability to take screenshots.
Command and Control	T1573	Encrypted Channel	Trojan establishes communication with its C2 server using SSL channels with a mutual authentication scheme.
Command and Control	T1205	Traffic Signaling	Attacker sends a response packet that contains specific actions. To process these actions, the attacker transmits a string with a random delimiter. Each position of the string is then converted to a list, with the first entry representing the command type.
Impact	T1529	System Shutdown/Reboot	Trojan has capabilities to shut down the compromised system.

Indicators of Compromise (IoCs):

SHA256

File Type

Details

096d7765f278bb0de33fbfa0a15413a2432060d09c99f15c6ca900a6a8a46365

9c6fc9e0854eaf5a0720caab1646f48c7992f6f4051438004598af89102a49eb

e0b65087cc83b899d53c153fcfd1420d15e369c3d196325396b50cb75681c27d

485c8bfae3e5c150012e1d630f5d9ae37b786d4b750a9a0adf2b174b7ab85c65

16cc13258a3e63be247c9adf18def0369bb72197bdb3668142bc50a6656047af

2bd6bbe48d0328e4011ce3053e616664a4eb2bf43bd5762cb03be297f786b068

287b39f40ed541585c968b6529c44e9ccdd899bca0b88457907d994c2b5013f4

341a1945f606bcf4c25bce9b850dbddc5125376156cb7f8d14c6ce6bc4b396c3

9160ca25889427b2c2da4d4b14c4a93a707efc2ce07a49d5b8ab1a7f9be8ab55

2d8b10e35c2c2d9675ec693558629450eeee2c8e38f491d38c42de96bddf317a

112edf53d4c560ab71f1b20856ec4d6096e0ea42b0271526b3415c3563300f06

3cbc282c6a51edff4e762267332e1ff2a503f7ba8a7b2a10c9ff404a7bda913b

aedffb9cf780bb52c68586ceb238fcaf90253524f06a4a338edc6437409e51c5

2b428df6f76d36ceeebfd37df65ab7893cb6f526afeb9e4494829628f0b9cae8

ae6676ad5b8ba386e88ae045eacc05225a657360963844cdf18db6a45318ea89

ce07ef596772e9cfa6f41000f27244f6f750527639a26c6be0b73033a8e41883

c0833babb2982e36ac7646f7539f6a235a42bcf5375bc080d3ac9d031dc3b903

d44f4db6680d178437e9cfba010ac049f80e5eddf43b3977da819119bb6ca06d

504a5902f20d0a7e3968251849cd88acd31e7fc895fc18d5c82076c5388df5bd

8e614368f99f955c75752df597f97de1dd51b4f0dfeeadc76e1badcc7ca57fc2

3cc58b46d0babd561508d7b67c609e0e9be9a35db9425f1e8a29512a5229665a

5656501522adfe1b08f58cccc1e187cbb7099ef1193a62edd5dfe0d32da4cd7a

fb8353e718397dcabd11d9bd8a500ffd54e2a57ac4722a34241757c60ba2bdff

ae65738fa81be0b2cfe2f63209db9ed5b928b4b5a1a703ce2a89699a6f192f07

5b3421beb6aaf3fd16831e1456475acac4f8e7c863869fb4d5dc9b1ae0576ef3

6b7a014d0674fe5f145aa2c5dc7674d42e5306d82c3fe7ab0235dcbfd559725f

d96c3e8dc899948bf92c377bb4872b19b5983b6eb2d59f00019345293601843c

2a54b7f1327398ccd1c538759201e8699dfad7c53e8e095ea782d862ec48cb92

90ffb18c9d05bf6a61d90c57f299b70702c0e65dac90349b06d5e6833d6d2612

4869fcfda9be32f3cdd48c21bda07aefde496c5f06f235f33ce948169e9744e5

3edcf6a6b6cb254f72f0f2607fa4bb2ecb604475b448c9487e89fc76eb8f896e

a0d2c87f4ed6522fdcd8c8d234dca9c7e8831de5faa9445275405ddd0a9104cc

6da5f450f3124e30e8091fda443cb416d29eab4e166a777263e004758acf2e69

10af5c8950b8802851afe96b423d20408b618f80ab54c1a5aef0f1a04c36f331

f6ed73bed9e6b992dbfdee64ff8c9dfde5e3f12c3ec6bbb4e2367fbd2ce75b6f

1ba49976a6e596abb68e2f7ca37407930330a4bf0bd25207057c5a60cb3a4107

798fb8de9bb0434ee0b172793f5b68eb593054538cf5ec96e71a5a0759f6bcc5

c057145da9481a4fff50e69b7e746c19cc95e2d33331539b6b62077169bc4b42

fcb8f32502147dbf8ef44ad99a41d9eaf639bb3d22c4de92a3022f501c9d8cb6

0dea05062d6527ab03f80de87488d278dd333167cdabdf5ef28da760bf252863

3a14ab878697453832306a836e67915d7475481307c65268ceb1f900ff4ec25a

ZIP

Malware Delivery

eb615c093e9b52ed409f426764857e6e42aa85e02adef59d6f1457dcbb90bb40

1bed3755276abd9b54db13882fcf29c543ebf604be3b7fcf060cbd6d68bcd23f

4806617bbc8187a89d5ed73cb818853e306d3699f87bd09940b0ecffdc96091d

1d59bc782e532780da0364b14a1b474a8cb8a5af50c8124159bf5d943bd050f7

DLL

NIM Loader + Coyote banking Trojan

IP/Domain

Details

cloridatosys[.]com

flogoral[.]com

formitamina[.]com

bilatex[.]com

autoglobalcar[.]com

atendesolucao[.]com

angelcallcenter[.]com

servicoasso[.]com

dowfinanceiro[.]com

centralsolucao[.]com

gargamellojas[.]com

carrodenatal[.]com

marvelnatal[.]com

nograusistema[.]com

navegacaodura[.]com

jogodequadra[.]com

carrosantigo[.]com

bermatechcliente[.]com

Recently active malicious Coyote C2’s

Countermeasures

The good news is that BlackBerry customers are protected against the Coyote IoCs listed in this blog post by endpoint protection solutions such as CylanceENDPOINT™. CylanceENDPOINT leverages advanced AI to detect threats before they cause damage, minimizing business disruptions and the costs incurred during a ransomware attack.

YARA Rule

import "pe"

rule coyote_nimloader {
    meta:
        author = "Blackberry Threat Research and Intelligence"
        hash = "110b616bc12c29b070b0dc60c197a4d63b3e3caae6bb80a25b8864489a51da79"
        hash = "1bed3755276abd9b54db13882fcf29c543ebf604be3b7fcf060cbd6d68bcd23f"
    strings:
        $nim1 = "strformat.nim" fullword ascii
        $nim2 = "fatal.nim" fullword ascii
        $nim3 = "io.nim" fullword ascii
        $export_name = "chrome_elf.dll" fullword ascii
    condition:
        pe.characteristics & pe.DLL and pe.number_of_sections > 8 and $export_name and (2 of ($nim*))
}

Further Reading:

About The BlackBerry Research and Intelligence Team

The BlackBerry Research and Intelligence team is a highly experienced threat research group specializing in a wide range of cybersecurity disciplines, conducting continuous threat hunting to provide comprehensive insights into emerging threats. We analyze and address various attack vectors, leveraging our deep expertise in the cyberthreat landscape to develop proactive strategies that safeguard against adversaries.

Whether it's identifying new vulnerabilities or staying ahead of sophisticated attack tactics, we are dedicated to securing your digital assets with cutting-edge research and innovative solutions.

Back