FortiGuard Labs has uncovered a sophisticated and stealthy malware campaign delivering the Coyote Banking Trojan, primarily targeting financial institutions and users in Brazil.
This advanced multi-stage attack leverages malicious LNK files to initiate the infection chain, culminating in a fully functional banking Trojan that can steal sensitive user data from over 70 financial applications and websites.
The malware exhibits capabilities such as keylogging, phishing overlay displays, and system manipulation, making it a serious threat to financial cybersecurity.
LNK Files as Attack Vectors
The initial stage of the attack involves specially crafted LNK files.
These files execute embedded PowerShell commands to connect to remote servers, triggering the download of additional malicious scripts.
The PowerShell commands, embedded with encoded data, decode and deploy shellcode that advances the infection to the next stage.
Telemetry analysis by FortiGuard Labs revealed that unique identifiers within the LNK files, such as Machine IDs and MAC addresses, were used to trace connections with other infected systems.
The LNK files communicate with Command and Control (C2) servers by sending system metadata, including machine names, usernames, and antivirus software information, in a Base64-encoded and reversed format.
Reversing the Base64 string makes the transmitted data look inconspicuous and less likely to be flagged by standard security measures.
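As an added example (not code from the article or from FortiGuard Labs), the following Python shows how a defender can recover metadata from a beacon that has been Base64-encoded and reversed. The article does not say which of the two operations is applied first, so the decoder tries both orderings and keeps the one that yields printable text; the pipe-delimited metadata layout, the field values and the captured request lines are all constructed for this example.

```python
import base64
import binascii
import re
from typing import List, Optional, Tuple

# Constructed sample of the kind of system metadata the article says the LNK
# stage sends to its C2 (machine name, username, antivirus product). The
# pipe-delimited layout is an assumption made for this example.
SAMPLE_METADATA = "WORKSTATION-01|jdoe|Windows Defender"

# Runs of Base64-alphabet characters long enough to be a beacon payload.
B64_RUN = re.compile(r"[A-Za-z0-9+/=]{16,}")


def encode_reversed_base64(text: str) -> str:
    """Base64-encode, then reverse the string (this ordering is an assumption)."""
    return base64.b64encode(text.encode("utf-8")).decode("ascii")[::-1]


def decode_reversed_base64(blob: str) -> Optional[str]:
    """Undo reversed Base64 whichever way it was applied.

    Returns the decoded text when one ordering yields printable UTF-8,
    otherwise None. A plain Base64 decoder rejects the reversed form because
    any '=' padding sits at the front, which is also why simple inspection
    rules miss it.
    """
    candidates = []
    # Ordering 1: sender encoded then reversed -> reverse first, then decode.
    try:
        candidates.append(base64.b64decode(blob[::-1], validate=True).decode("utf-8"))
    except (binascii.Error, UnicodeDecodeError):
        pass
    # Ordering 2: sender reversed then encoded -> decode first, then reverse.
    try:
        candidates.append(base64.b64decode(blob, validate=True).decode("utf-8")[::-1])
    except (binascii.Error, UnicodeDecodeError):
        pass
    for text in candidates:
        if text and text.isprintable():
            return text
    return None


def find_beacons(lines: List[str]) -> List[Tuple[int, str]]:
    """Scan captured request lines and return (line_no, decoded_text) for
    every Base64-looking run that decodes to printable text."""
    hits = []
    for no, line in enumerate(lines, start=1):
        for match in B64_RUN.finditer(line):
            decoded = decode_reversed_base64(match.group(0))
            if decoded is not None:
                hits.append((no, decoded))
    return hits


# Constructed capture: one beacon among ordinary requests.
CAPTURE = [
    "GET /index.html HTTP/1.1",
    'POST /gate HTTP/1.1 {"data":"' + encode_reversed_base64(SAMPLE_METADATA) + '"}',
    'POST /api/ping HTTP/1.1 {"status":"ok"}',
]

if __name__ == "__main__":
    for no, text in find_beacons(CAPTURE):
        print(f"line {no}: {text}")
```

Running the block prints the decoded machine name, username and antivirus product from line 2 of the constructed capture; the other lines contain no run that decodes to printable text under either ordering.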
Multi-Stage Infection Process
The next stage involves a dynamic-link library (DLL) that acts as a loader, injecting malicious code into another process with Windows API calls such as VirtualAllocEx and CreateRemoteThread.
This payload decrypts and executes Microsoft Intermediate Language (MSIL) files encapsulated in previous payloads.
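Injection via VirtualAllocEx and CreateRemoteThread leaves a characteristic trace: a cross-process thread whose start address is not backed by any loaded module. The following Python, added here as an example and not part of the article or any Fortinet product, triages Sysmon Event ID 8 (CreateRemoteThread) records with that heuristic plus two cheap ones about the source process. The event records, file paths and process names are constructed for the example; the allowlists and heuristics are assumptions a defender would tune to their own environment.

```python
import re
from typing import Dict, List, Union

Event = Dict[str, Union[int, str]]

# Script and DLL host binaries that rarely have a legitimate reason to create
# threads in other processes (assumed list for this example).
LOLBIN_HOSTS = {"rundll32.exe", "regsvr32.exe", "mshta.exe",
                "wscript.exe", "cscript.exe", "powershell.exe"}

# Paths a standard user can write to; signed system components do not live here.
USER_WRITABLE = re.compile(r"\\(Users\\[^\\]+\\AppData|Temp|ProgramData|Users\\Public)\\", re.I)


def triage_remote_thread(event: Event) -> List[str]:
    """Return the reasons a Sysmon Event ID 8 record deserves analyst attention.
    An empty list means the event looks benign on these heuristics alone."""
    if event.get("EventID") != 8:
        return []
    reasons = []
    source = str(event.get("SourceImage", ""))
    source_name = source.rsplit("\\", 1)[-1].lower()
    if source_name in LOLBIN_HOSTS:
        reasons.append(f"source is a script/DLL host ({source_name})")
    if USER_WRITABLE.search(source):
        reasons.append("source binary lives in a user-writable path")
    # VirtualAllocEx + CreateRemoteThread starts the thread in freshly allocated
    # memory, so Sysmon cannot resolve a backing module for StartAddress.
    if not event.get("StartModule"):
        reasons.append("thread start address is not backed by a loaded module")
    return reasons


def triage_events(events: List[Event]) -> List[Event]:
    """Filter a batch of Sysmon records down to the CreateRemoteThread events worth a look."""
    return [e for e in events if triage_remote_thread(e)]


# Constructed Sysmon-style records for the example.
SAMPLE_EVENTS: List[Event] = [
    {   # benign: a security agent starting a thread inside its own hook DLL
        "EventID": 8,
        "SourceImage": r"C:\Program Files\ExampleAV\agent.exe",
        "TargetImage": r"C:\Windows\System32\svchost.exe",
        "StartModule": r"C:\Program Files\ExampleAV\hook.dll",
        "StartFunction": "HookInit",
    },
    {   # suspicious: rundll32 (hosting an unknown DLL) starts an unbacked thread in explorer
        "EventID": 8,
        "SourceImage": r"C:\Windows\System32\rundll32.exe",
        "TargetImage": r"C:\Windows\explorer.exe",
        "StartModule": "",
        "StartFunction": "",
    },
    {   # suspicious: binary dropped under AppData injects into a browser
        "EventID": 8,
        "SourceImage": r"C:\Users\jdoe\AppData\Roaming\update.exe",
        "TargetImage": r"C:\Program Files\Browser\browser.exe",
        "StartModule": "",
        "StartFunction": "",
    },
    {   # a different event type, ignored by the triage
        "EventID": 1,
        "Image": r"C:\Windows\System32\notepad.exe",
    },
]

if __name__ == "__main__":
    for event in triage_events(SAMPLE_EVENTS):
        print(event["SourceImage"], "->", event["TargetImage"])
        for reason in triage_remote_thread(event):
            print("   ", reason)
```

The empty StartModule check is the one most tightly coupled to the technique the article describes; the host-binary and path checks are generic hygiene that cut down the volume of benign agent and driver activity before an analyst looks at the rest.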
The Trojan achieves persistence by modifying Windows registry keys, embedding randomized PowerShell commands for ongoing malicious activity.
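Persistence planted as PowerShell commands in registry autostart values can be reviewed offline from a registry export or an EDR inventory. The following Python is an added example, not code from the article or from Fortinet: it flags autostart entries that launch PowerShell together with at least one obfuscation trait (encoded command, hidden window, profile skipped, inline decoding). The registry paths are the well-known Run keys, not keys the article attributes to Coyote; the entries, value names and the harmless encoded Start-Sleep command are constructed for the example.

```python
import base64
import re
from typing import List, Tuple

# Autostart locations commonly abused for persistence (well-known registry
# paths; the article does not name which keys the Trojan modifies).
RUN_KEYS = (
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
)

# Traits of an obfuscated PowerShell launcher planted in an autostart value.
INDICATORS = (
    (re.compile(r"\bpowershell(\.exe)?\b", re.I), "launches PowerShell"),
    (re.compile(r"(^|\s)-(e|ec|enc|encodedcommand)\b", re.I), "uses an encoded command"),
    (re.compile(r"(^|\s)-(w|windowstyle)\s+hidden\b", re.I), "hides its window"),
    (re.compile(r"(^|\s)-(nop|noprofile)\b", re.I), "skips the user profile"),
    (re.compile(r"FromBase64String|Invoke-Expression|\bIEX\b|DownloadString", re.I),
     "decodes or executes inline code"),
)

Entry = Tuple[str, str, str]  # (registry key, value name, value data)


def assess_run_value(data: str) -> List[str]:
    """Return the indicator labels that match one autostart value's data."""
    return [label for pattern, label in INDICATORS if pattern.search(data)]


def find_suspicious_autoruns(entries: List[Entry]) -> List[Tuple[Entry, List[str]]]:
    """Return entries that launch PowerShell and show at least one obfuscation trait.
    A plain 'powershell -File script.ps1' is reported only if it also hides or encodes."""
    flagged = []
    for entry in entries:
        reasons = assess_run_value(entry[2])
        if "launches PowerShell" in reasons and len(reasons) >= 2:
            flagged.append((entry, reasons))
    return flagged


# Constructed encoded command: a harmless Start-Sleep, encoded the way
# 'powershell -enc' expects it (UTF-16LE, then Base64).
ENCODED_CMD = base64.b64encode("Start-Sleep -s 1".encode("utf-16le")).decode("ascii")

# Constructed autostart inventory: two ordinary entries, one obfuscated
# launcher with a random-looking value name, and one unobfuscated script.
SAMPLE_ENTRIES: List[Entry] = [
    (RUN_KEYS[0], "OneDrive",
     r'"C:\Users\jdoe\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    (RUN_KEYS[0], "xk3f9qz2",
     f"powershell.exe -w hidden -nop -enc {ENCODED_CMD}"),
    (RUN_KEYS[1], "SecurityHealth",
     r"C:\Windows\system32\SecurityHealthSystray.exe"),
    (RUN_KEYS[1], "Backup",
     r'powershell.exe -File "C:\Scripts\nightly-backup.ps1"'),
]

if __name__ == "__main__":
    for (key, name, data), reasons in find_suspicious_autoruns(SAMPLE_ENTRIES):
        print(f"{key}\\{name}: {', '.join(reasons)}")
        print(f"    {data}")
```

On a live Windows host the same entries would come from the winreg module or a `reg export`; the scoring is kept separate from the collection so it can be run against exported data from many machines at once.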
Once operational, the Trojan expands its capabilities.
It monitors active windows for targeted sites, such as financial institutions, cryptocurrency platforms, and hotel booking systems. A list of over 1,000 target websites has been identified.
If a target site is detected, the malware establishes communication with C2 servers to execute high-risk commands: capturing screenshots, enabling keylogging, and displaying phishing overlays.
The Trojan also manipulates system display settings, automates navigation, and can even shut down the device when necessary.
Fortinet has classified this malware as a high-severity threat due to its extensive capabilities and precision targeting.
Security measures have been rolled out to protect users, including updates to FortiGuard Antivirus and Web Filtering services.
Organizations are advised to conduct a review of their cybersecurity frameworks and adopt proactive strategies, such as endpoint detection and response (EDR) solutions.
To mitigate risks, Fortinet emphasizes the importance of user education through its free cybersecurity training modules.
Furthermore, system administrators are urged to monitor registry and network activity for anomalies and implement advanced threat detection solutions.
The Coyote Banking Trojan demonstrates the growing sophistication of cyber threats, especially against financial systems.
By leveraging LNK files, multi-stage payloads, and continuous communication with C2 servers, the Trojan poses a significant challenge to conventional security measures.
This incident underlines an urgent need for both individuals and institutions to deploy advanced cybersecurity defenses and stay vigilant against evolving cybercriminal tactics.