- The Coyote banking trojan is now abusing Microsoft's UI Automation framework
- The framework lets it detect when a victim opens a banking site in the browser
- It cross-references browser content against a hardcoded list of banking and cryptocurrency applications
Coyote, a known malware strain capable of attacking dozens of cryptocurrency and banking applications, has been upgraded to identify crypto exchange and bank account pages open in the victim's web browser, experts have warned.
Cybersecurity researchers at Akamai, who have been warning about Coyote since December 2024, note that earlier iterations logged keystrokes or displayed phishing overlays in order to exfiltrate login credentials for 75 banking and cryptocurrency exchange applications. If a user opened those accounts in a browser instead, however, Coyote was not triggered.
This new variant abuses Microsoft's UI Automation framework to identify the banking and crypto exchange sites the victim also has open in their browser.
Brazilians in the crosshairs
Microsoft's UI Automation framework (UIA) is an accessibility system that helps software interact with Windows applications.
It is particularly useful for things like screen readers and automated testing, because it lets programs "see" the buttons, menus and other parts of an application, and even click or read them.
According to Akamai, Coyote can now use UIA to read the web address shown in the browser's tabs or address bar, then compare the result against a hardcoded list of 75 targets. If it finds a match, it uses UIA to parse the child elements of the user interface, looking for whatever tabs or address bars are present.
"The content of these UI elements will then be cross-referenced with the same address list from the first comparison," they explained.
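To make the mechanism concrete, here is an added example (not Coyote's code and not Akamai's) that walks the UI Automation tree from Windows PowerShell 5.1 in the two stages the article describes: it reads each top-level window's title, then descends into that window's child elements for tab items and edit controls (the address bar), and matches every string it collects against a watchlist. The watchlist below is constructed for illustration; Akamai's 75-entry list is not reproduced on this page.

```powershell
# Added example: enumerate browser windows via UI Automation and match their tab
# and address-bar text against a watchlist. Demonstrates the API the article
# describes; it is not Coyote's or Akamai's code. Needs Windows PowerShell 5.1.
Add-Type -AssemblyName UIAutomationClient
Add-Type -AssemblyName UIAutomationTypes

# Constructed watchlist for illustration only (assumption, not Akamai's real list).
$Watchlist = @('bb.com.br', 'bradesco.com.br', 'santander.com.br', 'binance.com')

$AE   = [System.Windows.Automation.AutomationElement]
$Root = $AE::RootElement

function New-ControlTypeCondition($type) {
    New-Object System.Windows.Automation.PropertyCondition($AE::ControlTypeProperty, $type)
}

$windowCond = New-ControlTypeCondition ([System.Windows.Automation.ControlType]::Window)
$editCond   = New-ControlTypeCondition ([System.Windows.Automation.ControlType]::Edit)
$tabCond    = New-ControlTypeCondition ([System.Windows.Automation.ControlType]::TabItem)

function Get-ElementText($el) {
    # Edit controls (address bars) expose their text through ValuePattern;
    # tab items only expose a Name, which browsers set to the page title.
    $pattern = $null
    if ($el.TryGetCurrentPattern([System.Windows.Automation.ValuePattern]::Pattern, [ref]$pattern)) {
        return ([System.Windows.Automation.ValuePattern]$pattern).Current.Value
    }
    return $el.Current.Name
}

foreach ($win in $Root.FindAll([System.Windows.Automation.TreeScope]::Children, $windowCond)) {
    # First comparison: the window title alone (browsers put the page title there).
    $texts = @($win.Current.Name)

    # Second pass: descend into the window's child elements for tabs and address bars.
    foreach ($cond in @($tabCond, $editCond)) {
        foreach ($el in $win.FindAll([System.Windows.Automation.TreeScope]::Descendants, $cond)) {
            $t = Get-ElementText $el
            if ($t) { $texts += $t }
        }
    }

    # Both passes are checked against the same list, as in the article.
    foreach ($t in $texts) {
        foreach ($target in $Watchlist) {
            if ($t -like "*$target*") {
                '[PID {0}] "{1}" matched watchlist entry {2}' -f $win.Current.ProcessId, $t, $target
            }
        }
    }
}
```

Two practical notes: a Descendants search over every window is slow, which is one reason the article's staged approach (title first, then child elements) makes sense, and Chromium-based browsers only populate their accessibility tree once a UIA client starts querying it. Because this is exactly what a screen reader or test harness does, UIA calls by themselves are not a useful detection signal; what distinguishes the malware is an unexpected process doing this while holding a list of bank and exchange domains.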
Akamai says Coyote mainly targets Brazilian users. The banks it typically goes after include Banco Do Brasil, Caixabank, Banco Bradesco, Santander, Original Bank, Sicredi, Banco Do Nordeste and Expanse Apps, along with various crypto exchanges (Binance, Electrum, Bitcoin, Foxbit, and more).
The researchers first warned about UIA being abused for credential theft late last year, and their prediction now appears to have come true, as Coyote is apparently the first malware to use this tactic in the wild.
Via BleepingComputer