Cybersecurity experts have just warned about a new variant of the Coyote malware, which quietly abuses legitimate Windows features to collect users' financial information, especially bank login credentials and cryptocurrency wallets.
An attack from inside the system
According to a report from the cybersecurity firm Akamai, the new Coyote variant uses Microsoft's UI Automation (UIA) framework to monitor user behavior.
UIA is designed to support people with disabilities and to make assistive navigation of the operating system easier; Coyote abuses it to detect interactions with financial websites such as banks or cryptocurrency exchanges.
After being installed via the Squirrel installer (a popular tool for Windows applications), Coyote records information such as the computer name, user name, system details, and even the financial services the victim uses. This data is sent to the attacker's command-and-control server.
The "scouting" stage before taking action
The malware calls the Windows API GetForegroundWindow() to identify the active window, then compares its title against a hard-coded list of targets.
If no target matches the window title, it falls back to UI Automation to read the web address the user is visiting, a sophisticated step that lets it pinpoint exactly when the user logs into a bank or wallet.
For now this behavior is only at the "scouting" stage, but the researchers have shown that the UIA feature can be abused to steal login information directly.
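A defender-side heuristic for the reconnaissance pattern described in this section, added here as an example and not part of Akamai's report: it flags a process that loads the UI Automation client library (UIAutomationCore.dll) and repeatedly calls GetForegroundWindow unless it is a known accessibility tool. The telemetry schema, paths, PIDs, threshold and allowlist are constructed assumptions.

```python
"""Heuristic for the reconnaissance pattern described above: a process that
loads the UI Automation client library and polls the foreground window.
Telemetry schema is a constructed simplification, not any real sensor's."""
from collections import Counter

UIA_DLL = "uiautomationcore.dll"  # real client-side UIA library name
# Assumed allowlist of legitimate UIA clients (screen readers, magnifiers).
ALLOWED_UIA_CLIENTS = {"narrator.exe", "magnify.exe"}
POLL_THRESHOLD = 20  # GetForegroundWindow calls per process before flagging

def poll_events(pid, image, n):
    """Constructed events: n foreground-window polls by one process."""
    return [{"pid": pid, "image": image, "type": "api_call",
             "api": "GetForegroundWindow"} for _ in range(n)]

def load_event(pid, image, module):
    """Constructed event: process loads a DLL."""
    return [{"pid": pid, "image": image, "type": "image_load", "module": module}]

# Constructed sample telemetry (paths and PIDs are made up).
NARRATOR = r"C:\Windows\System32\narrator.exe"
UNKNOWN = r"C:\Users\alice\AppData\Local\ExampleApp\app-1.0\ExampleApp.exe"
BROWSER = r"C:\Program Files\Browser\browser.exe"
SAMPLE_EVENTS = (load_event(4120, NARRATOR, "UIAutomationCore.dll")
                 + poll_events(4120, NARRATOR, 30)   # allowlisted screen reader
                 + load_event(5588, UNKNOWN, "UIAutomationCore.dll")
                 + poll_events(5588, UNKNOWN, 45)    # unknown app doing the same
                 + poll_events(7001, BROWSER, 3))    # polls but never loads UIA

def analyze(events, poll_threshold=POLL_THRESHOLD):
    """One finding per non-allowlisted process that loaded the UIA library
    and polled the foreground window at least poll_threshold times."""
    polls, uia_loaders, images = Counter(), set(), {}
    for ev in events:
        pid = ev["pid"]
        images[pid] = ev["image"]
        if ev["type"] == "api_call" and ev["api"] == "GetForegroundWindow":
            polls[pid] += 1
        elif ev["type"] == "image_load" and ev["module"].lower() == UIA_DLL:
            uia_loaders.add(pid)
    findings = []
    for pid in sorted(uia_loaders):
        exe = images[pid].rsplit("\\", 1)[-1].lower()
        if exe not in ALLOWED_UIA_CLIENTS and polls[pid] >= poll_threshold:
            findings.append({"pid": pid, "image": images[pid],
                             "foreground_polls": polls[pid]})
    return findings
```

Running `analyze(SAMPLE_EVENTS)` reports only the unknown application; the screen reader is allowlisted and the browser never loads the UIA library.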
Risk of global spread
According to Akamai, the Coyote malware is currently focused on users in Brazil, a common strategy in which attackers test effectiveness before expanding to other markets, including Asia and Europe.
Shortly before that, experts also discovered LameHug, reported as the first malware to use AI and distributed via malicious ZIP files. This shows that cyber threats are becoming more sophisticated and creative, forcing users and organizations to raise their vigilance.
Recommendation
Windows users should be careful when installing applications from unknown sources and should run regularly updated antivirus software. Financial institutions are also advised to strengthen monitoring for unusual user behavior on their online platforms.