
Coyote Trojan First to Use Microsoft UI Automation in Bank Attacks

By Admin
July 22, 2025


A new version of the Coyote banking trojan has been spotted, and what’s notable about it isn’t just who it’s targeting, but how it’s going about it. Cybersecurity researchers at Akamai have confirmed that this variant is the first malware seen actively using Microsoft’s UI Automation (UIA) framework to extract banking credentials. It’s a technique that had only been a conceptual risk a few months ago.

Back in December 2024, Akamai warned that Microsoft’s UIA, which helps assistive technologies interact with software, could be misused by threat actors. Until now, that concern remained a proof-of-concept. Things changed when Akamai observed Coyote using UIA in attacks targeting Brazilian users, aiming to extract sensitive information from browser windows tied to banks and cryptocurrency platforms.

This shows that the Coyote trojan is changing the way it operates, making it harder to detect and stop. The malware, first detected in February 2024, is known for phishing overlays and keylogging aimed at Latin American financial targets. But what makes this variant different is its use of UIA to bypass detection tools like endpoint detection and response software.

Instead of relying on typical APIs to check which banking site a victim is visiting, Coyote now uses UI Automation. When the active window title doesn’t match any of the malware’s preloaded banking or crypto site addresses, it changes its tactics and uses a UIA COM object to start crawling through the sub-elements of the active window, searching for telltale signs of financial activity.

Akamai’s blog post, shared with Hackread.com ahead of publishing on Tuesday, found that Coyote’s hardcoded list includes 75 financial institutions and crypto exchanges. What’s worse, these aren’t just names or URLs. The malware maps them to internal categories, allowing it to prioritise or customise its credential-stuffing attempts. This approach not only increases its chances of hitting the target but also makes it more flexible across browsers and applications.

Normally, an attacker would need detailed knowledge of a specific application’s design. UIA simplifies that process. With this framework, malware can scan the UI of another app, extract content from fields like address bars or input boxes, and use that information to customise attacks or steal login data.

The Coyote trojan doesn’t stop at identifying banks. It also sends system details back to its command-and-control infrastructure, including the computer name, username, and browser data. If offline, it still performs many of these checks locally, making it harder to catch through network traffic alone.

According to researchers, the bigger concern here is how UIA could open up new attack paths. Akamai demonstrated this by showing how attackers could not just scrape data but also manipulate UI elements. One proof of concept shows the malware altering a browser’s address bar, then simulating a click to quietly redirect the user to a phishing site, all while looking legitimate on screen.

Figure: Akamai’s PoC (GIF)

On the defensive side, there are ways to catch this kind of abuse. Akamai recommends monitoring for the loading of UIAutomationCore.dll into unfamiliar processes. They also provide osquery commands to flag processes that interact with UIA-related named pipes. These are early warning signs that an attacker may be snooping on the user interface.
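
One way to apply the first recommendation, as an added example (not Akamai’s queries and not code from the original article): a triage pass over image-load telemetry that flags processes outside a baseline loading UIAutomationCore.dll. The event records are constructed and use Sysmon Event ID 7 field names; the baseline allowlist and the user-writable directory hints are assumptions to replace with your own.

```python
import ntpath

UIA_DLL = "uiautomationcore.dll"

# Assumed baseline (hypothetical; build yours from observed telemetry). Full paths,
# so a look-alike name in a user-writable directory does not inherit trust.
BASELINE = {
    r"c:\windows\explorer.exe",
    r"c:\windows\system32\narrator.exe",
    r"c:\program files\google\chrome\application\chrome.exe",
}
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\windows\\temp\\")

def norm(path):
    """Windows paths are case-insensitive; normalise before comparing."""
    return ntpath.normpath(path.strip().strip('"')).lower()

def triage(events, baseline=BASELINE):
    """Return one finding per unfamiliar process that loaded UIAutomationCore.dll."""
    findings = {}
    for ev in events:
        # Match on the DLL's basename, not a substring of the whole path.
        if ntpath.basename(norm(ev["ImageLoaded"])) != UIA_DLL:
            continue
        image = norm(ev["Image"])
        if image in baseline:
            continue
        severity = "high" if any(d in image for d in USER_WRITABLE) else "review"
        findings.setdefault((ev["ProcessId"], image), severity)  # de-duplicate
    return [{"pid": pid, "image": img, "severity": sev}
            for (pid, img), sev in sorted(findings.items())]

# Constructed sample records using Sysmon Event ID 7 (ImageLoad) field names.
SAMPLE = [
    {"ProcessId": 4120, "Image": r"C:\Windows\Explorer.EXE",
     "ImageLoaded": r"C:\Windows\System32\UIAutomationCore.dll"},
    {"ProcessId": 7788, "Image": r"C:\Users\ana\AppData\Roaming\upd\helper.exe",
     "ImageLoaded": r"C:\Windows\System32\UIAutomationCore.dll"},
    {"ProcessId": 7788, "Image": r"C:\Users\ana\AppData\Roaming\upd\helper.exe",
     "ImageLoaded": r"C:\Windows\System32\UIAutomationCore.DLL"},
    {"ProcessId": 5300, "Image": r"C:\Program Files\Vendor\tool.exe",
     "ImageLoaded": r"C:\Windows\SysWOW64\uiautomationcore.dll"},
    {"ProcessId": 6100, "Image": r"C:\Program Files\Vendor\tool.exe",
     "ImageLoaded": r"C:\Windows\System32\user32.dll"},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

Many legitimate applications load this DLL, so the value of the check comes from the quality of the baseline rather than from the DLL name alone.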

Akamai’s threat hunting service has already started scanning environments for such anomalies. According to their report, customers were alerted when suspicious UIA activity was detected.


