Malicious software, known as Coyote, exploits Microsoft's User Interface Automation to snoop on banking credentials.
New Variant of Coyote Banking Trojan Abuses Microsoft's UI Automation for Credential Theft
A new variant of the Coyote banking trojan has been discovered that uses Microsoft's UI Automation (UIA) framework to steal credentials tied to the web addresses of 75 Brazilian banking institutions and cryptocurrency exchanges.
The use of UIA gives the malware a new way to hunt for banking information. It begins by obtaining a handle to the currently active window, typically a web browser, with the Windows API function GetForegroundWindow().
Next, the malware compares the window's title against a hardcoded list of targeted banking and cryptocurrency exchange websites. If the title matches no target, it uses UIA to parse the window's sub-elements, such as browser tabs or address bars.
The content read from these UI elements is cross-referenced against the target list to determine whether the user is visiting any of the 75 targeted Brazilian banking or crypto exchange sites. This lets the malware stealthily determine which financial services or exchanges the victim uses without relying solely on visible window titles.
While UIA is currently used only for reconnaissance to identify targets, a proof-of-concept shows that UIA could also be leveraged to steal login credentials typed into these websites directly, by programmatically accessing input fields.
The malware sends detailed victim system information, including the computer name, user name, and the financial services in use, to its command-and-control server, which enables more targeted attacks. This represents a novel abuse of Microsoft's assistive-technology framework, UI Automation, in the wild; previously, UIA abuse had been theoretical.
Coyote periodically checks whether it is online or offline, which keeps it functional and a continuing threat. It also abuses Squirrel, a tool for installing and updating Windows desktop apps, to hide its initial loader by masquerading as an update packager.
UIA is an accessibility framework for Windows that allows assistive technology products and automated testing tools to interact with user interface elements of other applications. Akamai security researcher Tomer Peled detailed in December 2023 how attackers could abuse UIA to steal credentials and execute code.
The technique is currently focused on Brazilian targets but may be expanded further. When a user navigates to a banking site that Coyote has been scanning for and enters their credentials, the information goes to the command-and-control server, potentially leading to the account being drained. Coyote's ability to scan financial-services windows and their UI child elements, and to cross-reference them against a predefined list of web addresses, expands its capacity for stealing banking information.
The Coyote malware's use of UIA for credential theft is a significant concern for security researchers: it gives attackers a new and dangerous method for targeting financial information.
- The malware's novel use of Microsoft's UI Automation (UIA) framework for credential theft underscores the need for stronger cybersecurity measures around cryptocurrency transactions.
- As AI advances, attackers are projected to exploit UIA not just for banking information, but also to steal login credentials and execute code in other finance-related software.
- To counter the growing threat of such malware, the tech industry must bolster software security, particularly in finance and cybersecurity.
- Given the growing sophistication of banking trojans like Coyote, financial institutions and investors should be vigilant about safeguarding their cryptocurrency investments with robust security measures.