Cybersecurity experts at FortiGuard Labs have identified a series of malicious Windows Shortcut (LNK) files that serve as the initial infection vector for the Coyote Banking Trojan. This sophisticated malware is designed to steal sensitive financial information, primarily targeting online banking users in Brazil. The Coyote Trojan is a clear indication that cybercriminals are continuously evolving their tactics to bypass security measures and compromise banking institutions.
How Does Coyote Banking Trojan Work?
The Coyote Trojan follows a multi-stage infection process, making it particularly stealthy and difficult to detect. Below is a breakdown of its operation:
- Execution of Malicious LNK File:
The attack begins when a user unknowingly executes a Windows LNK shortcut file, which contains PowerShell commands designed to download the next stage of the malware. - PowerShell Commands Retrieve Malware:
The PowerShell script connects to a remote attacker-controlled server, retrieving an additional malicious PowerShell script. - Deployment of a Malware Loader:
The second-stage script downloads a loader that executes the primary malware payload. This ensures that Coyote gains a foothold on the infected system. - Use of Donut to Evade Detection:
The malware utilizes Donut, a well-known tool used to decrypt and execute Microsoft Intermediate Language (MSIL) payloads. This step allows the Trojan to execute its malicious code in an obfuscated manner. - Modification of Windows Registry for Persistence:
To ensure that the malware remains active even after a system restart, it modifies the Windows registry settings to maintain persistence. - Stealing User Credentials and Financial Data:
Once installed, Coyote performs a variety of malicious activities, including:- Logging keystrokes to capture usernames, passwords, and banking details.
- Taking screenshots of the victim’s screen.
- Displaying phishing overlays on legitimate banking websites.
- Manipulating system display settings to deceive the victim.
- Communication with Command-and-Control Server:
The Trojan connects to its Command-and-Control (C2) server, sending stolen data and receiving further instructions. - Avoiding Detection:
Coyote actively checks whether it is running in a virtual or sandboxed environment, preventing cybersecurity researchers from analyzing its behavior.
Summary of the Coyote Banking Trojan
The following table summarizes key details of the Coyote Banking Trojan:
| Attribute | Details |
|---|---|
| Threat Type | Banking Trojan, Financial Malware |
| Detection Names | Trojan:Win32/Coyote.A, HEUR:Trojan-Banker.Win32.Coyote, Trojan:MSIL/Coyote.B |
| Symptoms of Infection | Slow computer performance, suspicious PowerShell activity, missing funds from online banking accounts, unauthorized transactions, phishing overlays on banking websites |
| Damage | Theft of banking credentials, unauthorized financial transactions, identity theft, possible financial ruin |
| Distribution Methods | Malicious Windows LNK files, email phishing campaigns, compromised websites, infected downloads |
| Danger Level | High – sophisticated attack targeting financial institutions |
Download SpyHunter Now & Scan Your Computer For Free!
Remove this and any other malicious threats to your system by scanning your computer with SpyHunter now! It’s FREE!
Coyote Banking Trojan’s Target List
Initially, Coyote targeted around 70 financial applications, but its scope has expanded to over 1,000 websites and 73 financial institutions. Some of the key targets include:
Brazilian Financial Platforms
- mercadobitcoin.com.br
- bitcointrade.com.br
- foxbit.com.br
Hospitality-Related Websites
- augustoshotel.com.br
- blumenhotelboutique.com.br
- fallshotel.com.br
When a victim accesses one of these targeted sites, the malware contacts a remote server, which then instructs the Trojan to:
- Log keystrokes
- Capture screenshots
- Display phishing overlays
- Steal login credentials
The rapid expansion of Coyote’s target list suggests that cybercriminals are actively developing the Trojan, making it a persistent and evolving threat.
How to Remove Coyote Banking Trojan?
Download SpyHunter Now & Scan Your Computer For Free!
Remove this and any other malicious threats to your system by scanning your computer with SpyHunter now! It’s FREE!
If you suspect that your system is infected with Coyote, immediate action is required to minimize damage.
Step 1: Disconnect from the Internet
- Disable your Wi-Fi or unplug your Ethernet cable to prevent further communication with the attacker’s server.
Step 2: Boot into Safe Mode
- Restart your computer and press F8 or Shift + F8 before Windows boots.
- Select Safe Mode with Networking to load only essential services.
Step 3: Use SpyHunter to Remove the Malware
SpyHunter is an advanced anti-malware tool that can detect and remove the Coyote Banking Trojan.
- Download SpyHunter.
- Install the program and run a full system scan.
- Allow SpyHunter to identify and remove all malicious files and registry entries.
- Restart your computer and re-scan your system to ensure complete removal.
Step 4: Restore System Integrity
- Open Windows Registry Editor (
regedit) and check for suspicious modifications. - Navigate to Task Scheduler (
taskschd.msc) and remove unknown scheduled tasks. - Run Windows Defender Offline Scan for an additional layer of security.
Preventive Measures: How to Avoid Future Infections
To protect yourself from banking Trojans like Coyote, follow these security best practices:
1. Be Cautious with Email Attachments
- Avoid clicking on unknown links or downloading attachments from suspicious emails.
- Cybercriminals disguise malware as legitimate files, making email phishing a common infection method.
2. Disable Windows LNK File Execution
- Since Coyote spreads via LNK shortcut files, disabling their execution can significantly reduce risk.
- Open Group Policy Editor (
gpedit.msc) and navigate to:User Configuration > Administrative Templates > Windows Components > File Explorer - Enable “Turn off shortcut (.lnk) file tracking”.
3. Use Strong Security Software
- Install SpyHunter or a reputable anti-malware solution to detect and remove threats in real time.
- Keep Windows Defender enabled and updated.
4. Keep Your Software Updated
- Update Windows, browsers, and security software regularly to fix vulnerabilities that malware exploits.
5. Enable Two-Factor Authentication (2FA)
- If a cybercriminal steals your banking credentials, 2FA provides an extra security layer to prevent unauthorized access.
6. Monitor Your Bank Statements Regularly
- If you notice unauthorized transactions, contact your bank immediately.
Conclusion
The Coyote Banking Trojan is a serious cybersecurity threat that has expanded its reach, targeting both financial institutions and unsuspecting users. Its stealthy infection process, ability to evade detection, and advanced data-stealing capabilities make it a significant danger.
By following best security practices and using SpyHunter for malware removal, users can effectively detect, remove, and prevent Coyote Trojan infections. Awareness and proactive security measures remain key to staying safe in the ever-evolving world of cyber threats.
Download SpyHunter Now & Scan Your Computer For Free!
Remove this and any other malicious threats to your system by scanning your computer with SpyHunter now! It’s FREE!
