InfoSecBulletin Cybersecurity for mankind
Banking Trojan developers are always finding new ways to spread malware and infect victims. Kaspersky found a new malware that targets users of over 60 banks in Brazil. It caught the attention because of its advanced infection method using various technologies, different from known banking Trojan infections.
The malware uses the Squirrel installer to spread and uses NodeJS and a newer programming language called Nim as a loader to infect systems. Kaspersky named this new Trojan “Coyote” because coyotes hunt squirrels. The Nim language is described as a “statically typed compiled systems programming language that combines successful concepts from mature languages like Python, Ada, and Modula.” The use of less popular and cross-platform languages by cybercriminals is a trend we identified in the report on Crimeware and financial cyberthreats for 2024.
CISA Warns of 3 Critical Vulnerabilities in Industrial Control Systems
By infosecbulletin
/ Monday , November 11 2024
On November 7, 2024, CISA released advisories about 3 critical security issues, vulnerabilities, and exploits related to Industrial Control Systems...
Read More
Cyberattack Disrupts Israel’s Gas and Payment Systems
By infosecbulletin
/ Monday , November 11 2024
A cyberattack on an Israeli clearing company on Sunday left some people unable to use their credit cards for shopping...
Read More
Russia blocks thousands websites using Cloudflare’s privacy service
By infosecbulletin
/ Monday , November 11 2024
Russia's media censor, Roskomnadzor, has blocked thousands of local websites using Cloudflare's encryption feature that enhances online privacy and security....
Read More
Hacker to sale Indian Gov.t email credentials
By infosecbulletin
/ Sunday , November 10 2024
Advertisement for selling the credentials of allegedly belonging to Indian government emails surfaced on the dark web marketplace. A hacker...
Read More
Cyberattacks increase 105% in third quarter of 2024 in Bangladesh
By infosecbulletin
/ Saturday , November 9 2024
Bangladesh faced a 105% rise in cyber incidents from the second to the third quarter of 2024, making it one...
Read More
Developers alert: Malicious ‘fabrice’ Package Steals AWS Credentials
By infosecbulletin
/ Friday , November 8 2024
The Socket Research Team has discovered a malicious package named "fabrice," pretending to be the legitimate fabric SSH automation library....
Read More
CISA alerts active exploitation of Palo Alto networks vuln
By infosecbulletin
/ Friday , November 8 2024
CISA has added a patched critical security flaw in Palo Alto Networks Expedition to its Known Exploited Vulnerabilities catalog due...
Read More
Critical bug in Cisco UWRB access points to run commands as root
By infosecbulletin
/ Thursday , November 7 2024
Cisco has fixed a critical vulnerability, CVE-2024-20418, that allowed unauthenticated remote attackers to gain root access on Ultra-Reliable Wireless Backhaul...
Read More
“ToxicPanda” banking trojan from Asia hit Europe and LATAM
By infosecbulletin
/ Wednesday , November 6 2024
In late October 2024, Cleafy’s Threat Intelligence team noticed a surge in a new Android malware known as TgToxic. However,...
Read More
(CVE–2023-46747)
Hacker exploit Critical F5 BIG -IP Vulnerability in Bangladesh: CIRT report
By infosecbulletin
/ Wednesday , November 6 2024
Cyber Threat Intelligence Unit of BGD e-GOV CIRT found evidence of compromise linked to the vulnerability in F5 BIG-IP systems...
Read More
Forget old Delphi and MSI:
Banking Trojans often utilize the Delphi language or MSI installers as a common method for initial infection. This is a well-known trend among malware creators in the cybersecurity community.
Coyote does things a little differently. Instead of going down the usual route with MSI installers, it opted for a relatively new tool for installing and updating Windows desktop applications: Squirrel. As the authors explain, “Squirrel uses NuGet packages to create installation and update packages, which means that you probably already know most of what you need to create an installer.”
By using this tool, Coyote hides its initial stage loader by presenting it as an update packager.
The Node.js loader script:
When Squirrel is used, it runs a NodeJS application with Electron. This application runs obfuscated JavaScript code (preload.js). Its main task is to copy all executable files from a local folder named temp to the user’s captures folder in the Videos folder. Afterward, it runs a signed application from that folder.
The team found several executables being used, such as Chrome and OBS Studio. The banker is loaded by sideloading a DLL dependency of these executables. In all cases, the libcef.dll library is used for DLL sideloading. Click here to read the full report.
Source: Securelist
