Saturday , July 27 2024
fox

Kaspersky report
New “Coyote” Trojan Targets 61 Brazilian Banks

infosecbulletin Friday , February 9 2024 International

Banking Trojan developers are always finding new ways to spread malware and infect victims. Kaspersky found a new malware that targets users of over 60 banks in Brazil. It caught the attention because of its advanced infection method using various technologies, different from known banking Trojan infections.

The malware uses the Squirrel installer to spread and uses NodeJS and a newer programming language called Nim as a loader to infect systems. Kaspersky named this new Trojan “Coyote” because coyotes hunt squirrels. The Nim language is described as a “statically typed compiled systems programming language that combines successful concepts from mature languages like Python, Ada, and Modula.” The use of less popular and cross-platform languages by cybercriminals is a trend we identified in the report on Crimeware and financial cyberthreats for 2024.

Malware Attacks Increase 30% in First Half of 2024

By infosecbulletin / Saturday , July 27 2024
Malware based threats increased by 30% in the first half of 2024 compared to the same period in 2023, according...
Read More
Malware Attacks Increase 30% in First Half of 2024

New DNS Vulnerability “TuDoor” Threatens Internet Security

By infosecbulletin / Friday , July 26 2024
A new critical vulnerability in the Domain Name System (DNS) has been found. This vulnerability allows a specialized attack called...
Read More
New DNS Vulnerability “TuDoor” Threatens Internet Security

Acronis Urged Users to Patch Vulnerability

By infosecbulletin / Friday , July 26 2024
A serious vulnerability, CVE-2023-45249 (CVSS 9.8), has been found in Acronis Cyber Infrastructure (ACI), a widely used software-defined infrastructure solution...
Read More
Acronis Urged Users to Patch Vulnerability

OpenAI to test search engine called SearchGPT

By infosecbulletin / Friday , July 26 2024
OpenAI is testing a new search engine "SearchGPT" using generative artificial intelligence to challenge Google's dominance in the online search...
Read More
OpenAI to test search engine called SearchGPT

CISA Unveils advisories for Two Industrial Control Systems

By infosecbulletin / Thursday , July 25 2024
CISA released two advisories about security issues for Industrial Control Systems (ICS) on July 25, 2024. These advisories offer important...
Read More
CISA Unveils advisories for Two Industrial Control Systems

Researchers unveil ConfusedFunction Vulnerability in Google Cloud Platform

By infosecbulletin / Thursday , July 25 2024
Tenable security researchers found a vulnerability in Google Cloud Platform's Cloud Functions service that could allow an attacker to access...
Read More
Researchers unveil ConfusedFunction Vulnerability in Google Cloud Platform

BD CIRT published advisory on Web Application and Database Security

By infosecbulletin / Thursday , July 25 2024
BDG e-GOV CIRT's Cyber Threat Intelligence Unit has noticed a concerning increase in cyber-attacks against web applications and database servers...
Read More
BD CIRT published advisory on Web Application and Database Security

GitLab fixed six security flaws and recommends updating shortly

By infosecbulletin / Thursday , July 25 2024
GitLab released a security update today to fix six vulnerabilities in its software. Although none of the flaws are critical,...
Read More
GitLab fixed six security flaws and recommends updating shortly

Researchers Unveil Massive Quad7 Botnet Targeting Microsoft 365

By infosecbulletin / Thursday , July 25 2024
Sekoia.io and Intrinsec analyzed the Quad7 (7777) botnet, which uses TCP port 7777 on infected routers to carry out brute-force...
Read More
Researchers Unveil Massive Quad7 Botnet Targeting Microsoft 365

Threat Actor announce new DDoS Panel “Cliver”

By infosecbulletin / Wednesday , July 24 2024
A threat actor has announced a new DDoS tool called Cliver, which offers strong attack methods for disrupting web services,...
Read More
Threat Actor announce new DDoS Panel “Cliver”
Forget old Delphi and MSI:
Banking Trojans often utilize the Delphi language or MSI installers as a common method for initial infection. This is a well-known trend among malware creators in the cybersecurity community.
Coyote does things a little differently. Instead of going down the usual route with MSI installers, it opted for a relatively new tool for installing and updating Windows desktop applications: Squirrel. As the authors explain, “Squirrel uses NuGet packages to create installation and update packages, which means that you probably already know most of what you need to create an installer.”
              Source: Securelist

By using this tool, Coyote hides its initial stage loader by presenting it as an update packager.

Source: Securelist
The Node.js loader script:
When Squirrel is used, it runs a NodeJS application with Electron. This application runs obfuscated JavaScript code (preload.js). Its main task is to copy all executable files from a local folder named temp to the user’s captures folder in the Videos folder. Afterward, it runs a signed application from that folder.
   Source: Securelist
The team found several executables being used, such as Chrome and OBS Studio. The banker is loaded by sideloading a DLL dependency of these executables. In all cases, the libcef.dll library is used for DLL sideloading. Click here to read the full report.
Source: Securelist

Check Also

kaspersky

Kaspersky offers free security software for six months

Kaspersky is offering free security products and safety tips for six months to consumers in …

Leave a Reply

Your email address will not be published. Required fields are marked *

Mail: [email protected]
© Copyright 2024, All Rights Reserved InfoSecBulletin