Tuesday , February 27 2024
fox

Kaspersky report
New “Coyote” Trojan Targets 61 Brazilian Banks

Banking Trojan developers are always finding new ways to spread malware and infect victims. Kaspersky found a new malware that targets users of over 60 banks in Brazil. It caught the attention because of its advanced infection method using various technologies, different from known banking Trojan infections.

The malware uses the Squirrel installer to spread and uses NodeJS and a newer programming language called Nim as a loader to infect systems. Kaspersky named this new Trojan “Coyote” because coyotes hunt squirrels. The Nim language is described as a “statically typed compiled systems programming language that combines successful concepts from mature languages like Python, Ada, and Modula.” The use of less popular and cross-platform languages by cybercriminals is a trend we identified in the report on Crimeware and financial cyberthreats for 2024.

CISA Issues Alert on APT29’s Cloud Infiltration Tactics

CISA and the UK's NCSC released a joint advisory about new tactics of Russian Foreign Intelligence Service (SVR) cyber actors....
Read More
CISA Issues Alert on APT29’s Cloud Infiltration Tactics

Bangladesh to form ‘Cyber Police Unit’: PM Sheikh Hasina

The Prime Minister of Bangladesh Sheikh Hasina has announced to form ‘Cyber Police Unit’, a separate unit to combat cyber...
Read More
Bangladesh to form ‘Cyber Police Unit’: PM Sheikh Hasina

Alert – Critical SQLi Vulnerability Threatens 200K+ Websites

A critical security vulnerability has been revealed in the widely used WordPress plugin called Ultimate Member, which is installed on...
Read More
Alert – Critical SQLi Vulnerability Threatens 200K+ Websites

Chainalysis Report
$100 million in crypto payments to Myanmar scam syndicate

Investigators found that two cryptocurrency addresses linked to a company in Myanmar received nearly $100 million in deposits in less...
Read More
Chainalysis Report  $100 million in crypto payments to Myanmar scam syndicate

Microsoft released PyRIT, A Tool For Generative AI Systems

Microsoft has released a new open automation framework called PyRIT (Python Risk Identification Toolkit). It helps security professionals and machine...
Read More
Microsoft released PyRIT, A Tool For Generative AI Systems

NCSA organized a seminar on ‘Safe Internet Usage’ in Rangpur

The National Cyber Security Agency  (NCSA) rganized a seminar on 'Safe Internet Usage' at Rangpur District Shilpakala Academy Auditorium. Over...
Read More
NCSA organized a seminar on ‘Safe Internet Usage’ in Rangpur

LockBit new .onion address
LockBit returns; new five victims disclosed

LockBit restarted their ransomware operation on a new infrastructure after law enforcement disrupted their servers. Now, they threat to target...
Read More
LockBit new .onion address  LockBit returns; new five victims disclosed

Cyberattack halts Malawi Immigration Dept. Passport Services

The government of Malawi has stopped giving out passports after a cyber-attack on the immigration service's computer network. President Chakwera...
Read More
Cyberattack halts Malawi Immigration Dept. Passport Services

LockBit Reestablishes Dark Web Leak Site: Report

The LockBit ransomware group reactivated a hidden website on the dark web. They posted a long message written by their...
Read More
LockBit Reestablishes Dark Web Leak Site: Report

0/1 click Facebook account takeover; Nepalis talent rewarded

eta ranked Nepal's cyber security researcher Samip Aryal first in the White Hack (Hall of Fame) for finding a vulnerability...
Read More
0/1 click Facebook account takeover; Nepalis talent rewarded
Forget old Delphi and MSI:
Banking Trojans often utilize the Delphi language or MSI installers as a common method for initial infection. This is a well-known trend among malware creators in the cybersecurity community.
Coyote does things a little differently. Instead of going down the usual route with MSI installers, it opted for a relatively new tool for installing and updating Windows desktop applications: Squirrel. As the authors explain, “Squirrel uses NuGet packages to create installation and update packages, which means that you probably already know most of what you need to create an installer.”
              Source: Securelist

By using this tool, Coyote hides its initial stage loader by presenting it as an update packager.

Source: Securelist
The Node.js loader script:
When Squirrel is used, it runs a NodeJS application with Electron. This application runs obfuscated JavaScript code (preload.js). Its main task is to copy all executable files from a local folder named temp to the user’s captures folder in the Videos folder. Afterward, it runs a signed application from that folder.
   Source: Securelist
The team found several executables being used, such as Chrome and OBS Studio. The banker is loaded by sideloading a DLL dependency of these executables. In all cases, the libcef.dll library is used for DLL sideloading. Click here to read the full report.
Source: Securelist

Check Also

Lock bit

LockBit Reestablishes Dark Web Leak Site: Report

The LockBit ransomware group reactivated a hidden website on the dark web. They posted a …

Leave a Reply

Your email address will not be published. Required fields are marked *