Banking Trojan developers are always finding new ways to spread malware and infect victims. Kaspersky found a new malware that targets users of over 60 banks in Brazil. It caught the attention because of its advanced infection method using various technologies, different from known banking Trojan infections.
The malware uses the Squirrel installer to spread and uses NodeJS and a newer programming language called Nim as a loader to infect systems. Kaspersky named this new Trojan “Coyote” because coyotes hunt squirrels. The Nim language is described as a “statically typed compiled systems programming language that combines successful concepts from mature languages like Python, Ada, and Modula.” The use of less popular and cross-platform languages by cybercriminals is a trend we identified in the report on Crimeware and financial cyberthreats for 2024.
Researchers at Fortinet unveiled hackers to exploit GeoServer RCE vulnerability deploying malware relating to the vulnerability tracked as “CVE-2024-36401, has...
Progress Software released an emergency fix for a critical vulnerability (10/10) in its Loadmaster and LoadMaster Multi-Tenant Hypervisor products, which...
CISCO released security updates for two critical security flaws impacting its smart Licensing Utility that could allow unauthenticated, remote attackers...
OpenBAS is a platform that helps organizations to plan, schedule, and conduct crisis exercises, adversary simulations, and breach simulations. OpenBAS...
Indian Computer Emergency Response Team (CERT-IN) issued advisories about multiple vulnerabilities in various Palo Alto Networks applications. Attackers could exploit...
Banking Trojans often utilize the Delphi language or MSI installers as a common method for initial infection. This is a well-known trend among malware creators in the cybersecurity community.
Coyote does things a little differently. Instead of going down the usual route with MSI installers, it opted for a relatively new tool for installing and updating Windows desktop applications: Squirrel. As the authors explain, “Squirrel uses NuGet packages to create installation and update packages, which means that you probably already know most of what you need to create an installer.”
By using this tool, Coyote hides its initial stage loader by presenting it as an update packager.
The Node.js loader script:
When Squirrel is used, it runs a NodeJS application with Electron. This application runs obfuscated JavaScript code (preload.js). Its main task is to copy all executable files from a local folder named temp to the user’s captures folder in the Videos folder. Afterward, it runs a signed application from that folder.
The team found several executables being used, such as Chrome and OBS Studio. The banker is loaded by sideloading a DLL dependency of these executables. In all cases, the libcef.dll library is used for DLL sideloading. Click here to readthe full report.