- Banking Trojan Coyote is now abusing Microsoft’s UI Automation framework
- The framework allows it to spot when a person opens a bank site
- It can cross-reference data in the browser with a hard-coded list of banking and crypto apps
Coyote, a well-known banking Trojan capable of attacking dozens of crypto and banking apps, has been upgraded to identify crypto exchanges and bank accounts opened in the web browser, researchers have warned.
Cybersecurity researchers at Akamai, who have been warning about Coyote since December 2024, noted that in its first iterations Coyote would either log keys or present phishing overlays to capture logins for 75 banking and cryptocurrency apps. However, if a user opened these accounts in the browser, Coyote would not be triggered.
This new variant, however, abuses Microsoft’s UI Automation framework to identify which bank and crypto exchange sites the victim has opened in their browser.
Brazilians in the crosshairs
Microsoft’s UI Automation (UIA) framework is an accessibility system that helps software interact with Windows apps.
It is especially useful for things like screen readers and automated tests as it lets programs “see” buttons, menus and other parts of an app and even click or read them.
According to Akamai, Coyote can now use UIA to read the URL found in the browser’s tabs or address bar, and then compare the results with a hard-coded list of 75 targeted services. If it finds a match, it will use UIA to parse the UI child elements and try to identify which of them are browser tabs or address bars.
“The contents of these UI elements will then be cross-referenced with the same list of addresses from the first comparison,” they explained.
Akamai says Coyote is primarily aimed at Brazilian users. The banks it usually goes after are Banco do Brasil, CaixaBank, Banco Bradesco, Santander, Original Bank, Sicredi, Banco do Nordeste, Expanse apps, and various crypto exchanges (Binance, Electrum, Bitcoin, Foxbit and more).
The researchers first warned late last year that UIA could be abused for credential theft, and now their predictions appear to have come true, as Coyote is apparently the first to use this tactic in the wild.
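A defender-side illustration of the UIA abuse described above, added here and not taken from Akamai or the original article: programs that use UIA load UIAutomationCore.dll, so image-load telemetry can surface unexpected processes doing so. The JSON-lines export of Sysmon Event ID 7 records, the allow-list and the sample records are assumptions constructed for this example.

```python
import json
from pathlib import PureWindowsPath

UIA_DLL = "uiautomationcore.dll"
# Assumption: full paths of programs expected to use UIA on this fleet; tune per environment.
ALLOWED_CLIENTS = {r"c:\windows\system32\narrator.exe", r"c:\windows\explorer.exe"}
# Path fragments that suggest the loading binary lives in a user-writable location.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")

# Constructed sample: Sysmon image-load (Event ID 7) records exported as JSON lines.
SAMPLE_EVENTS = r"""
{"EventID": 7, "ProcessId": 4120, "Image": "C:\\Windows\\System32\\Narrator.exe", "ImageLoaded": "C:\\Windows\\System32\\UIAutomationCore.dll"}
{"EventID": 7, "ProcessId": 5012, "Image": "C:\\Users\\ana\\AppData\\Roaming\\updater\\svc.exe", "ImageLoaded": "C:\\Windows\\System32\\UIAutomationCore.dll"}
{"EventID": 7, "ProcessId": 6240, "Image": "C:\\Program Files\\Vendor\\tool.exe", "ImageLoaded": "C:\\Windows\\System32\\uiautomationcore.dll"}
{"EventID": 7, "ProcessId": 3388, "Image": "C:\\Program Files\\Vendor\\tool.exe", "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll"}
{"EventID": 7, "ProcessId": 7300, "Image": "C:\\Users\\ana\\Downloads\\Narrator.exe", "ImageLoaded": "C:\\Windows\\System32\\UIAutomationCore.dll"}
{"EventID": 1, "ProcessId": 7300, "Image": "C:\\Users\\ana\\Downloads\\Narrator.exe"}
this line is truncated {"EventID": 7
"""


def find_unexpected_uia_loads(json_lines, allowed=ALLOWED_CLIENTS):
    """Return (pid, image, severity) for non-allow-listed processes loading the UIA DLL."""
    findings = []
    for line in json_lines.splitlines():
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # blank or malformed record
        if not isinstance(ev, dict) or ev.get("EventID") != 7:
            continue  # only image-load events are relevant
        if PureWindowsPath(ev.get("ImageLoaded", "")).name.lower() != UIA_DLL:
            continue
        image = ev.get("Image", "")
        # Match on the full path so a look-alike name elsewhere on disk is not trusted.
        if image.lower() in allowed:
            continue
        severity = "high" if any(p in image.lower() for p in USER_WRITABLE) else "medium"
        findings.append((ev.get("ProcessId"), image, severity))
    return findings


if __name__ == "__main__":
    for pid, image, severity in find_unexpected_uia_loads(SAMPLE_EVENTS):
        print(f"[{severity}] pid={pid} {image} loaded {UIA_DLL}")
```

Many legitimate programs load this DLL, so hits are leads for triage rather than verdicts, and the allow-list needs tuning before use.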
Via BleepingComputer



