Coyote Malware Using NodeJS Has Targeted Over 60 Banks, Kaspersky Says

The Coyote malware is as cunning as a wild animal.

Threat actors have begun building banking malware on NodeJS, a runtime normally associated with legitimate desktop and server applications, posing a significant risk to online banking users.

According to the reports, these attackers employ JavaScript web injections to manipulate the login pages of banking websites, enabling them to steal sensitive credentials and one-time passwords.

Uncovering Coyote Malware

The hackers use JavaScript web injections to steal the victims' banking information once they log in on a bank's website, Kaspersky notes in its recent report.

Kaspersky's analysts have uncovered a new banking Trojan named Coyote, which targets users of more than 60 banks, most of them in Brazil. What sets Coyote apart is its use of NodeJS and the Nim programming language in its infection chain, a departure from the tooling traditionally seen in Latin American banking Trojans.

Innovative Distribution Techniques

Unlike typical banking Trojans that rely on Delphi or MSI installers, Coyote is delivered through the Squirrel installer, a legitimate open-source installer and updater for Windows desktop applications (the one Electron apps commonly ship with). The installer drops a NodeJS application, and a loader written in Nim hands execution to the final payload. Because Squirrel is a normal way to install and update desktop software, the delivery looks unremarkable and the chain is easy for the operators to maintain and update.

Execution and Persistence

Coyote relies on several layers to evade detection and to survive reboots. Squirrel launches a NodeJS application packaged with Electron; that application runs obfuscated JavaScript which copies executables to their working location and sets up persistence across reboots. The strings inside the malware are stored AES-encrypted and decrypted only at runtime, which keeps domains, paths and target names out of static scans.

Data Collection and Transmission

Once active on a victim's system, Coyote opens an SSL/TLS channel to its command-and-control (C2) server and collects information such as the machine name and which banking applications are in use. That data is sent to the attacker's server and drives the subsequent stages of the attack.

The emergence of Coyote malware highlights a shift in Brazilian banking Trojans towards modern technologies like Node.js, .NET, and Nim. This evolution underscores the increasing sophistication of cyber threats and the need for robust cybersecurity measures.

With a majority of infections originating from Brazil, financial institutions and users alike must stay vigilant against such advanced threats.

Indicators of Compromise (IoCs)

Host-based (MD5 hash):

  • 03eacccb664d517772a33255dff96020
  • 071b6efd6d3ace1ad23ee0d6d3eead76
  • 276f14d432601003b6bf0caa8cd82fec
  • 5134e6925ff1397fdda0f3b48afec87b
  • bf9c9cc94056bcdae6e579e724e8dbbd

C2 domain list:

  • atendesolucao[.]com
  • servicoasso[.]com
  • dowfinanceiro[.]com
  • centralsolucao[.]com
  • traktinves[.]com
  • diadaacaodegraca[.]com
  • segurancasys[.]com
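The IoCs above are only useful if they are actually matched against something. The following is an added example (it is not code from Kaspersky or from this article) that refangs the published C2 domains, matches DNS query-log entries against them (including subdomains, but not look-alike names that merely end in the same letters), and checks file hashes against the MD5 list. The query-log lines and the IP addresses in them are constructed for the example; only the hashes and domains come from the page.

```python
"""Match the published Coyote IoCs (MD5 hashes, C2 domains) against local
artifacts. Added example; the hashes and domains are the ones listed in the
article, the DNS log lines are constructed and not real telemetry."""
import hashlib
import re
from pathlib import Path

# Host-based IoCs (MD5, from the article), normalised to lowercase.
COYOTE_MD5 = {
    "03eacccb664d517772a33255dff96020",
    "071b6efd6d3ace1ad23ee0d6d3eead76",
    "276f14d432601003b6bf0caa8cd82fec",
    "5134e6925ff1397fdda0f3b48afec87b",
    "bf9c9cc94056bcdae6e579e724e8dbbd",
}

# C2 domains exactly as published, defanged with "[.]".
COYOTE_C2_DEFANGED = [
    "atendesolucao[.]com",
    "servicoasso[.]com",
    "dowfinanceiro[.]com",
    "centralsolucao[.]com",
    "traktinves[.]com",
    "diadaacaodegraca[.]com",
    "segurancasys[.]com",
]


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('a[.]b', 'hxxp://a[.]b/x') into a bare lowercase hostname."""
    d = indicator.strip().lower()
    d = re.sub(r"^hxxps?://", "", d)          # hxxp:// -> drop scheme
    d = d.split("/", 1)[0]                    # drop any path
    d = d.replace("[.]", ".").replace("(.)", ".").replace("{.}", ".")
    return d.rstrip(".")


COYOTE_C2 = {refang(d) for d in COYOTE_C2_DEFANGED}


def is_c2_host(hostname: str) -> bool:
    """True if hostname is a listed C2 domain or a subdomain of one.

    The '.' prefix in the endswith() check is what stops 'notsegurancasys.com'
    from matching 'segurancasys.com'.
    """
    h = refang(hostname)
    return any(h == c2 or h.endswith("." + c2) for c2 in COYOTE_C2)


def is_known_sample(md5_hex: str) -> bool:
    """True if the given MD5 (any case) is one of the published Coyote hashes."""
    return md5_hex.strip().lower() in COYOTE_MD5


def md5_of_file(path) -> str:
    """Stream a file through MD5 so large binaries do not have to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree_for_samples(root) -> list:
    """Walk a directory and return (path, md5) for every file matching the IoC hashes."""
    hits = []
    for p in Path(root).rglob("*"):
        if not p.is_file():
            continue
        try:
            digest = md5_of_file(p)
        except OSError:               # unreadable or vanished file: skip, keep scanning
            continue
        if is_known_sample(digest):
            hits.append((str(p), digest))
    return hits


# Constructed, simplified resolver query-log lines (not real telemetry).
SAMPLE_DNS_LOG = """\
07-Feb-2024 10:12:01.115 client 10.0.0.7#51234: query: www.example.com IN A +
07-Feb-2024 10:12:03.402 client 10.0.0.7#51240: query: api.dowfinanceiro.com IN A +
07-Feb-2024 10:12:05.019 client 10.0.0.9#52011: query: segurancasys.com IN A +
07-Feb-2024 10:12:07.870 client 10.0.0.9#52013: query: notsegurancasys.com IN A +
"""

QUERY_RE = re.compile(r"client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN")


def scan_dns_log(text: str) -> list:
    """Return (client_ip, queried_name) for each query that touches a Coyote C2 domain."""
    hits = []
    for line in text.splitlines():
        m = QUERY_RE.search(line)
        if m and is_c2_host(m.group("qname")):
            hits.append((m.group("client"), m.group("qname").lower()))
    return hits


if __name__ == "__main__":
    for client, qname in scan_dns_log(SAMPLE_DNS_LOG):
        print(f"C2 lookup from {client}: {qname}")
```

Point `scan_tree_for_samples` at a user's profile or download directory and `scan_dns_log` at a resolver or proxy log export; a hit from either is strong enough to pull the host for triage, and a DNS hit from a machine with no hash hit usually means a sample not yet on the hash list.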

In conclusion, the discovery of Coyote malware underscores the need for proactive cybersecurity measures to combat evolving threats in the banking sector.

In other news, Tech Times reported that Romania's healthcare system was hit by a ransomware attack.

A recent report said that at least 18 hospitals in the country were "paralyzed" after the threat actors launched an attack on the healthcare facilities.

The full extent of the impact has yet to be disclosed by the authorities, who also do not know whether the attackers intended to steal patient data or records of other medical activity.

Joseph Henry
Tech Times
ⓒ 2024 TECHTIMES.com All rights reserved. Do not reproduce without permission.