New Malware Targets Brazilian Financial Sector Using Microsoft UI Automation

A newly identified variant of the Coyote banking Trojan has emerged as the first malware to utilize Microsoft’s UI Automation framework to extract sensitive credentials, raising alarms about its potential to evade standard detection mechanisms in the cybersecurity landscape.
Since February, this banking Trojan has targeted over 75 financial institutions and cryptocurrency exchanges within Brazil. Research from Akamai indicates that the malware exploits the UI Automation framework, originally designed to aid accessibility, thereby introducing a novel tactic aimed at circumventing traditional security defenses.
The UI Automation framework allows applications to analyze and interact with user interface elements such as buttons and text boxes. This functionality, while beneficial for legitimate purposes, can be exploited by malicious entities to pull information from applications without triggering common detection systems.
Initially surfacing in Brazil over a year ago, Coyote primarily focuses on Windows systems. Fortinet researchers have detailed its infection vector, which often relies on phishing campaigns. Victims are lured into opening a zip file that contains a malicious shortcut. Once activated, this shortcut launches a PowerShell script that downloads the Coyote Trojan.
Coyote begins by gathering basic system information, including the device’s name and model, which it sends to a command-and-control server. The malware then checks the title of the active window on the infected machine. If this title corresponds with a recognized financial service, the Trojan intercepts the credentials entered by the user. Conversely, if there is no match, Coyote adapts its approach.
This is where the UI Automation framework becomes crucial. By inspecting the UI elements inside the application window, Coyote can parse browser elements to identify financial-related domains, a task that would otherwise require JavaScript injection or browser hooks. Those traditional methods can break when web interfaces are updated, whereas UI Automation lets Coyote monitor user activity across various browsers without tailor-made code for each one.
Once it identifies relevant login pages, Coyote can either continue monitoring user inputs or deploy overlays to capture credentials. Notably, this malware does not rely on constant online connectivity; it operates two persistent loops—one for online tasks and another for offline analysis—allowing it to continually scan for financial interactions, reestablishing connections with its command infrastructure as needed.
The tactical use of UI Automation is not just a theoretical concern. Akamai initially flagged this approach as a potential risk in December, highlighting its ability to allow malware to bypass typical endpoint defenses. The confirmation of Coyote’s usage marks a significant shift in the threat landscape and signifies a pressing challenge for cybersecurity professionals.
Indicators of compromise may include the presence of UIAutomationCore.dll loaded into unexpected processes or unusual inter-process communication, yet traditional malware detection methods may struggle because Coyote relies on legitimate API calls rather than code injection.
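As an added example (not code from the article or from Akamai's research), the following Python check turns the indicator above into a simple detection: it scans records shaped like Sysmon Event ID 7 (Image loaded) and flags any process outside an assumed baseline that loads UIAutomationCore.dll, rating loads from user-writable paths as higher severity. The sample records and the allowlist of expected hosts are constructed for illustration and should be tuned to the environment.

```python
import ntpath

# Assumed baseline of processes that ordinarily load UIAutomationCore.dll
# (assistive tools, the shell, browsers). Tune this allowlist per environment.
EXPECTED_UIA_HOSTS = {
    "explorer.exe", "narrator.exe", "magnify.exe", "sihost.exe",
    "msedge.exe", "chrome.exe", "firefox.exe",
}

# Path prefixes that are user-writable; a UIA load from here is more suspicious.
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")

# Constructed sample records in the shape of Sysmon Event ID 7 (Image loaded).
# These are not real telemetry; they only illustrate the check.
SAMPLE_EVENTS = [
    {"EventID": 7, "ProcessId": 4120, "Image": r"C:\Windows\explorer.exe",
     "ImageLoaded": r"C:\Windows\System32\UIAutomationCore.dll"},
    {"EventID": 7, "ProcessId": 9876, "Image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "ImageLoaded": r"C:\Windows\System32\UIAutomationCore.dll"},
    {"EventID": 7, "ProcessId": 5544, "Image": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "ImageLoaded": r"C:\Windows\System32\UIAutomationCore.dll"},
    {"EventID": 7, "ProcessId": 3300, "Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "ImageLoaded": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.dll"},
    {"EventID": 1, "ProcessId": 9876, "Image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "CommandLine": "update.exe"},
]


def flag_unexpected_uia_loads(events, expected=EXPECTED_UIA_HOSTS):
    """Return one finding per Event ID 7 record in which UIAutomationCore.dll
    is loaded into a process that is not in the expected baseline."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 7:
            continue  # only image-load events carry the module name
        # ntpath handles Windows separators even when this runs on Linux
        dll = ntpath.basename(ev.get("ImageLoaded", "")).lower()
        if dll != "uiautomationcore.dll":
            continue
        image = ev.get("Image", "")
        proc = ntpath.basename(image).lower()
        if proc in expected:
            continue
        # A UIA load from a user-writable location is rated higher than one
        # from a system or program directory (e.g. a scripting host).
        severity = "high" if image.lower().startswith(USER_WRITABLE_PREFIXES) else "medium"
        findings.append({
            "pid": ev.get("ProcessId"),
            "process": proc,
            "image": image,
            "severity": severity,
            "reason": "UIAutomationCore.dll loaded by a process outside the UIA baseline",
        })
    return findings


if __name__ == "__main__":
    for f in flag_unexpected_uia_loads(SAMPLE_EVENTS):
        print(f"[{f['severity']}] pid={f['pid']} {f['image']}")
```

On the constructed sample this reports the Temp-directory executable as high severity and the PowerShell host as medium, while ignoring the explorer.exe load and the non-UIA module. In practice the baseline should be built from a period of clean telemetry, since assistive technologies and some browsers legitimately load this library.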
Akamai’s findings underscore an alarming trend where attackers leverage legitimate system functionalities, particularly those designed for accessibility, to circumvent established security protocols. Such techniques represent a growing concern in the cybersecurity ecosystem, marking a departure from conventional threat vectors.