Kaspersky Securelist

Syndikovat obsah Securelist
Aktualizace: 59 min 38 sek zpět

Coyote: A multi-stage banking Trojan abusing the Squirrel installer

8 Únor, 2024 - 11:00

The developers of banking Trojan malware are constantly looking for inventive ways to distribute theirs implants and infect victims. In a recent investigation, we encountered a new malware that specifically targets users of more than 60 banking institutions, mainly from Brazil. What caught our attention was the sophisticated infection chain that makes use of various advanced technologies, setting it apart from known banking Trojan infections.

This malware utilizes the Squirrel installer for distribution, leveraging NodeJS and a relatively new multiplatform programming language called Nim as a loader to complete its infection. We have named this newly discovered Trojan “Coyote” due to the role of coyotes as natural predators of squirrels. The Nim language defines itself as a “statically typed compiled systems programming language that combines successful concepts from mature languages like Python, Ada and Modula”. The adoption of less popular/cross-platform languages by cybercriminals is something we identified as a trend in our Crimeware and financial cyberthreats for 2024.

In this article, we will delve into the workings of the infection chain and explore the capabilities of this Trojan.

Forget old Delphi and MSI

In the banking Trojan landscape, the use of the Delphi language or MSI installers is a recurring trend among malware creators. It’s a well-known fact in the cybersecurity community that this method serves as a widely used initial infection vector.

Coyote does things a little differently. Instead of going down the usual route with MSI installers, it opted for a relatively new tool for installing and updating Windows desktop applications: Squirrel. As the authors explain, “Squirrel uses NuGet packages to create installation and update packages, which means that you probably already know most of what you need to create an installer.

Coyote infection chain

By using this tool, Coyote hides its initial stage loader by presenting it as an update packager.

Malicious Squirrel installer contents

The Node.js loader script

When Squirrel is executed, it eventually runs a NodeJS application compiled with Electron. This application executes obfuscated JavaScript code (preload.js), whose primary function is to copy all executables found in a local folder named temp to the user’s captures folder inside the Videos folder. It then runs a signed application from that directory.

NodeJS project structure

Several executables have been identified in use, including those associated with Chrome and OBS Studio. The banker is loaded through DLL sideloading of a dependency of these executables. In all cases analyzed by our team, DLL sideloading occurs in the libcef.dll library.

The Nim loader

An intriguing element of the infection chain is the use of Nim, a relatively new programming language, to load the final stage. The loader’s objective is to unpack a .NET executable and execute it in memory using the CLR. This implies that the loader aims to load the executable and execute it within its process, reminiscent of how Donut operates.

Unpacked .Net executable

It’s worth noting that the same entry point, obs-browser-page.exe, is utilized for every machine reboot, serving as a means of persistence.

Last but not least, the Coyote banking Trojan

After all these steps, the Trojan is successfully executed. Coyote does not implement any code obfuscation and only uses string obfuscation with AES encryption.

Encrypted string table building

To retrieve a specific string, it calls a decryption method with the string index as a parameter. The decryption method works by creating a table of base64-encoded data. The first 16 bytes of each decoded data item serve as the IV (Initial Vector), while the rest is the encrypted data later used in the AES decryption routine.

Encrypted data structure

The key is randomly generated by each executable, and the AES decryption algorithm uses the official .Net encryption interfaces. With this approach, for each string access that Coyote needs, it searches inside the table and decrypts each string with a custom IV.

Persistence and goals

Coyote achieves persistence by abusing Windows logon scripts; it first checks if HKCU\Environment\UserInitMprLogonScript exists, and if so, it inserts the registry value as the full path to the signed application, in this case, obs-browser-page.exe.

The Coyote Trojan’s objective is consistent with typical banking Trojan behavior. It monitors all open applications on the victim’s system and waits for the specific banking application or website to be accessed.

Application monitoring routine

In our analysis we identified at least 61 related applications, all originating from Brazil. This strongly suggests that Coyote is indeed a Brazilian banking Trojan, exhibiting behavior similar to that previously reported in our Tetrade blog post.

C2 communication and control

When any banking-related application is executed and utilized, the Coyote banker contacts the C2 with this information. The C2 then responds with various actions on the machine, ranging from keylogging to taking screenshots. Communication with the attacker server will be explained in the following sections.

The Trojan establishes communication with its command and control server using SSL channels with a mutual authentication scheme. This implies that the Trojan possesses a certificate from the attacker-controlled server and uses it during the connection process.

The certificate is stored as a resource in an encrypted format that is decrypted by the X509 library from .Net. Once the malware verifies that the connection is indeed with the attacker, it proceeds to send the information collected from the infected machine and banking applications to the server. The information transmitted includes:

  • Machine name
  • Randomly generated GUID
  • Banking application being used

With this information, the attacker sends a response packet that contains specific actions. To process these actions, the attacker transmits a string with a random delimiter. Each position of the string is then converted to a list, with the first entry representing the command type.

To determine the desired command, it checks the length of the string in the first parameter, which is a random string. In other words, the only difference between commands is the size of the string.

The most important available commands are:

Length Description 12 Take a screenshot 14 Show an overlay window of a fake banking app 15 Show a Window that is in the foreground 17 Kill a process 18 Show a full-screen overlay 21 Shut down the machine 27 Block machine with a fake banking image displaying: “Working on updates…” 31 Enable a keylogger 32 Move mouse cursor to specific X, Y position

The Trojan can also request specific bank card passwords and create a phishing overlay to capture user credentials.


Coyote marks a notable change in Brazilian banking Trojans. Unlike its counterparts, which often use older languages like Delphi, the developers behind Coyote are skilled in modern technologies such as Node.js, .NET, and advanced packaging techniques.

The addition of Nim as a loader adds complexity to the Trojan’s design. This evolution highlights the increasing sophistication within the threat landscape and shows how threat actors are adapting and using the latest languages and tools in their malicious campaigns.

Our telemetry data reveals that up to 90% of infections originated from Brazil. All Kaspersky products detect the threat as HEUR:Trojan-Banker.MSIL.Coyote.gen.

A more detailed analysis of the latest Coyote versions is available to customers of our private Threat Intelligence Reports. For more information, please contact [email protected].

Reference IoCs (indicators of compromise)

Host-based (MD5 hash)
03 eacccb664d517772a33255dff96020

C2 domain list

ICS and OT threat predictions for 2024

31 Leden, 2024 - 11:00

We do not expect rapid changes in the industrial cyberthreat landscape in 2024. Most of the below-described trends have been observed before, many for some years. However, some of them have reached a critical mass of creeping changes, which could lead to a qualitative shift in the threat landscape as early as next year.

  • Ransomware will remain the No. 1 scourge of industrial enterprises in 2024.

    In 2023, ransomware attacks consolidated their hold on the top of the ranking of information security threats to industrial enterprises. As seen from the official statements of organizations affected by cyber incidents in H1 2023, at least one in six ransomware attacks caused a halt in the production or delivery of products. In some cases, the damage from the attack was estimated in the hundreds of millions of dollars. At present, there appears to be no reason to believe the threat will decrease in the near future.

  • Ransomware attacks on large organizations, suppliers of unique products (equipment, materials), or big logistics and transport companies can have severe economic and social consequences.

    Today, according to targeted companies, no less than 18% of ransomware attacks on industrial companies lead to disruptions in production and/or product delivery. Moreover, cybercriminals are clearly aiming “upmarket” in their choice of victims, preferring to target large organizations able to pay substantial ransom.

    This is creating a situation where attackers, by design or accident, could again cross the line beyond which the attack consequences become infrastructural, as in the case of Colonial Pipeline. As a further example, a recent attack on DP World, the Dubai-based international container terminal and supply chain operator, brought work at the ports in Melbourne, Sydney, Brisbane and Fremantle to a standstill, blocking approximately 30,000 containers from being delivered.

  • The ransomware market is heading for a peak, which may be followed by a decline or stagnation. Potential victims are unlikely to become immune to attacks any time soon. However, they can learn to mitigate the impact more effectively (for example, through better securing the most confidential data, and with proper backup and incident response plans).

    If this results in victims paying out less money less frequently, cybercriminals will have to find new types of targets and new schemes for monetizing attacks. Potential avenues of development:

    1. Attacks on logistics and transport companies may become targeted not at the IT infrastructure supporting operations, but the vehicles themselves (cars, ships).

      At first glance, the large variety of vehicles in parks and fleets would seem to hinder the implementation of such an attack, greatly adding to the attackers’ development costs. However, rather than one specific owner or operator, the attack could target multiple vehicles of a certain type that have identical or similar internal control systems.

      Another factor facilitating the attack is that fleet owners and operators additionally equip vehicles with their own custom telemetry-gathering systems, which often have remote control capabilities by default (for example, to remotely re-flash the firmware or to change the data set to be collected). Vehicle manufacturers and service providers sometimes do likewise. As a result, this vector becomes feasible.

      In the event of such an attack, the victim will be unable to restore operations by itself without incurring costs that render the business no longer viable. It is far easier to restore the operation of encrypted IT systems (for example, from backups) than it is to resolve even a technically simple issue affecting vehicles scattered across a wide area (for example, removing malware that prevents a truck engine from starting or cuts the power inside a ship). Companies may find themselves unable to bring operations back to normal on their own in a timely manner and without inacceptable financial losses.

    2. The same vector applies equally to owners and operators of various specialized equipment operating at remote hard-to-reach sites, such as in mining or agriculture.
    3. The problem of cyber-securing multiple hard-to-reach sites is also relevant for oil and gas companies, public utilities, and, in general, any organization with a highly distributed OT infrastructure. An attack on a distant out-of-the-way site that excludes the possibility of remote recovery (for example, because the regular remote access channel is blocked by malware) guarantees a ransom payout.
    4. Unconventional methods of monetizing attacks (for example, through stock market speculation) on economically significant enterprises — major transport and logistics organizations, large mining companies, manufacturers and suppliers of materials (such as metals, alloys, or composites), agricultural and food products, suppliers of unique/in-demand products, shortfalls of which are hard to cover quickly (such as microchips or fertilizers).

      Disruptions in the supply of products from such enterprises can significantly impact their market price. Besides the direct consequences, there may be chain reactions and indirect side effects. Recall how the Shamoon attack on Saudi Aramco had a bombshell effect on the price of hard drives globally, following the company’s unexpected decision to replace the hard drives of all its computers affected by the attack with new ones.

  • Politically motivated hacktivism along geopolitical fault lines will grow sharper teeth and have more destructive consequences.

    We all remember the headline-grabbing hacktivist attacks on railways and gas stations in Iran in 2021 that the pro-Israeli hacktivist group claimed responsibility for. And we saw many more cases last year: the irrigation systems hit in Israel, the attacks on the Israeli made Unitronics Vision all-in-one (PLC with integrated HMI) solutions that found their victims in US and Ireland and one more attack on Iranian gas stations in 2023. Leaving aside the PR effect, the actual scale of the negative consequences was quite modest in all these cases.

    That said, more recent hacktivist attacks have demonstrated the ability to get to OT systems. In some of the similar cases that Kaspersky ICS CERT investigated this year it was only a slight lack of the attackers’ preparation and perseverance that saved the victims from physical damage. Escalating tensions may well raise politically motivated hacktivist attacks to a whole new threat level.

  • In addition to protest movements within countries against a backdrop of rising social tension (caused by religious and ethnic strife and growing economic instability in many regions of the planet), we will see growing cosmopolitical protest hacktivism, such as that driven by—or, conversely, aimed against—the introduction of a new socio-cultural and macro-economic agenda. An example, associated with environmental protection and green technology, is so-called “eco-hacktivism”, such as the attack on a mining company in Guatemala by the Guacamaya Roja hacktivist group).
  • The overall rise of hacktivism across the globe will inspire more individuals and groups to start their own fight for “whatever”, even “just for fun“, similarly to the attack on the Idaho National Laboratory by the hacktivist group SiegedSec this year.
From grey zone towards the shadows
  • Widespread use of “offensive cybersecurity” for gathering cyberthreat intelligence will have both positive and negative consequences.

    On the one hand, we will see some improvement in corporate security, as offensive cyberthreat intelligence will give the user signs of potential compromise not with the telemetry of security solutions, incident research, indirect sources, and the dark web, as traditional cyberthreat intelligence does, but also directly from attacker-controlled infrastructure. This will enable victims to restore system security more quickly and efficiently.

    On the other hand, by becoming the new norm (albeit not officially legalized, but applied with the tacit consent of governments), the development of offensive cyberintelligence will also produce negative consequences for the border between the gray zone and the shadows might be too thin and the temptation to cross it might be too hard to resist. Following the states, some commercial enterprises may try and benefit from the help of commercial offensive intelligence solution and service providers, including for not the cybersecurity purposes. And some Industrial enterprises might also be in the game. This might be especially true for the high-completive ecosystems, such as in construction, mining and energy, as well as in many other industrial sectors.

    These “profit-driven” cyberactivities will be even more pinpointed than we are used to seeing in APT campaigns. Campaigns will be armed primarily with commercial and open-source tools, which will allow them to mask their activity against the generally high backdrop of cybercriminal attacks. As a result, the operations will be detected and investigated even less frequently than the APT campaigns.

Threats related to logistics and transport
  • The ongoing and rapid automation and digitization of logistics and transport will lead to:
    1. Greater intertwining of cyber- and traditional crime, particularly in long-established criminal fields such as:
      • Theft of cars, applicable to all modern cars, but especially relevant for the Asian brands and expected for the new car brands due to aggressive fast-to the market strategy that normally prioritizes cyber security maturity as one of the first things to sacrifice.
      • Maritime piracy and logistical disruptions powered by cyber-means—as a logical continuation of known attack tactics and technologies, such as the latest tapping of AISs (Automated Tracking Systems) in the Red Sea and the Indian Ocean or the attack on the Iranian Shahid Rajaee port terminal back in 2020.
      • Theft of goods using cyber means.
      • Smuggling powered by cyber-means—as the development of tactics used in the notorious “Ocean’s Thirteen” case in the port of Antwerp.
      • Other logistics and transport fraud for example, receipt of money in relation to insurance claims/cancellation penalties, and many other schemes, some hard to predict, such as messing with DRM as a means of unfair competition that we recently saw in Poland.
    2. Increased likelihood of physical consequences of non-targeted attacks. Already there are known cases of vehicles of various types being infected with malware. If we peer into the near future, due to the adoption of “traditional” operating systems such as Android and Linux in transport, the widespread integration of standard IT components and communication protocols, and the increasing number of use cases involving connections to cloud services, such infections look set to multiply. Chances are that some may lead to failures of critical monitoring and control systems with hard-to-predict consequences. Above all, the risk concerns river, sea, truck, and emergency transport — information security in such vehicles is often inferior to that in passenger cars.

Privacy predictions for 2024

25 Leden, 2024 - 11:00

In our previous privacy predictions piece, we outlined trends for 2023. As expected, there was a notable increase in the adoption of digital IDs to replace paper documents. For example, California expanded a pilot program for digital driver’s licenses, and Russia introduced laws enabling biometrics-based purchases of alcohol and tobacco. This trend is set to continue, with the European Commission finalizing the EU Digital Identity Wallet agreement. Australia has also unveiled a national strategy for digital identity resilience, aiming for mainstream use in 2024.

We expected organizations to try to reduce the impact of the human factor on data security, so as to bring down the number of insider threats and social engineering attacks. The issue intensified with the widespread use of chatbots for work, leading employees to inadvertently share sensitive data. Notably, major companies like Amazon, Apple, and Spotify are taking measures to prevent data leaks by limiting engagement with such tools.

Whereas we expected the Metaverse to be the focus of the privacy debate, AI stole the spotlight. Despite this, the European Commission has introduced a new strategy on Virtual Worlds, recognizing their transformative potential for EU citizens. Although no immediate regulations are on the table, issues related to metaverses are emerging, such as the British police investigating virtual rape. Interestingly, metaverses are gaining traction in social and political spheres, illustrated by a Columbian court conducting its first trial in the metaverse.

We have not seen any spikes in demand for privacy insurance by individuals in 2023. However, the insurers often include data breach risks into personal cyberinsurance policies. According to Statista, this market is expected to grow significantly by 2025. Given that privacy concerns are rising, we suggest that although our prediction was not fulfilled in 2023, this is a long-term trend that we will observe for years to come.

The same can be said about our prediction on the diversification of the web tracker market. In 2023, we did not see any significant changes in tracker distribution. However, the internet continues to split, with certain resources being banned in certain countries, so the tracker landscape will most likely change in the near future.

As we can see, some of our predictions are likely to come true in the long term. The year 2023 marked the emergence of several important trends, which will influence the privacy field in 2024. Below, we look at some of the important developments that, in our opinion, will affect online privacy in the upcoming year.

  • Expanding the concept of private data

    While the conventional understanding of private data in cyberattacks primarily includes personal and identifying information, the photo, video and voice data was not necessarily part of this concept. This is no longer adequate in 2024. The increasing exploitation of biometric data by scammers who craft voicefakes and deepfakes emphasizes the urgency of enhanced measures to safeguard such information. In recognition of this evolving landscape, the EU is closely working on formulating a legislative framework that will specifically address facial processing technologies to strengthen data protection.

  • AI-enabled wearables might start a new debate on privacy

    Most people have accepted ever-present tracking devices in their pockets, which are smartphones, and in their homes, such as speakers with smart assistants. However, wearables, such as smart glasses, especially equipped with cameras, tend to raise more suspicion. For example, there was a heated debate on privacy implication of smart camera-fitted glasses, resulting, among other things, in them being banned in some pubs. With the rapid pace of AI development, some companies, for example, Rabbit and Humane, have been working hard on bringing these capabilities to wearable devices. One of the implications of a device such as an “AI pin” is having a camera always staring at the face of your friends and a microphone that may be listening for your commands. While this is not a huge step away from a smartphone, the overt character of these devices may seriously concern people around you, especially those who care about their privacy—that is, of course, if these devices gain traction.

  • AR and VR development to call for new privacy standards in 2024

    When Apple launches a new product, it usually attracts public attention to both that product and similar ones. Public attention leads to a debate on privacy, especially if the technology is new enough not to be well regulated. With the launch of Apple Vision Pro and the increasing integration of AR/VR into daily life, its privacy concerns are likely to come to the forefront. Governments and regulatory bodies may respond by tightening privacy regulations specific to AR/VR devices. Given the immersive nature of these technologies, there could be a focus on protecting user data, ensuring secure interactions and addressing potential risks, such as unauthorized data access or misuse. Transparency and accountability within the AR/VR ecosystem may be in the focus as well.

  • Leaked passwords will give fewer reasons to worry—if there is anything to leak

    It seems that all the passwords in the world have already been leaked. According to haveibeenpwned, more than half a billion unique passwords have been compromised in known leaks. When a password is leaked, it can come in different forms: from plaintext on most poorly run websites to strong salted cryptographic hashes. In the worst case, the passwords from the leak can be restored to their original form (for example, if they were improperly hashed) and used to access other accounts belonging to the same user (in an attack called credential stuffing). These attacks can lead to dire consequences: for example, a recent genetic data breach was the result of credential stuffing.However, we think that the importance of data leaks containing passwords will continue to decline. The first reason is the rising prevalence of two-factor authentication, where an additional code sent via SMS or generated in a special authenticator application, such as Kaspersky Password Manager, is used to confirm your login. The second reason is that the use of passwords for authentication will continue to decline. Now, some services, most prominently Google, already feature passwordless authentication via passkeys. Other services are ditching passwords in favor of biometric authentication. Combined with continued use of single sign-on, such as Sign in with Apple, we believe that these factors will lead to decline in both the magnitude and significance of password leaks.

  • Advancing privacy through the rise of assistant bots

    As the prevalence of Assistant Bots utilizing natural language processing (NLP) continues to expand across diverse sectors, there arises a compelling opportunity to harness these technologies for bolstering user privacy. Imagine a future where bot assistants play a pivotal role in safeguarding personal data, particularly in call interactions.For instance, a sophisticated bot assistant could seamlessly handle the user’s calls to ensure that sensitive information, such as the user’s voice, remains protected. This proactive measure acts as a deterrent against potential fraudsters attempting to record voices for malicious purposes like deepfake manipulation—an unsettling trend already gaining traction. Bots serving as intermediaries between a caller and the user exist already. With large language models now available, there may be major development in this area, and more advanced technology may start appearing on the market.

    As we anticipate advancements in this field, we expect to witness the integration of these advanced bots into communication systems in the near future. This evolution not only enhances user privacy but also reflects a proactive approach in adapting technology to address emerging threats in the digital landscape. However, it is worth noting that the adoption of new, sophisticated assistant bots will most likely be accompanied by discovery of new vulnerabilities that enable spammers and scammers to trick these bots into giving out sensitive information or approving an unnecessary purchase.