A new banking trojan dubbed Coyote is targeting sixty-one banking institutions in Brazil. Coyote stands out for its use of the Squirrel installer to distribute the malware and its adoption of the Nim programming language for its loader. This trojan deviates from traditional banking malware by employing the open-source Squirrel framework and moving away from the Delphi language that Brazilian banking trojans have commonly used.
The attack chain described by Kaspersky involves a Squirrel installer executable that launches a Node.js application packaged with Electron, which in turn runs a Nim-based loader that executes the Coyote payload through DLL side-loading. Once running, Coyote monitors the victim's system for specific banking applications or websites and communicates with an attacker-controlled server to receive further instructions.
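The DLL side-loading step in that chain leaves a generic, observable trace on the endpoint: a DLL whose name matches a legitimate system library is loaded from a user-writable application folder rather than from a Windows system directory. The following detector is an added example written for this summary; it is not Kaspersky's code and not from the article. The pipe-delimited log format, the directory lists, the sample events and the `KNOWN_SYSTEM_DLLS` set are all constructed assumptions for the illustration.

```python
from __future__ import annotations
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Directories from which a genuine system DLL is expected to load
# (assumption: a default Windows layout).
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Locations an unprivileged user can write to; per-user installers such as
# Squirrel place applications under the user's profile.
USER_WRITABLE_DIRS = ("c:\\users\\", "c:\\programdata\\")


@dataclass(frozen=True)
class ImageLoad:
    process: str   # executable that loaded the DLL
    image: str     # full path of the DLL that was loaded


def parse_image_loads(log_text: str) -> list[ImageLoad]:
    """Parse constructed 'ImageLoad|<process path>|<dll path>' lines; other lines are ignored."""
    events = []
    for line in log_text.splitlines():
        parts = line.strip().split("|")
        if len(parts) == 3 and parts[0] == "ImageLoad":
            events.append(ImageLoad(process=parts[1], image=parts[2]))
    return events


def _under(path: str, prefixes: tuple[str, ...]) -> bool:
    """Case-insensitive prefix check against a list of directory prefixes."""
    p = path.lower()
    return any(p.startswith(prefix) for prefix in prefixes)


def find_sideload_candidates(events: list[ImageLoad], known_system_dlls: set[str]) -> list[ImageLoad]:
    """
    Flag loads where a DLL carrying the name of a known system DLL is loaded
    from a user-writable directory instead of a system directory. The check
    depends only on where the DLL came from, not on the specific DLL, installer
    or loader involved, so it applies to the Coyote chain and similar ones.
    """
    hits = []
    for ev in events:
        name = PureWindowsPath(ev.image).name.lower()
        if name not in known_system_dlls:
            continue
        if _under(ev.image, SYSTEM_DIRS):
            continue  # loaded from the expected location
        if _under(ev.image, USER_WRITABLE_DIRS):
            hits.append(ev)
    return hits


# Constructed sample: an Electron-style app under AppData loads a DLL that
# shares its name with a system DLL from its own folder (the side-loading
# pattern), plus benign loads that must not be flagged.
SAMPLE_LOG = """
ImageLoad|C:\\Users\\alice\\AppData\\Local\\ExampleApp\\app-1.0.0\\ExampleApp.exe|C:\\Users\\alice\\AppData\\Local\\ExampleApp\\app-1.0.0\\version.dll
ImageLoad|C:\\Users\\alice\\AppData\\Local\\ExampleApp\\app-1.0.0\\ExampleApp.exe|C:\\Windows\\System32\\kernel32.dll
ImageLoad|C:\\Windows\\explorer.exe|C:\\Windows\\System32\\version.dll
ImageLoad|C:\\Users\\alice\\AppData\\Local\\ExampleApp\\app-1.0.0\\ExampleApp.exe|C:\\Users\\alice\\AppData\\Local\\ExampleApp\\app-1.0.0\\resources\\app.asar
"""

# Assumption: a real deployment would build this set from the host's own
# System32 listing; a small constructed set is enough for the sample.
KNOWN_SYSTEM_DLLS = {"version.dll", "kernel32.dll", "dbghelp.dll"}


def demo() -> list[ImageLoad]:
    """Run the detector over the constructed sample log."""
    return find_sideload_candidates(parse_image_loads(SAMPLE_LOG), KNOWN_SYSTEM_DLLS)


if __name__ == "__main__":
    for hit in demo():
        print(f"side-load candidate: {hit.process} loaded {hit.image}")
```

Only the first sample event is reported: the same application loading `kernel32.dll` from System32 is normal, Explorer loading `version.dll` from System32 is normal, and the `.asar` archive is not a system library name. In practice the rule is tuned by excluding signed application directories and by correlating the flagged load with the parent process chain (installer, Electron host, loader) that the article describes.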
Coyote exhibits advanced capabilities such as capturing screenshots, logging keystrokes, displaying fake overlays, and even halting system operations with deceptive messages. Kaspersky notes the increased complexity of Coyote’s design due to the integration of Nim as a loader, highlighting the evolving sophistication within the threat landscape. This development coincides with Brazilian law enforcement’s efforts to dismantle the Grandoreiro operation, reflecting ongoing efforts to combat cyber threats in the region.