New Coyote banking trojan becomes first known instance of a threat actor weaponizing Windows accessibility features.

A new strain of the banking trojan known as Coyote is making headlines for exploiting a little-watched but powerful feature within the Windows operating system. Cybersecurity researchers have discovered that this malware is leveraging Microsoft’s UI Automation (UIA) framework, a tool originally designed to assist users with disabilities. This marks the first known instance of a threat actor weaponizing the Windows accessibility interface.

Malware Delivery and Execution

Coyote’s infection chain demonstrates a multi-layered and highly targeted approach:

  1. Initial Access: Victims are typically infected through malicious LNK (shortcut) files distributed via phishing emails or downloaded using the legitimate Squirrel installer—a tool commonly used for deploying and updating Windows desktop applications.
  2. Persistence: Once executed, the malware modifies registry keys to achieve persistence and subsequently downloads additional payloads to carry out reconnaissance and data theft.

Innovative Use of UI Automation for Reconnaissance

Traditionally, credential-stealing malware identifies banking sessions based on window titles or specific URLs. Coyote, however, takes this further by exploiting the Windows UI Automation (UIA) API, a framework designed for screen readers and other assistive tools to interact with software UI components.

If a target URL or banking session isn’t detected in the window title, Coyote dynamically inspects the UI elements of active windows, such as browser address bars and login forms. The malware creates a UI Automation COM object linked to the foreground window and then traverses the interface tree to extract actionable information. This allows it to identify and interact with login elements even if the target website is not clearly identified by the browser title alone.

Credential Theft Techniques

Once a match is found against a hardcoded list of financial and cryptocurrency platforms, Coyote activates its data collection modules:

  • Keylogging: Captures keystrokes to intercept login credentials.
  • Phishing Overlays (probable future enhancement): Researchers suggest this feature may be implemented to mimic legitimate website login forms.
  • Screen Scraping: Captures screenshots of active sessions to gather further sensitive information.
  • Data Exfiltration: All collected data is transmitted to a remote command-and-control (C2) server operated by the attackers.

Evasion and Stealth Tactics

What sets Coyote apart is its ability to evade conventional security tools:

  • Bypassing Detection: Security solutions typically whitelist the interaction between applications and accessibility frameworks, assuming their use is legitimate. Coyote takes advantage of this trust.
  • Localized Testing: Initial campaigns appear to target users in Brazil, a common testing ground before malware variants are deployed on a global scale.
  • Frequent Updates: The malware employs modular architecture, allowing criminals to easily update functionality and bypass emerging detection signatures.
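Because the UI Automation traversal described above happens in-process, the most practical defensive signal is which processes load the UI Automation library at all. The following detection sketch is an added example, not code from the article or from any vendor: it reads constructed Sysmon-style "Image loaded" (Event ID 7) records, ignores a baseline allowlist of processes expected to use UI Automation (the allowlist contents are an assumption to be tuned per environment), and raises a finding, with escalating reasons, when a non-baseline, unsigned, or user-writable-path process maps `UIAutomationCore.dll`.

```python
"""Flag unexpected processes loading the Windows UI Automation library.

Added example for this article; the log records below are constructed,
not real telemetry. Field names follow the Sysmon Event ID 7 schema
(Image, ImageLoaded, Signed), which is what most EDR/SIEM pipelines
already collect.
"""
import json
from dataclasses import dataclass, field
from typing import List, Optional

IMAGE_LOADED_EVENT = 7                      # Sysmon "Image loaded"
UIA_LIBRARY = "uiautomationcore.dll"        # the UI Automation runtime DLL

# Assumed baseline of processes that legitimately use UI Automation
# (built-in assistive tools and the shell). Tune to the local environment;
# many signed desktop apps also load this DLL, so expect to extend it.
ALLOWLIST = {
    r"c:\windows\system32\narrator.exe",
    r"c:\windows\system32\magnify.exe",
    r"c:\windows\explorer.exe",
}

# Path fragments that indicate a user-writable install location, where a
# phishing-delivered payload or a per-user installer would typically land.
USER_WRITABLE_MARKERS = (
    "\\appdata\\local\\",
    "\\appdata\\roaming\\",
    "\\temp\\",
    "\\downloads\\",
)


@dataclass
class Finding:
    image: str
    reasons: List[str] = field(default_factory=list)

    @property
    def severity(self) -> str:
        # One reason: review. Two or more: treat as suspicious.
        return "high" if len(self.reasons) >= 2 else "review"


def analyze_event(event: dict) -> Optional[Finding]:
    """Return a Finding when a non-baseline process loads the UIA library."""
    if event.get("EventID") != IMAGE_LOADED_EVENT:
        return None
    loaded = event.get("ImageLoaded", "").lower()
    if not loaded.endswith(UIA_LIBRARY):
        return None
    image = event.get("Image", "").lower()
    if image in ALLOWLIST:
        return None

    finding = Finding(image=image)
    finding.reasons.append("non-allowlisted process loaded UIAutomationCore.dll")
    if str(event.get("Signed", "false")).lower() != "true":
        finding.reasons.append("loading image is unsigned")
    if any(marker in image for marker in USER_WRITABLE_MARKERS):
        finding.reasons.append("process image resides in a user-writable directory")
    return finding


def analyze_log(lines) -> List[Finding]:
    """Parse one JSON record per line and collect findings in log order."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        result = analyze_event(json.loads(line))
        if result is not None:
            findings.append(result)
    return findings


# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 7, "Image": r"C:\Windows\System32\narrator.exe",
     "ImageLoaded": r"C:\Windows\System32\UIAutomationCore.dll", "Signed": "true"},
    {"EventID": 7, "Image": r"C:\Program Files\Example Browser\browser.exe",
     "ImageLoaded": r"C:\Windows\System32\UIAutomationCore.dll", "Signed": "true"},
    {"EventID": 7, "Image": r"C:\Users\alice\AppData\Local\updater\svc.exe",
     "ImageLoaded": r"C:\Windows\System32\UIAutomationCore.dll", "Signed": "false"},
]
SAMPLE_LOG = [json.dumps(e) for e in SAMPLE_EVENTS]

if __name__ == "__main__":
    for f in analyze_log(SAMPLE_LOG):
        print(f"[{f.severity}] {f.image}: " + "; ".join(f.reasons))
```

The signed browser in the sample produces a single-reason "review" finding, which is the expected false-positive class for this rule; the point is that the tuning happens in `ALLOWLIST`, not by dropping the rule, because the article's core observation is that accessibility-framework use is otherwise trusted unconditionally.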
