Coyote banking Trojan exploiting Windows UI Automation

The Coyote banking Trojan, active in Latin America since February 2024, has made headlines by being the first known malware to exploit the Windows UI Automation (UIA) framework, enabling numerous attacks against banks and crypto exchanges in Brazil. This development signifies a shift in malware tactics, as Coyote uses legitimate Windows features to evade detection and extract sensitive information.

Researchers from Akamai have observed Coyote's latest variant targeting login credentials for up to 75 financial institutions in Brazil. Windows UI Automation, designed to assist users with disabilities, lets software read and control application interfaces, which makes it a potential attack vector for malware authors. Once a user has been tricked into running a program that uses UIA, the attacker can execute arbitrary code and steal data with relative stealth.

Coyote primarily targets Windows users in Brazil, employing tactics such as keystroke logging, screenshots, and phishing overlays to capture online banking credentials. It gains initial access through malicious Windows shortcut (.LNK) files delivered via phishing emails. Once installed, Coyote collects system information and monitors the titles of open windows for the names of banks or crypto exchanges.