Coyote Banking Trojan: A Growing Threat to Online Financial Security

Cybersecurity experts at FortiGuard Labs have recently identified a new malware campaign using malicious Windows Shortcut (LNK) files to spread the Coyote Banking Trojan. This sophisticated malware primarily targets users in Brazil and poses a significant threat to online banking security. Designed to steal sensitive financial information, Coyote continues to evolve, targeting a growing number of financial institutions and businesses.

---

Summary of Coyote Banking Trojan

To better understand the nature of the Coyote Banking Trojan, the table below summarizes its key details:

Feature	Details
Threat Type	Banking Trojan
Detection Names	Various AV detections, including Trojan-Banker.Win32.Coyote, Trojan:Win32/Coyote.A, and Win32/CoyoteBanker.Trojan
Symptoms of Infection	Unusual system behavior, fake banking login pages, unexpected overlays on financial websites, slow performance, unauthorized transactions
Damage	Theft of banking credentials, unauthorized transactions, system persistence through registry modifications
Distribution Methods	Malicious LNK files, PowerShell commands, email phishing, drive-by downloads
Danger Level	Severe

---

How Does Coyote Banking Trojan Work?

Coyote employs a multi-stage infection process to compromise victim devices and extract financial data.

Stage 1: Initial Infection via Malicious LNK Files

The attack begins when an unsuspecting user executes a malicious LNK file, which triggers a PowerShell command connecting to a remote server. This command retrieves another PowerShell script that downloads and executes a loader responsible for deploying the main malware payload.

Stage 2: Payload Execution & Persistence

The malware uses Donut, a well-known tool for decrypting and executing Microsoft Intermediate Language (MSIL) payloads. Once decrypted, the MSIL file modifies the Windows registry to ensure persistence, meaning that even after a system restart, the Trojan remains active.

Stage 3: Data Theft & Command Execution

Once fully deployed, Coyote scans the system for security software and evades detection by checking whether it is running in a virtual or sandboxed environment. The Trojan then begins its primary malicious operations, including:

• Logging keystrokes to capture sensitive credentials.
• Taking screenshots of the victim’s screen.
• Displaying phishing overlays on legitimate banking websites to steal login credentials.
• Manipulating the system’s display settings to deceive users.

Stage 4: Communication with Command-and-Control (C2) Server

Coyote communicates with an attacker-controlled server, where it transmits collected data and awaits further instructions. Depending on these instructions, the malware can:

• Capture screenshots.
• Activate a keylogger.
• Deploy deceptive overlays to steal user credentials.

Target List & Expanding Reach

Initially, Coyote targeted 70 financial applications, but recent findings show its scope has expanded to over 1,000 websites and 73 financial institutions. Notably, it now affects cryptocurrency platforms like:

• mercadobitcoin.com.br
• bitcointrade.com.br
• foxbit.com.br

Additionally, it has been found targeting hospitality-related websites such as:

• augustoshotel.com.br
• blumenhotelboutique.com.br
• fallshotel.com.br

This expansion suggests that Coyote is evolving and may soon target other sectors and regions beyond Brazil.

---

How to Remove Coyote Banking Trojan?

Removing Coyote Banking Trojan requires specialized security software like SpyHunter, which is designed to detect and eliminate advanced malware threats. Follow the steps below to remove the infection:

Step 1: Download and Install SpyHunter

1. Download the latest version.
2. Run the installer and follow the on-screen instructions to install SpyHunter on your system.

Step 2: Run a Full System Scan

1. Launch SpyHunter.
2. Click on “Start Scan” to perform a comprehensive system analysis.
3. SpyHunter will detect the Coyote Banking Trojan and any other potential threats.

Step 3: Remove Detected Threats

1. Review the scan results and ensure all threats are selected.
2. Click “Fix Threats” to remove Coyote and other malicious components from your system.

Step 4: Restart Your Computer

• Restart your system to complete the malware removal process.

Step 5: Verify System Security

• Run another scan with SpyHunter to confirm that no traces of Coyote remain.

---

Preventive Measures to Avoid Future Infections

To safeguard against Coyote and other banking Trojans, follow these best practices:

1. Be Cautious with Email Attachments

• Avoid opening email attachments from unknown or suspicious sources.
• Verify the sender before clicking on any links.

2. Disable Unnecessary PowerShell Execution

• Restrict PowerShell execution on your system to prevent malicious scripts from running.

3. Keep Your Software Updated

• Regularly update your operating system, browser, and security software to patch vulnerabilities.

4. Use Strong Security Software

• Install and maintain a robust anti-malware solution like SpyHunter to detect and block threats before they can execute.

5. Enable Multi-Factor Authentication (MFA)

• Use MFA for banking and sensitive accounts to add an extra layer of security.

6. Avoid Unverified Software Downloads

• Download software only from official sources and avoid pirated or cracked applications.

7. Monitor Bank Statements Regularly

• Keep a close eye on bank transactions and report any suspicious activity immediately.

---

Conclusion

The Coyote Banking Trojan represents a growing cyber threat to online banking security, particularly in Brazil. Its evolving tactics and expanding target list indicate that attackers are continually refining their methods to maximize damage. By understanding how this malware operates and implementing strong cybersecurity measures, users can protect their financial information from cybercriminals.

For those who suspect their system is infected, using a reliable anti-malware solution like SpyHunter is the most effective way to remove the Trojan and secure their device against future threats.