Coyote Malware Leverage NodeJS to Attack Users of 60+ Banks

In banking attacks, threat actors actively exploit the NodeJS to steal the online banking credentials of the targeted users. Threat actors use JavaScript web injections to alter the login page of a bank’s website. 

This stealthy alteration enables the threat actors to harvest credentials and one-time passwords. This also allows them to bypass the security protections and gain unauthorized access to the user accounts.

Cybersecurity analysts at Kaspersky Labs recently discovered Coyote malware that leverages the NodeJS to attack users of more than 60 banks.

Document
Live Account Takeover Attack Simulation

How do Hackers Bypass 2FA?

Live attack simulation Webinar demonstrates various ways in which account takeover can happen and practices to protect your websites and APIs against ATO attacks .

Coyote Malware Leverage NodeJS

Banking Trojan developers innovate in distributing malware. A recent discovery of “Coyote” malware targets over 60 Brazilian banks with a unique infection chain. 

It deploys the Squirrel installer by utilizing NodeJS and Nim programming language as a loader, an emerging cross-platform language that sets it apart from known Trojan infections.

Banking Trojans often utilize Delphi or MSI installers for initial infections, but Coyote breaks the mold by adopting Squirrel, a newer Windows app installation tool. 

Squirrel simplifies installation and updates using NuGet packages, making it accessible even to those familiar with package management.

Coyote infection chain
Coyote infection chain (Source – Securelist)

Coyote cleverly hides its loader using Squirrel as an update packager. Squirrel triggers a NodeJS application in Electron by executing obfuscated JavaScript to copy executables to the user’s folder. 

The signed application associated with Chrome and OBS Studio loads the banker through DLL sideloading in the libcef.dll library.

Coyote unpacks a .NET executable and executes it in memory that resembles the Donut’s operation. While the obs-browser-page.exe ensures persistence across reboots. 

Coyote employs AES-encrypted string obfuscation without code obfuscation, decrypting strings using a custom IV and Windows logon scripts for persistence.

When a banking app runs, Coyote contacts its C2 and performs keylogging and screenshots after receiving responses.

The Trojan establishes SSL communication with mutual authentication by decrypting an encrypted certificate from the attacker’s server. After verification, it sends the collected information to the server.

Here below, we have mentioned all the information transmitted:-

  • Machine name
  • Randomly generated GUID
  • Banking applications being used

Coyote represents a shift in Brazilian banking Trojans by employing modern technologies like Node.js, .NET, and Nim, which diverge from older languages like Delphi. 

This evolution underscores the growing sophistication in the threat landscape, with up to 90% of infections originating from Brazil, demonstrating threat actors’ adaptation to the latest languages and tools.

IoCs

Host-based (MD5 hash):

  • 03 eacccb664d517772a33255dff96020
  • 071b6efd6d3ace1ad23ee0d6d3eead76
  • 276f14d432601003b6bf0caa8cd82fec
  • 5134e6925ff1397fdda0f3b48afec87b
  • bf9c9cc94056bcdae6e579e724e8dbbd

C2 domain list:

  • atendesolucao[.]com
  • servicoasso[.]com
  • dowfinanceiro[.]com
  • centralsolucao[.]com
  • traktinves[.]com
  • diadaacaodegraca[.]com
  • segurancasys[.]com

Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.

Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.