The developers of banking Trojan malware are constantly looking for inventive ways to distribute theirs implants and infect victims. In a recent investigation, we encountered a new malware that specifically targets users of more than 60 banking institutions, mainly from Brazil. What caught our attention was the sophisticated infection chain that makes use of various advanced technologies, setting it apart from known banking Trojan infections.
This malware utilizes the Squirrel installer for distribution, leveraging NodeJS and a relatively new multiplatform programming language called Nim as a loader to complete its infection. We have named this newly discovered Trojan “Coyote” due to the role of coyotes as natural predators of squirrels. The Nim language defines itself as a “statically typed compiled systems programming language that combines successful concepts from mature languages like Python, Ada and Modula”. The adoption of less popular/cross-platform languages by cybercriminals is something we identified as a trend in our Crimeware and financial cyberthreats for 2024.
In this article, we will delve into the workings of the infection chain and explore the capabilities of this Trojan.
Forget old Delphi and MSI
In the banking Trojan landscape, the use of the Delphi language or MSI installers is a recurring trend among malware creators. It’s a well-known fact in the cybersecurity community that this method serves as a widely used initial infection vector.
Coyote does things a little differently. Instead of going down the usual route with MSI installers, it opted for a relatively ..
Support the originator by clicking the read the rest link below.
