
The Coyote Hits the Bank

  • Javier Conejo del Cerro
  • 28 Jul
  • 4 min read

The banking trojan Coyote is back on the hunt—leaner, stealthier, and armed with a technique never before observed in the wild. In its latest variant, Coyote becomes the first known malware to weaponize Windows UI Automation (UIA), a legitimate accessibility framework, to steal login credentials from 75 banking institutions and cryptocurrency exchanges in Brazil. This clever abuse allows it to quietly observe the user’s interface and extract financial data without needing traditional overlays, keyloggers, or even an active internet connection at the time of compromise.

Originally discovered in 2024 by Kaspersky, Coyote has since evolved from a basic infostealer into a sophisticated financial predator. Now analyzed by Akamai, the new variant’s ability to exploit UIA marks a serious escalation in malware design, mimicking the methods of Android trojans that exploit mobile accessibility services—except this one lives on Windows desktops.


Reading the Screens of Its Prey


Brazilian banking users caught unaware by accessibility abuse

Victims of this campaign are primarily Brazilian users conducting personal or small business financial activity online. This includes a wide spectrum—from individuals managing their day-to-day checking accounts, to crypto traders logging into exchange platforms, and small business owners conducting payroll or vendor transfers. What they all share is trust in the security of their banking portals and ignorance of the ways their device’s own accessibility features could be turned against them.

Coyote does not require advanced privilege escalation or the installation of additional rootkits. It simply relies on features that are already baked into the Windows operating system—specifically, Microsoft’s UI Automation framework, which was originally intended to help screen readers and assistive technologies navigate graphical user interfaces. Victims are infected via trojanized applications or malicious attachments, typically distributed through phishing emails or rogue downloads. Once opened, these files silently install Coyote, which begins observing the victim’s screen without disrupting the desktop or browser environment.

Since no visual indicators or pop-ups are presented, the victims remain completely unaware while their most sensitive credentials are being siphoned in real time.


Coyote Interface


From malicious files to silent screen scraping via UI Automation

The attack sequence begins with a trojanized executable or malicious document—either a fake financial tool, rogue installer, or weaponized attachment sent via phishing campaigns. Once executed, the malware checks which window is active using the GetForegroundWindow() API, capturing its title to see if it matches any of the 75 hard-coded domains belonging to Brazilian banks and crypto services.

If there’s no direct match in the window title, Coyote activates Windows UI Automation to analyze the deeper UI structure of the active window. It parses child elements—like browser tabs, address bars, and embedded frames—to identify whether the user is interacting with a target site, even if the URL isn’t directly exposed in the window name. This method allows it to identify financial activity even when browser windows are minimized, obscured, or not obviously labeled.

Once a match is found, Coyote silently reads text fields, particularly those used for usernames, passwords, and other login data. Unlike overlays or keyloggers, UI Automation gives the malware semantic access to individual fields, letting it interpret what the user is entering in near real time. This allows the trojan to extract credentials without logging keystrokes or interfering with browser visuals.

Moreover, Coyote can perform all of this offline, storing stolen credentials locally and exfiltrating them once a connection is reestablished—making it significantly harder to detect using real-time monitoring tools.

This technique mirrors what’s been seen in Android banking trojans, which frequently abuse accessibility services to interact with app interfaces, hijack inputs, and read sensitive content. But this is one of the first instances where such a method has been fully operationalized in a Windows environment.


Coyote Tamed


Security responses to an invisible, offline-accessing threat

The emergence of this variant of Coyote raises alarms not only because of its scope—75 institutions targeted—but because of the difficulty in detecting or blocking attacks that rely on trusted Windows APIs. While endpoint solutions have long focused on detecting keyloggers, screen scrapers, or suspicious overlays, abuse of accessibility features like UI Automation has remained a blind spot.

To defend against this level of silent credential theft, organizations and users must shift their focus toward behavioral detection and interface monitoring, rather than signature-based or heuristic-only approaches.

Security teams should:

  • Monitor applications for unusual use of UI Automation, especially background parsing of browser windows or child UI elements.

  • Restrict accessibility features in unverified or untrusted apps, particularly those that do not explicitly require them for user interaction.

  • Filter and block malicious file types and executables from untrusted sources or unknown publishers—especially those built using the .NET framework, which is commonly used in Coyote’s architecture.

  • Harden email defenses to prevent delivery of trojanized attachments.

  • Raise user awareness about malware embedded in productivity tools, rogue finance apps, or fake system utilities.

  • Implement endpoint monitoring capable of recognizing abnormal access to UI layers, such as attempts to invoke GetForegroundWindow() or UIA commands from unexpected processes.
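The two monitoring items above (unusual UI Automation use, and UIA activity from unexpected processes) can be turned into a concrete hunting check. The script below is an added example, not code from this post or from the Akamai or Kaspersky analyses it summarizes: it walks simplified, Sysmon-style ImageLoad (Event ID 7) records, groups loaded DLLs per process, and scores any process that loads the UI Automation client library (UIAutomationCore.dll) outside a baseline of processes expected to use it, raising the score when the process runs from a user-writable path or also hosts the .NET runtime, which matches the .NET-based build of Coyote noted earlier. The sample records, the baseline process list, the user-writable path prefixes and the .NET runtime DLL names are assumptions constructed for this example and must be tuned to a real environment.

```python
"""
Detection sketch (added example): flag processes that load the UI Automation
client library outside an expected baseline, using simplified Sysmon-style
ImageLoad (Event ID 7) records. All sample data below is constructed.
"""
import re

UIA_DLL = "uiautomationcore.dll"

# .NET runtime images. A UIA-loading process that also hosts the CLR is a closer
# match for a .NET-built trojan than for a native assistive tool. (Assumed list.)
DOTNET_RUNTIME_DLLS = {"clr.dll", "coreclr.dll", "mscorwks.dll"}

# Assumed baseline: assistive tools, the shell, and browsers (which act as UIA
# providers) legitimately load UIAutomationCore.dll. Tune per environment.
EXPECTED_UIA_PROCESSES = {
    "narrator.exe", "magnify.exe", "explorer.exe",
    "msedge.exe", "chrome.exe", "firefox.exe",
}

# Assumed user-writable locations from which trusted software rarely runs.
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")

# Constructed Sysmon-style records: a screen reader, a browser, a process-create
# record (ignored), a suspicious .NET executable in %TEMP%, and an unlisted but
# legitimately installed business tool.
SAMPLE_EVENTS = [
    r'EventID=7 ProcessId=1200 Image=C:\Windows\System32\narrator.exe ImageLoaded=C:\Windows\System32\UIAutomationCore.dll',
    r'EventID=7 ProcessId=3344 Image="C:\Program Files\Google\Chrome\Application\chrome.exe" ImageLoaded=C:\Windows\System32\UIAutomationCore.dll',
    r'EventID=1 ProcessId=5120 Image=C:\Users\victim\AppData\Local\Temp\AtualizacaoBancaria.exe CommandLine=AtualizacaoBancaria.exe',
    r'EventID=7 ProcessId=5120 Image=C:\Users\victim\AppData\Local\Temp\AtualizacaoBancaria.exe ImageLoaded=C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll',
    r'EventID=7 ProcessId=5120 Image=C:\Users\victim\AppData\Local\Temp\AtualizacaoBancaria.exe ImageLoaded=C:\Windows\System32\user32.dll',
    r'EventID=7 ProcessId=5120 Image=C:\Users\victim\AppData\Local\Temp\AtualizacaoBancaria.exe ImageLoaded=C:\Windows\System32\UIAutomationCore.dll',
    r'EventID=7 ProcessId=7001 Image="C:\Program Files\Acme\ReportTool.exe" ImageLoaded=C:\Windows\System32\UIAutomationCore.dll',
]

# key=value pairs; quoted values may contain spaces (e.g. "C:\Program Files\...").
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line):
    """Parse one key=value record into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}


def basename(path):
    """Lower-cased file name component of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def analyze(events):
    """Group ImageLoad records per process and score those that load UIA
    outside the baseline. Returns findings sorted by descending score."""
    loaded = {}  # (pid, image path) -> set of loaded DLL base names
    for line in events:
        ev = parse_event(line)
        if ev.get("EventID") != "7":
            continue  # only ImageLoad records carry the DLL information
        key = (ev["ProcessId"], ev["Image"])
        loaded.setdefault(key, set()).add(basename(ev["ImageLoaded"]))

    findings = []
    for (pid, image), dlls in loaded.items():
        if UIA_DLL not in dlls or basename(image) in EXPECTED_UIA_PROCESSES:
            continue  # no UIA use, or an expected UIA client: nothing to report
        reasons = ["loads UIAutomationCore.dll outside the UIA baseline"]
        if image.lower().startswith(USER_WRITABLE_PREFIXES):
            reasons.append("runs from a user-writable path")
        if dlls & DOTNET_RUNTIME_DLLS:
            reasons.append("hosts the .NET runtime")
        findings.append({"pid": pid, "image": image,
                         "score": len(reasons), "reasons": reasons})
    return sorted(findings, key=lambda f: f["score"], reverse=True)


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"pid {f['pid']} {f['image']} score={f['score']}: {'; '.join(f['reasons'])}")
```

On the constructed data the %TEMP% executable scores 3 (unlisted UIA client, user-writable path, .NET runtime loaded) while the unlisted business tool scores 1, which is the triage order an analyst wants. Two caveats: many legitimate GUI applications load UIAutomationCore.dll, so the baseline, not the load by itself, is what makes a finding actionable; and GetForegroundWindow() lives in user32.dll, which practically every windowed process loads, so that call is invisible at image-load granularity and needs API-level telemetry from the endpoint agent rather than DLL-load events.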


By understanding that accessibility features can be both helpful and harmful, security professionals can begin adapting their defenses to this new breed of malware that, like the coyote itself, thrives in stealth and adapts quickly to new terrain.

