Banks and Cryptocurrency Platforms at Risk from New Malware Variant Using Microsoft's UI Automation Framework

Friday, Jul 25, 2025 9:51 pm ET

A new variant of the Coyote malware family has been detected using Microsoft's UI Automation (UIA) accessibility framework to target sensitive banking data. The variant poses a significant threat to banking and cryptocurrency users, particularly in Brazil, where it watches for activity related to 75 banking institutions and cryptocurrency exchanges. The Coyote family was first documented in February 2024 and has spread through phishing, relying on phishing overlays and keylogging to harvest credentials. Security researchers warn that UIA, a legitimate Windows feature, is being misused, and urge users to treat unknown file attachments with caution and organizations to keep systems updated and educate personnel about this class of threat.

Earlier Coyote samples relied on keylogging and phishing overlays to steal banking information. The new variant escalates this by using UIA, the accessibility API Windows exposes so that assistive tools can read and drive other applications' interfaces, to inspect the foreground window: it walks the window's UI element tree (browser tabs and address bars, for example), matches what it finds against its list of targeted banking and cryptocurrency sites, and does so without any user interaction. Akamai, which documented the variant, describes it as the first observed in-the-wild abuse of UIA by malware [1]. The identified targets and harvested credentials are sent to command-and-control servers, where attackers use them to take over victims' accounts [1][2].
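To make the technique concrete, the following is an added example, not Coyote's code and not taken from the Akamai write-up, that reproduces the foreground-window lookup in a benign form with the public UIAutomationClient .NET API from Windows PowerShell 5.1. It first compares the window title against a watch list, then falls back to walking the window's UIA tree for edit controls (address bars) and tab items (browser tabs), which is the step that loads `UIAutomationCore.dll` into the calling process. The watch list entries `bank.example` and `exchange.example` are constructed placeholders, and the five-second delay is there only so you can switch to a browser before the check runs.

```powershell
# Added example (not Coyote's code): benign reproduction of the foreground-window
# lookup using the public UIAutomationClient API. Watch list is a constructed placeholder.
Add-Type -AssemblyName UIAutomationClient
Add-Type -AssemblyName UIAutomationTypes
Add-Type -Namespace Native -Name User32 -MemberDefinition @'
[DllImport("user32.dll")] public static extern IntPtr GetForegroundWindow();
[DllImport("user32.dll", CharSet = CharSet.Unicode)]
public static extern int GetWindowText(IntPtr hWnd, System.Text.StringBuilder text, int count);
'@

$targets = @('bank.example', 'exchange.example')   # hypothetical watch list

# Cheap first check: the foreground window's title, no UIA involved yet.
function Get-ForegroundWindowInfo {
    $hwnd = [Native.User32]::GetForegroundWindow()
    $sb = New-Object System.Text.StringBuilder 512
    [void][Native.User32]::GetWindowText($hwnd, $sb, $sb.Capacity)
    [pscustomobject]@{ Handle = $hwnd; Title = $sb.ToString() }
}

# Fallback: walk the window's UIA tree and collect the names and values of
# edit controls (address bars) and tab items (browser tabs). Calling into
# AutomationElement is what pulls UIAutomationCore.dll into this process.
function Get-UiaStrings([IntPtr]$hwnd) {
    $root  = [System.Windows.Automation.AutomationElement]::FromHandle($hwnd)
    $ctp   = [System.Windows.Automation.AutomationElement]::ControlTypeProperty
    $edit  = [System.Windows.Automation.PropertyCondition]::new($ctp, [System.Windows.Automation.ControlType]::Edit)
    $tab   = [System.Windows.Automation.PropertyCondition]::new($ctp, [System.Windows.Automation.ControlType]::TabItem)
    $cond  = [System.Windows.Automation.OrCondition]::new($edit, $tab)
    $scope = [System.Windows.Automation.TreeScope]::Descendants
    foreach ($el in $root.FindAll($scope, $cond)) {
        $el.Current.Name                                   # tab title or control label
        $vp = $null                                        # ValuePattern exposes the typed text/URL
        if ($el.TryGetCurrentPattern([System.Windows.Automation.ValuePattern]::Pattern, [ref]$vp)) {
            $vp.Current.Value
        }
    }
}

# Return the first watch-list entry found in any of the collected strings, else $null.
function Test-TargetMatch([string[]]$strings) {
    foreach ($s in $strings) {
        if (-not $s) { continue }
        foreach ($t in $targets) { if ($s -like "*$t*") { return $t } }
    }
    return $null
}

Start-Sleep -Seconds 5                      # time to bring a browser to the foreground
$fg  = Get-ForegroundWindowInfo
$hit = Test-TargetMatch @($fg.Title)        # title check first, as the malware does
if (-not $hit) {                            # only then fall back to the UIA tree walk
    $hit = Test-TargetMatch (Get-UiaStrings $fg.Handle)
}
if ($hit) { "Foreground window '$($fg.Title)' matches target '$hit'" }
else      { "No watch-list entry found in foreground window '$($fg.Title)'" }
```

Running this while a browser tab pointing at one of the placeholder names is in front is also a convenient way to generate the `UIAutomationCore.dll` load and UIA named-pipe telemetry that the detection advice below depends on, without touching a real sample.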

The use of UIA by Coyote highlights the growing sophistication of malware techniques and the need for robust defensive measures. Because UIA is a supported accessibility API rather than a vulnerability, there is nothing to patch; detection has to rest on how the API is being used. Akamai recommends monitoring for `UIAutomationCore.dll` being loaded into processes that have no accessibility reason to use it, and for the named pipes UIA opens, as indicators of malicious activity [1][2]. Additionally, organizations should keep their systems updated and educate personnel about the threat posed by Coyote and similar malware families.
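The two indicators can be checked on a live host with a short script. The following is an added example, not code from the page or from Akamai, written for Windows PowerShell 5.1 run with administrative rights so that module lists of other users' processes are readable. The allow-list of processes expected to load `UIAutomationCore.dll` and the `UIA` substring used to filter pipe names are assumptions to tune against a baseline of your own fleet; confirm the exact pipe naming against the Akamai write-up before turning the filter into an alert.

```powershell
# Added example (not from the page or Akamai): point-in-time hunt for the two UIA indicators.
# Both the allow-list and the 'UIA' pipe-name filter are assumptions to tune per environment.
$expectedLoaders = @('explorer', 'Narrator', 'Magnify', 'msedge', 'chrome', 'firefox',
                     'devenv', 'powershell', 'pwsh', 'ShellExperienceHost', 'SearchHost')

# Every process with UIAutomationCore.dll mapped that is not on the allow-list.
function Find-UiaLoaders {
    foreach ($p in Get-Process) {
        try {
            $mod = $p.Modules | Where-Object { $_.ModuleName -ieq 'UIAutomationCore.dll' }
        } catch { continue }     # protected or cross-bitness processes deny module enumeration
        if ($mod -and ($expectedLoaders -notcontains $p.ProcessName)) {
            [pscustomobject]@{
                Pid       = $p.Id
                Process   = $p.ProcessName
                Path      = $p.Path
                Signature = if ($p.Path) { (Get-AuthenticodeSignature $p.Path).Status } else { 'unknown' }
                StartTime = try { $p.StartTime } catch { $null }
                Module    = $mod.FileName
            }
        }
    }
}

# Named pipes are enumerable as files under \\.\pipe\; keep the ones that look UIA-related.
function Find-UiaPipes {
    [System.IO.Directory]::GetFiles('\\.\pipe\') |
        Where-Object { (Split-Path $_ -Leaf) -match 'UIA' }
}

"== Unexpected UIAutomationCore.dll loaders =="
Find-UiaLoaders | Format-Table -AutoSize
"== UIA-related named pipes =="
Find-UiaPipes
```

Treat an unsigned or oddly located binary in the first table, combined with a matching pipe in the second, as the signal worth escalating; a signed browser or assistive tool in either list is expected. For continuous coverage rather than a snapshot, the same two signals are available from Sysmon as image-load events (Event ID 7) for `UIAutomationCore.dll` and pipe-created/pipe-connected events (Event IDs 17 and 18).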

Microsoft has been responsive to vulnerabilities in its products, including the recent emergency security update for a critical SharePoint vulnerability that was being actively exploited by state-affiliated actors [3]. Coyote's abuse of UIA is a different kind of problem: the malware uses a documented API exactly as designed, so there is no flaw for an update to close, and defenders are left to distinguish legitimate assistive-technology use from hostile use by the process doing it [1].

As the threat landscape continues to evolve, it is crucial for both users and organizations to stay vigilant and adopt proactive measures. For this threat that means keeping systems up to date, educating personnel about phishing attachments, and adding endpoint telemetry on DLL loads and named pipes alongside the usual controls, so that misuse of a built-in feature is noticed as readily as exploitation of a known vulnerability.

References:
[1] https://www.akamai.com/blog/security-research/active-exploitation-coyote-malware-first-ui-automation-abuse-in-the-wild
[2] https://www.scworld.com/brief/updated-coyote-trojan-exploits-microsoft-ui-automation
[3] https://www.ainvest.com/news/microsoft-probes-suspected-mapp-leak-enabling-chinese-hackers-exploit-sharepoint-vulnerability-2507/