Keypoints
- Coyote is delivered via a forged update mechanism using Squirrel Installer and performs DLL side-loading to execute malicious code.
- The final payload is a .NET (MSIL) assembly executed in memory: DLL loads the CLR, decrypts base64/AES blobs, and runs the assembly to evade disk-based detection.
- Payload persistence is achieved by modifying HKCU\Environment\UserInitMprLogonScript to re-launch on user logon.
- Coyote monitors the foreground window for hardcoded Brazilian banking application names and only attempts C2 communication when a target is active.
- An embedded, encrypted X.509 certificate is imported and used to authenticate and encrypt communications with the C2 infrastructure.
- The C2 response contains a delimited command string; the length of the first segment selects one of roughly 25 or more supported actions (e.g., screenshot upload, keylogging, process and window manipulation, registry operations).
- Observed IOCs include multiple MD5 hashes and domain names used as C2 or infrastructure (e.g., carfilmenew[.]com, carroderua[.]com).
MITRE Techniques
- [T1574.002] DLL Side-Loading – Coyote abuses an update installer to sideload malicious DLLs (‘it disguises itself as an update packager, and once executed, it sideloads the malicious code.’)
- [T1037.001] Boot or Logon Initialization Scripts – The malware achieves persistence by adding itself to user logon initialization (‘The payload achieves persistence by adding itself to HKCU\Environment\UserInitMprLogonScript’)
- [T1041] Exfiltration Over C2 Channel – The trojan establishes a connection to a CnC server and sends system/banking details for remote actions (‘the trojan tries to establish a connection to the CnC server with some details like respective banking application details, Machine name etc.’)
- [T1113] Screen Capture – One supported remote action is taking screenshots and uploading them to servers (‘Taking screenshots and uploading them to servers’)
- [T1056.001] Input Capture: Keylogging – Coyote can log keystrokes on the infected host (‘Key-logging’)
- [T1112] Modify Registry – The malware sets Registry values in the Current User hive to support persistence and configuration (‘Setting the Registry values in the Current User space.’)
- [T1583.004] Acquire Infrastructure – Operators host C2/infrastructure domains used by the trojan (‘carfilmenew[.]com’, ‘carroderua[.]com’)
Indicators of Compromise
- [File hash – MD5] Samples and payloads observed – 03eacccb664d517772a33255dff96020, ae688dff6f64f1317af09641ae037300, and 7 more hashes.
- [Domains] Infrastructure/C2 candidates – carfilmenew[.]com, carroderua[.]com, and 3 more domains used by the campaign.
- [File / Artifact] In-memory MSIL payload dump – ‘MSIL payload’ dumped from memory (ae688dff6f64f1317af09641ae037300) observed during dynamic analysis.
- [Registry key] Persistence location – HKCU\Environment\UserInitMprLogonScript used to re-launch the payload on user logon.
Coyote is deployed by abusing Squirrel Installer: a malicious package masquerades as an application update and sideloads a DLL that exports identical entry points to increase execution likelihood. During dynamic execution the loaded DLL spawns a CLR instance and loads an MSIL payload from memory; static analysis of that MSIL shows an array of base64-encoded strings which are AES-obfuscated and indexed for runtime decryption.
The decryption routine base64-decodes each entry, takes the first 16 bytes as the IV (array2 in the decompiled code) and treats the remainder as the encrypted blob (array3); each file uses a unique key together with that IV to decrypt the code needed at runtime. To persist, the payload writes itself into HKCU\Environment\UserInitMprLogonScript, and it continuously compares the foreground window title against hardcoded Brazilian banking application names, attempting C2 contact only while a targeted application is active.
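As an added analyst-side example, not code from the report or from the malware itself, the following Go program reimplements the string-table scheme described above so that strings can be recovered from a dumped MSIL payload once the key is known. The report only states that each entry is base64 with a 16-byte IV prefix followed by an AES-encrypted blob, so AES-CBC with PKCS#7 padding is an assumption here; the key, IV and plaintexts are constructed to make the program self-contained, and BuildSampleEntry exists only to produce that test data.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/base64"
	"errors"
	"fmt"
)

// DecryptEntry reverses the string-table scheme described for the MSIL payload:
// base64-decode the entry, take the first 16 bytes as the IV (array2 in the
// decompiled routine) and the remainder as the ciphertext (array3).
// AES-CBC with PKCS#7 padding is an ASSUMPTION; the report only says "AES".
func DecryptEntry(entry string, key []byte) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(entry)
	if err != nil {
		return "", fmt.Errorf("base64: %w", err)
	}
	if len(raw) < aes.BlockSize {
		return "", errors.New("entry shorter than one IV")
	}
	iv, ct := raw[:aes.BlockSize], raw[aes.BlockSize:]
	if len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return "", errors.New("ciphertext is not a whole number of blocks")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	return unpadPKCS7(pt)
}

// unpadPKCS7 strips and validates PKCS#7 padding from a decrypted buffer.
func unpadPKCS7(b []byte) (string, error) {
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize || n > len(b) {
		return "", errors.New("bad PKCS#7 padding")
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return "", errors.New("bad PKCS#7 padding")
		}
	}
	return string(b[:len(b)-n]), nil
}

// DecryptTable resolves an indexed table of entries with one per-file key,
// mirroring how the runtime looks strings up by index.
func DecryptTable(entries []string, key []byte) ([]string, error) {
	out := make([]string, len(entries))
	for i, e := range entries {
		s, err := DecryptEntry(e, key)
		if err != nil {
			return nil, fmt.Errorf("entry %d: %w", i, err)
		}
		out[i] = s
	}
	return out, nil
}

// BuildSampleEntry is the inverse operation and exists only to CONSTRUCT
// sample data for this example; it packs base64(IV || AES-CBC(pad(plaintext))).
func BuildSampleEntry(plaintext string, key, iv []byte) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	pad := aes.BlockSize - len(plaintext)%aes.BlockSize
	pt := append([]byte(plaintext), bytes.Repeat([]byte{byte(pad)}, pad)...)
	ct := make([]byte, len(pt))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, pt)
	return base64.StdEncoding.EncodeToString(append(append([]byte{}, iv...), ct...)), nil
}

func main() {
	key := []byte("0123456789abcdef0123456789abcdef") // constructed 32-byte key (AES-256)
	iv := []byte("fedcba9876543210")                  // constructed 16-byte IV
	e, _ := BuildSampleEntry("sample string", key, iv)
	s, err := DecryptEntry(e, key)
	fmt.Println(s, err)
}
```

When applying this to a real dump, the key is whatever the decompiled routine derives per file; if the mode or padding differ from the assumption, the padding check will reject the output rather than return garbage.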
Before initiating C2, Coyote imports an embedded, encrypted X.509 certificate used for authentication and secure communication; the server responds with a delimited command string whose first segment length selects one of roughly 25 or more remote actions (examples: screenshot capture and upload, keylogging, window/process manipulation, starting processes, registry iteration/modification). The domains the operators host and the MD5 hashes of the observed payloads give analysts indicators with which to detect and block this activity.
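As an added detection example, not from the report, the following Go scanner runs over constructed Sysmon-style log lines and flags two of the behaviours described on this page: a registry value-set event (Sysmon Event ID 13) whose target is the Environment\UserInitMprLogonScript value under any user hive, which is the persistence location named above, and a DNS query event (Sysmon Event ID 22) for either of the two C2 domains listed in the IOC section. The log format is a simplified key=value rendering of the real Sysmon field names (EventType, TargetObject, Details, QueryName), and the SID, paths and process names in the sample lines are placeholders.

```go
package main

import (
	"fmt"
	"strings"
)

// KnownDomains are the defanged C2/infrastructure domains from the IOC section.
var KnownDomains = []string{"carfilmenew[.]com", "carroderua[.]com"}

// PersistenceValue is the registry value (relative to the user hive) abused for
// logon persistence; matched case-insensitively as a suffix of TargetObject.
const PersistenceValue = `\Environment\UserInitMprLogonScript`

// Refang turns a defanged indicator ("example[.]com") back into a matchable name.
func Refang(s string) string {
	return strings.ToLower(strings.ReplaceAll(s, "[.]", "."))
}

// field extracts "Key=value" from a space-separated log line. Values are assumed
// not to contain spaces, which holds for the constructed sample below.
func field(line, key string) string {
	for _, tok := range strings.Fields(line) {
		if strings.HasPrefix(tok, key+"=") {
			return tok[len(key)+1:]
		}
	}
	return ""
}

// Finding is one matched line together with the rule that matched it.
type Finding struct {
	Rule string
	Line string
}

// CheckRegistryPersistence flags an Event ID 13 (value set) whose target ends
// in \Environment\UserInitMprLogonScript (HKCU appears as HKU\<SID> in Sysmon).
func CheckRegistryPersistence(line string) bool {
	if field(line, "EventID") != "13" {
		return false
	}
	target := strings.ToLower(field(line, "TargetObject"))
	return strings.HasSuffix(target, strings.ToLower(PersistenceValue))
}

// CheckKnownDomain flags an Event ID 22 (DNS query) for a listed domain or any
// subdomain of it; a name that merely contains the domain as a substring is not a hit.
func CheckKnownDomain(line string) bool {
	if field(line, "EventID") != "22" {
		return false
	}
	q := strings.ToLower(field(line, "QueryName"))
	for _, d := range KnownDomains {
		d = Refang(d)
		if q == d || strings.HasSuffix(q, "."+d) {
			return true
		}
	}
	return false
}

// Scan applies both checks to every line and returns the findings in order.
func Scan(lines []string) []Finding {
	var out []Finding
	for _, l := range lines {
		if CheckRegistryPersistence(l) {
			out = append(out, Finding{"logon-script-persistence", l})
		}
		if CheckKnownDomain(l) {
			out = append(out, Finding{"known-c2-domain", l})
		}
	}
	return out
}

// SampleLines are CONSTRUCTED for this example; the SID, file paths and
// process names are placeholders, not values taken from the report.
var SampleLines = []string{
	`EventID=13 EventType=SetValue Image=C:\Users\alice\AppData\Local\Temp\update.exe TargetObject=HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\Environment\UserInitMprLogonScript Details=C:\Users\alice\AppData\Local\Temp\payload.exe`,
	`EventID=13 EventType=SetValue Image=C:\Windows\explorer.exe TargetObject=HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\Environment\Path Details=C:\Tools`,
	`EventID=22 Image=C:\Users\alice\AppData\Local\Temp\update.exe QueryName=carfilmenew.com QueryResults=203.0.113.10`,
	`EventID=22 Image=C:\Windows\System32\svchost.exe QueryName=example.org QueryResults=192.0.2.1`,
}

func main() {
	for _, f := range Scan(SampleLines) {
		fmt.Printf("[%s] %s\n", f.Rule, f.Line)
	}
}
```

Any write to UserInitMprLogonScript is rare enough on a workstation that the first rule can be alerted on directly; the Image and Details fields in the matched line then tell the responder which process set the value and what it points at.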