Keypoints
- Distribution uses the Squirrel installer packaging an Electron (Node.js) app that runs an obfuscated preload.js to stage payloads.
- The Node.js loader copies executables from a local “temp” folder to Videos\captures and launches a signed application (obs-browser-page.exe) to begin execution.
- The banker is loaded via DLL sideloading of libcef.dll from legitimate binaries (Chrome/OBS-related executables).
- A Nim-written loader unpacks a .NET executable and executes it in memory using the CLR, similar to Donut-style execution.
- Persistence is achieved by inserting obs-browser-page.exe into the HKCU\Environment\UserInitMprLogonScript registry value (logon scripts).
- C2 uses mutual TLS with an attacker certificate stored encrypted in resources; commands are encoded as strings whose length determines the action (screenshots, overlays, keylogger, kill process, etc.).
- Strings are obfuscated using AES with per-executable random keys and base64-encoded entries; telemetry shows the campaign targets ~61 Brazilian banking apps.
MITRE Techniques
- [T1574.002] DLL Side-Loading – DLL sideloading is used to load the banker via a dependency (libcef.dll). (‘DLL sideloading occurs in the libcef.dll library.’)
- [T1547.003] Logon Scripts – Persistence by inserting the signed application path into the user logon script registry value. (‘it inserts the registry value as the full path to the signed application, in this case, obs-browser-page.exe.’)
- [T1056.001] Input Capture: Keylogging – C2 can enable a keylogger on demand. (‘ranging from keylogging to taking screenshots.’)
- [T1113] Screen Capture – The Trojan can take screenshots when instructed by the C2. (‘ranging from keylogging to taking screenshots.’)
- [T1573] Encrypted Channel – Command-and-control uses SSL with mutual authentication and a stored attacker certificate. (‘The Trojan establishes communication … using SSL channels with a mutual authentication scheme.’)
- [T1027] Obfuscated Files or Information – The malware uses AES-based string obfuscation with base64-encoded entries and per-item IVs. (‘Coyote does not implement any code obfuscation and only uses string obfuscation with AES encryption.’)
- [T1057] Process Discovery – The banker monitors open applications and waits for specific banking apps or websites to be accessed. (‘it monitors all open applications on the victim’s system and waits for the specific banking application or website to be accessed.’)
- [T1055] Process Injection / In-memory Execution – A Nim loader unpacks a .NET executable and executes it in memory using the CLR (Donut-like technique). (‘The loader’s objective is to unpack a .NET executable and execute it in memory using the CLR.’)
Indicators of Compromise
- [MD5 hash] Host-based sample hashes – 03eacccb664d517772a33255dff96020, 071b6efd6d3ace1ad23ee0d6d3eead76, and 3 more hashes.
- [C2 domain] Command-and-control domains – atendesolucao[.]com, servicoasso[.]com, and 5 more domains (e.g., dowfinanceiro[.]com).
- [File name] Execution and sideloading artifacts – obs-browser-page.exe (persistence entry point), libcef.dll (sideloaded library).
- [Folder names] Staging folders used by loader – ‘temp’ (source staging) and ‘captures’ inside Videos (deployed executables).
The infection chain begins with a malicious Squirrel installer that launches an Electron (Node.js) application. That application runs an obfuscated preload.js which copies executables from a local “temp” folder into a Videos\captures folder and then executes a signed binary (obs-browser-page.exe). Legitimate binaries (Chrome/OBS-related executables) are abused so that libcef.dll is sideloaded, allowing the attacker-controlled DLL to be loaded as a dependency.
Next, a Nim-written loader is invoked to unpack an embedded .NET payload and execute it directly in memory via the CLR (a Donut-like technique), avoiding dropping the final payload to disk. The .NET banker uses AES-encrypted, base64-encoded string tables with per-executable random keys and IVs; strings are decrypted on demand by index. Persistence is achieved by writing the full path of the signed binary into the HKCU\Environment\UserInitMprLogonScript registry value so obs-browser-page.exe runs at user logon.
For command-and-control, the malware uses mutual TLS with an attacker certificate stored encrypted in resources and decrypted via .NET X509 APIs. The agent reports the machine name, a GUID and the active banking application; the server responds with a delimited string whose first field is a random string, and the length of that string selects the command: screenshot capture, display of phishing overlays, keylogging, cursor movement, process termination or shutdown. The campaign targets many Brazilian banking applications and relies on these multi-stage techniques to evade detection and run the banker entirely in memory.
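A triage helper that checks a host snapshot for the persistence, sideloading and C2 artifacts listed above, written here as an added example rather than code from the Securelist report or any Kaspersky tooling. The registry, file and DNS data, the user name and the Program Files OBS layout are constructed for illustration; only the registry value, file names, folder names and domains come from the write-up.

```python
"""Triage helper for the Coyote artifacts described above (added example, not from
the Securelist write-up). It checks an offline snapshot of registry values, file
paths and DNS queries supplied as plain Python data, so it runs without a live host."""
from pathlib import PureWindowsPath

# Observables taken from the write-up; C2 domains are the defanged ones refanged.
LOGON_SCRIPT_VALUE = r"HKCU\Environment\UserInitMprLogonScript"
SIGNED_HOST_BINARY = "obs-browser-page.exe"
SIDELOADED_DLL = "libcef.dll"
STAGING_FOLDER = ["videos", "captures"]  # %USERPROFILE%\Videos\captures
C2_DOMAINS = {"atendesolucao.com", "servicoasso.com", "dowfinanceiro.com"}

def in_staging_folder(path: str) -> bool:
    # True if a Videos\captures component pair appears anywhere in the path.
    parts = [p.lower() for p in PureWindowsPath(path).parts]
    return any(parts[i:i + 2] == STAGING_FOLDER for i in range(len(parts) - 1))

def triage(registry: dict, files: list, dns_queries: list) -> list:
    # Returns one finding per matched artifact; an empty list means nothing matched.
    findings = []
    # T1547.003: UserInitMprLogonScript pointing at the signed host or the staging folder.
    script = registry.get(LOGON_SCRIPT_VALUE, "")
    if script:
        hit = PureWindowsPath(script).name.lower() == SIGNED_HOST_BINARY or in_staging_folder(script)
        findings.append(("T1547.003 logon script -> " if hit else "review: logon script set -> ") + script)
    # T1574.002: libcef.dll beside obs-browser-page.exe in the user-writable staging folder.
    # A genuine OBS install under Program Files ships both files, so location is the signal.
    by_dir = {}
    for f in files:
        p = PureWindowsPath(f)
        by_dir.setdefault(str(p.parent), set()).add(p.name.lower())
    for directory, names in by_dir.items():
        if {SIDELOADED_DLL, SIGNED_HOST_BINARY} <= names and in_staging_folder(directory):
            findings.append(f"T1574.002 sideload pair in {directory}")
    # C2 domains from the write-up (exact match or subdomain).
    for q in dns_queries:
        q = q.lower().rstrip(".")
        if q in C2_DOMAINS or any(q.endswith("." + d) for d in C2_DOMAINS):
            findings.append(f"C2 lookup: {q}")
    return findings

# Constructed sample snapshot: an infected profile next to a clean OBS install.
SAMPLE_REGISTRY = {LOGON_SCRIPT_VALUE: r"C:\Users\alice\Videos\captures\obs-browser-page.exe"}
SAMPLE_FILES = [
    r"C:\Users\alice\Videos\captures\obs-browser-page.exe",
    r"C:\Users\alice\Videos\captures\libcef.dll",
    r"C:\Program Files\obs-studio\bin\64bit\obs-browser-page.exe",
    r"C:\Program Files\obs-studio\bin\64bit\libcef.dll",
]
SAMPLE_DNS = ["atendesolucao.com", "update.microsoft.com"]
```

Running `triage(SAMPLE_REGISTRY, SAMPLE_FILES, SAMPLE_DNS)` yields three findings (logon script, sideload pair, C2 lookup) while the Program Files copy of OBS produces none.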
Read more: https://securelist.com/coyote-multi-stage-banking-trojan/111846/