Coyote Banking Trojan: A Stealthy Attack via LNK Files

Jan. 31, 2025, 11:06 a.m.

Description

A sophisticated multi-stage attack utilizing LNK files to deliver the Coyote Banking Trojan has been identified, primarily targeting Brazilian financial applications. The malware employs PowerShell commands, shellcode injection, and registry manipulation to establish persistence and evade detection. It monitors user activity, captures sensitive information from over 1,000 targeted websites and 73 financial agents, and communicates with command and control servers. The Trojan's capabilities include keylogging, screenshot capture, and displaying phishing overlays. This complex attack highlights the need for robust cybersecurity measures to protect against evolving threats in the financial sector.

Date

  • Created: Jan. 31, 2025, 9:53 a.m.
  • Published: Jan. 31, 2025, 9:53 a.m.
  • Modified: Jan. 31, 2025, 11:06 a.m.

Attack Patterns

  • Coyote Banking Trojan
  • T1564.004
  • T1124
  • T1497.001
  • T1059.001
  • T1571
  • T1547.001
  • T1056.001
  • T1113
  • T1204.002
  • T1106
  • T1082
  • T1055
  • T1140
  • T1027
  • T1112

Additional Information

  • Finance
  • Brazil