New Coyote malware uses Windows UI Automation to steal banking credentials, targeting Brazilian users across 75 banks and crypto platforms.
Coyote malware is now the first to exploit Microsoft’s UI Automation framework in the wild, validating prior warnings from Akamai researchers in December 2024. The UI Automation (UIA) framework is a Microsoft accessibility framework that enables automated access to the user interface (UI) of Windows applications.
In February, FortiGuard Labs researchers detected a campaign using LNK files executing PowerShell commands to deploy the Coyote Banking Trojan. Threat actors target Brazilian users by stealing financial data, the malware can harvest sensitive information from over 70 financial applications and numerous websites. The Coyote Banking Trojan supports multiple malicious functions, including keylogging, capturing screenshots, and displaying phishing overlays to steal sensitive credentials.
“Coyote now leverages UIA as part of its operation. Like any other banking trojan, Coyote is hunting banking information, but what sets Coyote apart is the way it obtains this information, which involves the (ab)use of UIA.” reads the report published by Akamai.
The Coyote malware collects system details and focuses on identifying victims’ financial services. It first checks the active window’s title against a list of 75 bank and crypto site addresses. If no match is found, it uses Microsoft’s UI Automation (UIA) framework to dig into UI elements like browser tabs. This allows Coyote to extract hidden web addresses and match them to its target list. UIA gives attackers an easy way to analyze other apps’ sub-elements, even offline, increasing the chances of credential theft.
Malware authors are rapidly adopting Microsoft’s UI Automation (UIA) for new attack methods. Beyond reading UI elements, attackers can now extract sensitive data and manipulate UI components for stealthy social engineering techniques, such as altering browser address bars and redirecting users with minimal visual cues.
To detect abuses of the UI Automation (UIA), researchers recommend that admins should monitor for the UIAutomationCore.dll loaded by unknown processes and for specific named pipes (e.g., UIA_PIPE_*). Queries using osquery can help spot these signs.
“Although UIA may seem like a harmless tool, as we highlighted in our previous blog post, abusing its capabilities can lead to serious damage for organizations. By exposing Coyote’s tactics, we hope defenders will be better equipped with multiple ways to detect and respond to this threat.” concludes the report. “We believe UIA represents a viable and dangerous attack vector that warrants serious attention — and one we’re likely to see increased abuse of in the future.”
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
Pierluigi Paganini
(SecurityAffairs – hacking, Coyote malware)