Article Details
Scrape Timestamp (UTC): 2025-07-24 15:46:40.636
Source: https://www.theregister.com/2025/07/24/coyote_malware_microsoft_uia/
Original Article Text
Coyote malware abuses Microsoft's UI Automation to hunt banking creds

Some coyotes hunt squirrels; this one hunts users' financial apps.

A new variant of the Coyote banking trojan abuses Microsoft's UI Automation (UIA), making it the first reported malware to use UIA for credential theft. According to Akamai, which documented the UIA abuse in a Tuesday report, this Coyote variant is aimed at Brazilians and has already used the Microsoft accessibility framework to pilfer user credentials for 75 web addresses belonging to banks and cryptocurrency exchanges.

UIA is an accessibility framework for Windows that allows assistive-technology products, such as screen readers, and automated testing tools to interact with and retrieve information about the user-interface elements of other applications. While it is intended to make apps more accessible to users with disabilities, criminals will find a way to abuse just about any software tool, even ones built with the best of intentions.

Last December, Akamai security researcher Tomer Peled detailed how attackers could abuse UIA to steal credentials and execute code, along with proofs-of-concept. Shortly after, "our concerns were validated when a variant of the banking trojan malware Coyote was observed abusing UIA in the wild — marking the first known case of such exploitation," Peled said in the report.

Coyote malware, first spotted in February 2024, uses techniques such as keylogging and phishing overlays to evade antivirus and endpoint-security products and steal banking information. It is novel in that it uses Squirrel (get it? Coyotes hunt squirrels!), a tool for installing and updating Windows desktop apps, to hide its initial loader by masquerading as an update packager. Now it has added a new weapon to its arsenal: UIA, to hunt people's banking information.
Here's how it works. First, during the infection process, Coyote sends the attacker's command-and-control server information about each victim, including their user name, computer name, and, critically, the financial services they use. It does this by calling the GetForegroundWindow() Windows API to obtain the handle of the active window, then comparing that window's title against a hardcoded list of web addresses belonging to the targeted banks and crypto exchanges.

If the window title does not match any of those addresses, Coyote uses UIA to enumerate the window's child UI elements, hoping to identify browser tabs or address bars. The text of those elements is then cross-referenced against the same pre-defined address list. Coyote classifies the banks and crypto exchanges by name or web address, and each class includes several addresses; Akamai puts the total number at 75. Santander, for example, has four different web addresses, Expanse apps have nine, Banco do Nordeste has eight, and so on.

"Without UIA, parsing the sub-elements of another application is a nontrivial task," Peled notes. "To be able to effectively read the contents of sub-elements within another application, a developer would need to have a very good understanding of how the specific target application is structured."

Coyote sidesteps that requirement by leaning on UIA's capabilities, and it periodically checks whether it is running in online or offline mode. Eventually, when the user navigates to a banking site Coyote has been watching for and enters their credentials, those credentials go off to the command-and-control server, and the next step is to drain the user's account.
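As an added example (not code from the article, from Akamai's report, or from the malware itself), the following Windows PowerShell 5.1 script reimplements the two-stage target check just described: a GetForegroundWindow() call plus window-title comparison, and, only on a miss, a UIA walk of the foreground window's descendants looking for address bars and tabs. Three things are assumptions: the .NET System.Windows.Automation wrapper stands in for the native UIA COM client a native trojan would more plausibly use; the domains in $Targets are constructed placeholders for the hardcoded list of 75; and the function and variable names are the editor's. The script stops at identifying which watched address is on screen and captures nothing.

```powershell
# Added example (not Coyote's or Akamai's code): Windows PowerShell 5.1 reimplementation of the
# two-stage target check described above. Stage 1 is the cheap window-title compare; stage 2 is
# the UIA descendant walk that only runs when the title gives no hit.
Add-Type -AssemblyName UIAutomationClient
Add-Type -AssemblyName UIAutomationTypes
Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
using System.Text;
public static class NativeWin32 {
    [DllImport("user32.dll")]
    public static extern IntPtr GetForegroundWindow();
    [DllImport("user32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    public static extern int GetWindowText(IntPtr hWnd, StringBuilder lpString, int nMaxCount);
}
"@

# Constructed watch list (assumption): placeholders for the hardcoded bank/exchange addresses.
$Targets = @('santander.com.br', 'bnb.gov.br', 'binance.com')

function Find-TargetInText {
    param([string]$Text)
    # Case-insensitive substring match of any watched address in a title, tab name or URL.
    if ([string]::IsNullOrEmpty($Text)) { return $null }
    $lower = $Text.ToLowerInvariant()
    foreach ($t in $Targets) { if ($lower.Contains($t)) { return $t } }
    return $null
}

function Get-ForegroundWindowInfo {
    # Stage 1 input: handle and caption of the active window via GetForegroundWindow().
    $hwnd = [NativeWin32]::GetForegroundWindow()
    $sb = New-Object System.Text.StringBuilder 1024
    [void][NativeWin32]::GetWindowText($hwnd, $sb, $sb.Capacity)
    return [pscustomobject]@{ Handle = $hwnd; Title = $sb.ToString() }
}

function Find-TargetViaUia {
    param([IntPtr]$Handle)
    # Stage 2: ask UIA for every Edit (address bar) and TabItem (browser tab) under the window,
    # then check each element's Name and, where it exposes one, its ValuePattern value (the URL).
    $root   = [System.Windows.Automation.AutomationElement]::FromHandle($Handle)
    $ctProp = [System.Windows.Automation.AutomationElement]::ControlTypeProperty
    $editCond = [System.Windows.Automation.PropertyCondition]::new($ctProp, [System.Windows.Automation.ControlType]::Edit)
    $tabCond  = [System.Windows.Automation.PropertyCondition]::new($ctProp, [System.Windows.Automation.ControlType]::TabItem)
    $cond     = [System.Windows.Automation.OrCondition]::new($editCond, $tabCond)
    $elements = $root.FindAll([System.Windows.Automation.TreeScope]::Descendants, $cond)
    foreach ($el in $elements) {
        try {
            $texts = @($el.Current.Name)
            $vp = $null
            if ($el.TryGetCurrentPattern([System.Windows.Automation.ValuePattern]::Pattern, [ref]$vp)) {
                $texts += $vp.Current.Value
            }
        } catch [System.Windows.Automation.ElementNotAvailableException] {
            continue   # tab closed or page navigated away while we were reading it
        }
        foreach ($text in $texts) {
            $hit = Find-TargetInText -Text $text
            if ($hit) { return $hit }
        }
    }
    return $null
}

function Invoke-TargetCheck {
    # Mirrors the order the article gives: title first, UIA only on a miss.
    $win = Get-ForegroundWindowInfo
    $hit = Find-TargetInText -Text $win.Title
    if ($hit) { return [pscustomobject]@{ Target = $hit; Method = 'WindowTitle'; Title = $win.Title } }
    if ($win.Handle -eq [IntPtr]::Zero) { return $null }
    $hit = Find-TargetViaUia -Handle $win.Handle
    if ($hit) { return [pscustomobject]@{ Target = $hit; Method = 'UIA'; Title = $win.Title } }
    return $null
}

# Poll the foreground window a few times, as the malware does periodically.
1..5 | ForEach-Object { Invoke-TargetCheck; Start-Sleep -Seconds 2 }
```

Run it with a browser in the foreground on a page whose URL contains one of the placeholder domains and it reports the match and which stage found it. Note what is absent: no process injection, no API hooking, no browser extension. The whole read goes through a documented, signed accessibility API, which is exactly what makes the technique hard to separate from legitimate assistive-technology use and why the stage-2 call, a process that is neither a screen reader nor a test harness walking a browser's UIA tree, is the behaviour a detection engineer should be looking for.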
Daily Brief Summary
Coyote, a banking trojan, is utilizing Microsoft's UI Automation to steal credentials from Brazilian users, targeting 75 banking and cryptocurrency sites.
Coyote itself was first spotted in the wild in February 2024; this new variant is the first known malware to abuse UI Automation, a novel technique in banking-trojan attacks.
UI Automation, primarily an accessibility aid, is being used to read the UI elements of other applications, such as browser tabs and address bars, so the malware can tell when a victim is on a targeted financial site.
The malware operates by first collecting victim details, including which financial services they use, and then employing UI Automation to identify the targeted sites and capture the credentials entered there.
Akamai's report stresses that UI Automation spares the malware the application-specific knowledge normally needed to parse another program's UI, and that abusing a legitimate, built-in accessibility framework gives security products little to flag.
Coyote malware also features techniques like keylogging and phishing overlays, enhancing its stealth and efficacy against defenses.
The ongoing evolution and sophistication of Coyote underscore the persistent and adaptive nature of cyber threats in targeting financial institutions.