Cybersecurity scholars uncover a new malware strain that exploits Microsoft technology to steal confidential banking user information.
In a concerning development for digital security, a new variant of the Coyote banking trojan has been observed to exploit Microsoft's UI Automation (UIA) framework in the wild. This malware targets Brazilian users across 75 banks and cryptocurrency platforms [1][2][3][4].
How Coyote Abuses UI Automation
The Coyote malware takes advantage of UIA, a Microsoft accessibility framework designed to enable automated interaction with UI elements of Windows applications. Typically used by assistive technologies to access application interfaces safely and reliably, Coyote abuses this framework to parse and extract detailed UI information from other applications, such as web browsers [1][3].
The process begins with the malware calling the GetForegroundWindow() Windows API to obtain the active window, then comparing that window's title to a hardcoded list of 75 targeted banking or crypto-related URLs [3]. If the active window’s title does not match any target, Coyote uses UIA to "dig deeper" into sub-elements of the window (such as browser tabs or address bars) to identify hidden or indirect references to its targeted websites [1][3].
This approach allows the malware to extract hidden web addresses and interface elements that reveal which bank or crypto platform the user is interacting with. Moreover, Coyote can perform this targeting both online and offline, increasing its chance of successfully identifying the victim’s targeted financial institution or crypto exchange [2][3].
With UIA, Coyote can efficiently analyze and steal credentials by interacting with complex UI structures without needing extensive knowledge of the target application's architecture, a historically challenging aspect of such attacks [3]. In addition to UI Automation abuse, this Coyote variant continues to employ traditional banking trojan techniques like keylogging, phishing overlays, and screenshot capture to harvest sensitive banking data [1][2].
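Because this technique depends on a process using UI Automation, one defensive check is to look for unfamiliar processes loading the UIA core library. The sketch below is an added example, not code from the article or its sources. The record fields, sample events, allowlist and path heuristics are assumptions constructed for illustration.

```python
import ntpath

UIA_CORE = "uiautomationcore.dll"  # Windows library that implements UI Automation
# Assumption: processes expected to load UIA on this fleet (hypothetical list).
EXPECTED = {"narrator.exe", "magnify.exe", "osk.exe", "explorer.exe",
            "chrome.exe", "msedge.exe"}
# Assumption: directories a standard user can write to, lower-cased.
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\windows\\temp\\")

# Constructed image-load records (Image = loading process, ImageLoaded = module).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\Narrator.exe",
     "ImageLoaded": r"C:\Windows\System32\UIAutomationCore.dll"},
    {"Image": r"C:\Users\alice\AppData\Roaming\updater\svc_host32.exe",
     "ImageLoaded": r"C:\Windows\System32\UIAutomationCore.dll"},
    {"Image": r"C:\Program Files\QA Tools\uitest.exe",
     "ImageLoaded": r"C:\Windows\System32\UIAutomationCore.dll"},
    {"Image": r"C:\Users\alice\AppData\Roaming\updater\svc_host32.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},
]

def classify(event):
    """Return None, 'review' or 'high' for one image-load record."""
    if ntpath.basename(event["ImageLoaded"]).lower() != UIA_CORE:
        return None                      # not a UIA load
    image = event["Image"].lower()
    if ntpath.basename(image) in EXPECTED:
        return None                      # known UIA user
    if any(part in image for part in USER_WRITABLE):
        return "high"                    # unknown binary in a user-writable path
    return "review"                      # unknown binary in an installed location

def triage(events):
    """Map each flagged process path to its highest severity."""
    rank = {"review": 1, "high": 2}
    findings = {}
    for event in events:
        severity = classify(event)
        if severity and rank[severity] > rank.get(findings.get(event["Image"]), 0):
            findings[event["Image"]] = severity
    return findings

if __name__ == "__main__":
    for image, severity in triage(SAMPLE_EVENTS).items():
        print(f"{severity:6} {image}")
```

Name-based allowlisting is only a first pass; a production rule would also verify the signer and full path of allowlisted binaries.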
Other Notable Developments in the Crypto and Tech Sphere
Meanwhile, in other news, a trader predicts a potential 76% rally for Dogecoin, forming a bullish pattern. Bitcoin, on the other hand, is still in an early-stage bullish setup, according to an analytics platform.
Elsewhere, Bitcoin miner Marathon Digital Holdings, backed by Peter Thiel, now holds $1,000,000,000 worth of Ethereum in a bid to become the MicroStrategy of ETH. The weakening of the US Dollar is considered good news for Bitcoin at this stage of the cycle by analyst Jason Pizzino, but there's a catch.
There is no new information about Pepeto's $5.5 million presale and demo trading platform, Valhalla's first-ever tournament, Meet the Most Valuable Builder Season 10 Cohort, Remittix's $17 million presale, BioSig Technologies and Streamex's real-world asset tokenization, Zircuit's AI trading engine, or G Coin surpassing one million daily on-chain transactions.
[1] [Source 1]
[2] [Source 2]
[3] [Source 3]
[4] [Source 4]
- Coyote's exploitation of UI Automation is not limited to stealing credentials for financial institutions; it also targets cryptocurrency platforms, posing a significant threat to the cybersecurity of the entire digital finance sector.
- As the crypto market continues to evolve, traders are forecasting a potential 76% rally for Dogecoin, while Bitcoin is still in an early bullish setup, according to an analytics platform.
- Amidst these developments, Bitcoin miner Marathon Digital Holdings, with Peter Thiel's backing, has amassed $1,000,000,000 worth of Ethereum, aiming to emulate the strategic approach of MicroStrategy with Ethereum.