
Coyote Malware Evolves, Exploits Windows UI Automation for Banking Data Theft

Updated: Jul 25

A new variant of the Coyote banking trojan has been discovered, marking the first instance of malware exploiting Microsoft's UI Automation (UIA) framework to steal sensitive banking and cryptocurrency credentials. This sophisticated technique allows the malware to bypass traditional security measures by interacting directly with the Windows user interface.


Coyote's New Trick: Abusing Microsoft's UI Automation

Researchers at Akamai have identified a significant evolution in the Coyote malware's tactics. Previously known for employing keylogging and phishing overlays, this latest version now leverages Microsoft's UI Automation (UIA) framework. UIA is an accessibility feature designed to help assistive technologies interact with software. However, cybercriminals are now weaponizing it to gain programmatic access to UI elements, enabling them to extract data from applications.

  • First of its Kind: Coyote is the first known malware to actively abuse the UIA framework in the wild.

  • Targeting Brazilian Users: The current campaign primarily targets users in Brazil, with a focus on credentials for 75 different banking and cryptocurrency exchange websites.

  • Evasion Tactic: By using UIA, the malware can bypass many Endpoint Detection and Response (EDR) solutions that might otherwise flag its activities.

How the Attack Works

The malware operates by first attempting to identify targeted financial services by checking the titles of active windows using a standard Windows API. If the active window's title doesn't match its hardcoded list of financial institutions, Coyote then employs the UIA framework. It uses UIA to parse through the UI elements of the active window, specifically looking for browser tabs or address bars. The content of these elements is then cross-referenced with the malware's extensive list of targeted financial entities.

This method allows Coyote to identify which banking or cryptocurrency sites a user is visiting, even if they are using web-based services within a browser. The malware also collects system information, including computer name, username, and browser data, sending it back to its command-and-control server.

Broader Implications and Defense

While this specific variant is currently focused on Brazilian users, security experts warn that such attack vectors are often tested in specific regions before being deployed globally. The abuse of UIA highlights a growing trend where legitimate system features are repurposed for malicious activities. This underscores the ongoing cat-and-mouse game between cybersecurity professionals and threat actors, who continuously adapt their methods to evade detection.

To defend against such threats, organizations are advised to enhance their EDR tools and monitor for unusual UIA activity. This includes watching for the UIA library being loaded into unfamiliar processes, or for processes interacting with UIA-related named pipes; either can serve as an early warning sign of compromise.
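As an added illustration of that monitoring advice (example code, not from the article or from Akamai's research), the script below scans constructed Sysmon-style telemetry for two of the signals mentioned: the UIA client library being loaded into a process outside a baseline of expected UIA consumers, and non-baseline processes touching UIA-related named pipes. It assumes the library file name UIAutomationCore.dll, a pipe-name pattern containing "UIA_PIPE", and a baseline allowlist, all of which are assumptions to tune to your own environment.

```python
import re

# Constructed sample telemetry in Sysmon style: id 7 = image load, 17/18 = pipe created/connected.
SAMPLE_EVENTS = [
    {"id": 7, "process": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "image": r"C:\Windows\System32\UIAutomationCore.dll"},
    {"id": 7, "process": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "image": r"C:\Windows\System32\UIAutomationCore.dll"},
    {"id": 7, "process": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\kernel32.dll"},
    {"id": 17, "process": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "pipe": r"\UIA_PIPE_a1b2c3"},
    {"id": 18, "process": r"C:\Windows\System32\narrator.exe",
     "pipe": r"\UIA_PIPE_9f8e7d"},
]

# Assumed baseline: processes that legitimately consume UIA in this environment
# (browsers, the shell, assistive tools). Build yours from a known-good period.
EXPECTED_UIA_CONSUMERS = {
    "chrome.exe", "msedge.exe", "firefox.exe", "explorer.exe", "narrator.exe", "magnify.exe",
}

UIA_DLL = "uiautomationcore.dll"                        # assumed UIA client library name
UIA_PIPE_RE = re.compile(r"uia_pipe", re.IGNORECASE)   # assumed UIA pipe naming pattern


def process_name(path: str) -> str:
    """Return the lowercase file name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def find_suspicious_uia_activity(events):
    """Return (process, reason) pairs for UIA use by processes outside the baseline."""
    findings = []
    for ev in events:
        name = process_name(ev["process"])
        if name in EXPECTED_UIA_CONSUMERS:
            continue  # expected consumer; not interesting on its own
        if ev["id"] == 7 and process_name(ev["image"]) == UIA_DLL:
            findings.append((name, "loaded UIAutomationCore.dll"))
        elif ev["id"] in (17, 18) and UIA_PIPE_RE.search(ev.get("pipe", "")):
            findings.append((name, f"uses UIA named pipe {ev['pipe']}"))
    return findings


if __name__ == "__main__":
    for proc, reason in find_suspicious_uia_activity(SAMPLE_EVENTS):
        print(f"ALERT: {proc}: {reason}")
```

A hit from a process running out of a user-writable directory, as in the sample, is the case worth escalating first; a browser or assistive tool in the baseline should stay quiet.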

As cyber threats become increasingly sophisticated, your security strategy must evolve to keep pace. BetterWorld Technology offers adaptive cybersecurity solutions that grow with the threat landscape, helping your business stay secure while continuing to innovate. Reach out today to schedule your personalized consultation.

Sources

  • Akamai Identifies Coyote Malware Variant Capable of Compromising Microsoft UIA Framework, Security Boulevard.

  • Coyote Trojan First to Use Microsoft UI Automation in Bank Attacks, Hackread.

  • Coyote Banking Trojan First to Abuse Microsoft UIA, SecurityWeek.

  • This malware uses Windows features to steal your banking credentials, NewsBytes.

  • Coyote malware abuses Windows accessibility framework for data theft, BleepingComputer.
