
Coyote Banking Trojan First to Abuse Microsoft UIA

Akamai’s analysis of the Coyote malware revealed that it abuses Microsoft’s UIA accessibility framework to obtain data.

This post appeared first on SecurityWeek.


Akamai has analyzed a recent variant of the Coyote banking trojan and found that it abuses Microsoft’s UI Automation (UIA) framework to obtain data from compromised devices.

In fact, Akamai says Coyote is the first piece of malware to abuse the UIA framework.

The malware has been around since at least February 2024 and has been used to target Windows devices in Latin America. It leverages keylogging and phishing overlays to collect victims’ data, particularly credentials for banking and cryptocurrency services.

UIA is an accessibility framework for Windows applications, providing programmatic access to UI elements on the desktop. “It enables assistive technology products, such as screen readers, to provide information about the UI to end users and to manipulate the UI by means other than standard input,” according to Microsoft.

Akamai warned in December 2024 that threat actors could exploit UIA for malicious purposes by getting a user to run a specially crafted application that leverages the framework. 

The company’s researchers showed how an attacker could abuse UIA for stealthy command execution, browser redirections, and sensitive data theft. Attacks work on any version of Windows since XP and they can bypass endpoint detection and response solutions. 

Akamai recently discovered that the risk is not just theoretical, and malware developers have started abusing UIA, with Coyote apparently being the first piece of malware to do so in the wild.

While UIA could be abused to steal sensitive data, Coyote’s developers are abusing it to determine which financial services the victim uses. The malware first uses a Windows API to obtain the titles of open windows and checks whether they match a hardcoded list of website addresses associated with banks and cryptocurrency services.

If it doesn’t find a match, the malware uses UIA to “parse through the UI child elements of the window”. This enables it to check browser tabs and address bars to see if they match the hardcoded website addresses. 
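From a detection standpoint, the behaviour described above (a non-accessibility process walking another application’s UI tree through UIA) can be surfaced from image-load telemetry. The following Python is an added example and is not code from Akamai, SecurityWeek or the Coyote analysis. It assumes that the UIA client API is backed by UIAutomationCore.dll (a Windows fact not stated on the page), uses constructed log records whose field names follow Sysmon Event ID 7, and uses an assumed allowlist of processes expected to use UIA; all three are assumptions to tune per environment.

```python
import ntpath
import re
from typing import Dict, Iterable, List, Tuple

# Assumption (not stated on the page): the in-process UIA client API is backed by
# UIAutomationCore.dll, so a process that has that module loaded is using UIA.
UIA_CLIENT_DLL = "uiautomationcore.dll"

# Assumed baseline of processes expected to use UIA on a workstation (screen readers,
# the shell). This is a constructed list for the example, not a vendor-published one.
DEFAULT_ALLOWLIST = frozenset({"narrator.exe", "magnify.exe", "explorer.exe"})

# Constructed sample records. Field names follow Sysmon Event ID 7 (Image load);
# the values, paths and PIDs are made up for this example.
SAMPLE_IMAGE_LOADS = [
    "UtcTime=2025-07-24 10:01:02 ProcessId=4120 Image=C:\\Windows\\System32\\narrator.exe ImageLoaded=C:\\Windows\\System32\\UIAutomationCore.dll",
    "UtcTime=2025-07-24 10:01:09 ProcessId=5520 Image=C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe ImageLoaded=C:\\Windows\\System32\\kernel32.dll",
    "UtcTime=2025-07-24 10:02:31 ProcessId=7788 Image=C:\\Users\\Public\\svchost_update.exe ImageLoaded=C:\\Windows\\System32\\UIAutomationCore.dll",
    "UtcTime=2025-07-24 10:02:45 ProcessId=9001 Image=C:\\Users\\alice\\AppData\\Local\\Temp\\tmp7fa3.exe ImageLoaded=C:\\Windows\\System32\\UIAutomationCore.dll",
]

# key=value pairs; a value runs until the next " key=" token, so values may contain spaces.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


def parse_image_load(line: str) -> Dict[str, str]:
    """Parse one key=value record into a dict."""
    return {key: value for key, value in FIELD_RE.findall(line)}


def is_uia_client_load(record: Dict[str, str]) -> bool:
    """True when the loaded module is the (assumed) UIA client DLL."""
    return ntpath.basename(record.get("ImageLoaded", "")).lower() == UIA_CLIENT_DLL


def flag_uia_loads(lines: Iterable[str], allowlist=DEFAULT_ALLOWLIST) -> List[Tuple[int, str]]:
    """Return (pid, image path) for every process that loads the UIA client DLL
    and is not on the baseline allowlist. Order follows the input records."""
    flagged: List[Tuple[int, str]] = []
    for line in lines:
        record = parse_image_load(line)
        if not is_uia_client_load(record):
            continue
        image = record.get("Image", "")
        if ntpath.basename(image).lower() in allowlist:
            continue
        flagged.append((int(record["ProcessId"]), image))
    return flagged


if __name__ == "__main__":
    for pid, image in flag_uia_loads(SAMPLE_IMAGE_LOADS):
        print(f"review: pid {pid} ({image}) loaded {UIA_CLIENT_DLL}")
```

Run as a script it prints the two unexpected loaders (the binary in a world-writable folder and the one in a temp directory) and stays quiet about Narrator. Browsers and some productivity software also use UIA legitimately, so in practice the allowlist is built from a baseline of the environment rather than hand-written, and the DLL-load signal is best combined with other context such as the process’s signature status and path.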

“Without UIA, parsing the sub-elements of another application is a nontrivial task,” Akamai’s Tomer Peled explained in a blog post. “To be able to effectively read the contents of sub-elements within another application, a developer would need to have a very good understanding of how the specific target application is structured.”

“Coyote can perform checks, regardless of whether the malware is online or operating in an offline mode. This increases the chances of successfully identifying a victim’s bank or crypto exchange and stealing their credentials,” Peled added.
