Dangerous Banking Trojan ‘Coyote’ Hunts Over 1,000 Websites in Massive Financial Attack

Coyote Banking Malware Targets Brazilian Windows Users

A sophisticated banking malware called Coyote is actively targeting Windows users in Brazil, according to recent findings by Fortinet FortiGuard Labs. The malware, first identified by Kaspersky in early 2024, has evolved to target over 1,030 websites and 73 financial institutions.

The latest attack vector uses Windows Shortcut (LNK) files containing PowerShell commands to deliver the malware. Once a system is infected, Coyote employs various malicious capabilities, including:
– Keylogging
– Screenshot capture
– Phishing overlay deployment
– System information gathering
– Anti-virus detection evasion

The infection process follows a complex, multi-stage approach:
1. LNK file execution triggers initial PowerShell command
2. Secondary payload retrieval from remote server
3. Loader deployment using Donut tool
4. Registry modification for persistence
5. Base64-encoded data exfiltration
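
A defender's view of steps 1 to 4 above, as an added example that is not taken from the Fortinet or Kaspersky reports: it correlates process-creation and registry events to flag a PowerShell launch from a shortcut whose process tree then writes an autorun value. The event fields, the explorer.exe parent heuristic, the command-line patterns and the Run key are assumptions chosen for illustration; the article does not name the registry key Coyote modifies.

```python
import re
from datetime import datetime, timedelta

# Generic heuristics (assumptions, not indicators published for Coyote).
PS_FLAGS = re.compile(r"-w(indowstyle)?\s+hidden|-e(nc\w*)?\s|downloadstring|invoke-webrequest|\biwr\b|\biex\b", re.I)
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
WINDOW = timedelta(minutes=10)  # max gap between the launch and the registry write

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EXPLORER = r"C:\Windows\explorer.exe"
RUN = r"HKU\S-1-5-21-0-0-0-1001\Software\Microsoft\Windows\CurrentVersion\Run"

# Constructed events shaped like Sysmon process-creation (1) and registry value-set (13).
EVENTS = [
    {"id": 1, "time": "2025-01-01T10:00:00", "pid": 4100, "ppid": 2000, "image": PS, "parent": EXPLORER,
     "cmd": "powershell.exe -w hidden -enc <BASE64_PLACEHOLDER>"},
    {"id": 1, "time": "2025-01-01T10:00:20", "pid": 4188, "ppid": 4100, "parent": PS,
     "image": r"C:\Users\demo\AppData\Local\Temp\stage2.exe", "cmd": "stage2.exe"},
    {"id": 13, "time": "2025-01-01T10:01:00", "pid": 4188, "target": RUN + r"\Updater"},
    # Benign: an admin script started from a shortcut, and an unrelated installer.
    {"id": 1, "time": "2025-01-01T11:00:00", "pid": 5200, "ppid": 2000, "image": PS, "parent": EXPLORER,
     "cmd": r"powershell.exe -NoProfile -File C:\Scripts\backup.ps1"},
    {"id": 13, "time": "2025-01-01T11:05:00", "pid": 6300, "target": RUN + r"\VendorTray"},
]

def find_chains(events):
    """Alert when a flagged PowerShell process tree writes a Run-key value."""
    suspects, alerts = {}, []   # suspects: pid -> (root pid, root start time)
    for ev in sorted(events, key=lambda e: e["time"]):
        t = datetime.fromisoformat(ev["time"])
        if ev["id"] == 1:
            shortcut_style = (ev["image"].lower().endswith("powershell.exe")
                              and ev["parent"].lower().endswith("explorer.exe")
                              and PS_FLAGS.search(ev["cmd"]))
            if shortcut_style:
                suspects[ev["pid"]] = (ev["pid"], t)          # stage 1: LNK-style launch
            elif ev["ppid"] in suspects:
                suspects[ev["pid"]] = suspects[ev["ppid"]]    # stages 2-3: descendants
        elif ev["id"] == 13 and ev["pid"] in suspects:
            root, start = suspects[ev["pid"]]
            if RUN_KEY.search(ev["target"]) and t - start <= WINDOW:  # stage 4
                alerts.append({"root_pid": root, "writer_pid": ev["pid"], "key": ev["target"]})
    return alerts

if __name__ == "__main__":
    for alert in find_chains(EVENTS):
        print(alert)
```

The correlation keys on PIDs only, so on real telemetry it should use a per-process unique identifier to avoid false links when PIDs are reused.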

Notable targets include prominent cryptocurrency exchanges and hotels:
– MercadoBitcoin
– BitcoinTrade
– Foxbit
– Various hotel booking platforms

The malware actively evades detection by monitoring for sandbox environments and virtual machines. When users access targeted websites, Coyote communicates with command servers to determine specific actions, potentially compromising sensitive financial credentials and user data.

This enhanced version of Coyote represents a significant evolution from its earlier variants, demonstrating increased sophistication in both its targeting capabilities and evasion techniques.
