New Coyote Banking Trojan Exploits Microsoft UI Automation to Target Users

A recently identified variant of the Coyote banking trojan is making waves in the cybersecurity community, as it utilizes Microsoft’s UI Automation (UIA) framework to extract banking credentials from unsuspecting users. Cybersecurity researchers at Akamai have confirmed that this malware, detected in attacks aimed at Brazilian users, represents the first active use of UIA by malicious software, marking a significant evolution in how financial targets are approached.

Previously viewed as merely a theoretical risk, the exploitation of Microsoft’s UIA, an accessibility framework designed to let assistive technologies interact with application interfaces, has become a concerning reality. In December 2024, Akamai warned in a blog post that cybercriminals could misuse this framework. The emergence of the Coyote trojan has validated those concerns, showing how the malware extracts sensitive information from browser windows linked to banking and cryptocurrency platforms.

This particular variant of Coyote, known for its phishing overlays and keylogging tactics targeting Latin American financial institutions, has notably adapted its methodology. The trojan now leverages UIA to evade detection by traditional endpoint detection and response tools, making it difficult for security systems to identify its malicious activities. Instead of merely checking whether a victim is visiting a recognized banking site, Coyote now employs a UIA COM object to navigate through the components of active windows, searching for indicators of financial transactions.

Akamai’s findings highlight that Coyote holds a hardcoded list of 75 financial institutions and cryptocurrency exchanges, allowing it not only to identify potential targets but also to categorize them in a manner that optimizes its credential-stuffing attempts. The malware’s ability to adjust dynamically increases its effectiveness across various applications and browsers, raising the stakes for cybersecurity defenses. Given these developments, Akamai stresses the importance of monitoring for signs of UIA misuse, urging organizations to watch for `UIAutomationCore.dll` being loaded by processes that have no legitimate reason to use UIA, and for other anomalies such as unexpected UIA-related named pipes.
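The two detection signals Akamai points to, unexpected loads of `UIAutomationCore.dll` and UIA-related named pipes, can be checked against endpoint telemetry. The following is an added example, not Akamai's or Coyote's code: it runs over constructed Sysmon-style events (Event ID 7 ImageLoad and Event ID 17 PipeCreated, simplified to one JSON object per line) and flags any process outside an assumed allowlist of legitimate UIA consumers; the allowlist, the `UIA_PIPE` pipe-name marker and the `update.exe` sample path are assumptions for illustration.

```python
"""Flag UI Automation (UIA) misuse in Sysmon-style telemetry.

Added example, not Akamai's or Coyote's code. Events are constructed inline in
a simplified JSON shape modelled on Sysmon Event ID 7 (ImageLoad) and Event ID
17 (PipeCreated). The loader allowlist and the UIA pipe-name marker are
assumptions to be tuned against a real baseline.
"""
import json
from pathlib import PureWindowsPath

UIA_DLL = "uiautomationcore.dll"
UIA_PIPE_MARKER = "uia_pipe"          # assumed substring in UIA named pipes
# Assumed baseline of processes expected to use UIA (shell and assistive tech).
ALLOWED_UIA_USERS = {"explorer.exe", "narrator.exe", "magnify.exe"}

# Constructed sample telemetry, one JSON object per line as a SIEM export might give.
SAMPLE_LINES = [json.dumps(e) for e in [
    {"EventID": 7, "Image": r"C:\Windows\explorer.exe",
     "ImageLoaded": r"C:\Windows\System32\UIAutomationCore.dll"},
    {"EventID": 7, "Image": r"C:\Users\Public\update.exe",        # constructed
     "ImageLoaded": r"C:\Windows\System32\UIAutomationCore.dll"},
    {"EventID": 7, "Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Windows\System32\ntdll.dll"},
    {"EventID": 17, "Image": r"C:\Windows\System32\Narrator.exe",
     "PipeName": r"\UIA_PIPE_0000000000000001"},
    {"EventID": 17, "Image": r"C:\Users\Public\update.exe",       # constructed
     "PipeName": r"\UIA_PIPE_0000000000000002"},
]]

def _proc(event):
    """Lower-cased executable name of the process that raised the event."""
    return PureWindowsPath(event.get("Image", "")).name.lower()

def flag_uia_anomalies(lines):
    """Return alerts for UIA DLL loads and UIA pipes from unexpected processes."""
    alerts = []
    for line in lines:
        event = json.loads(line)
        proc = _proc(event)
        if proc in ALLOWED_UIA_USERS:
            continue                      # expected UIA consumer, skip
        eid = event.get("EventID")
        loaded = PureWindowsPath(event.get("ImageLoaded", "")).name.lower()
        if eid == 7 and loaded == UIA_DLL:
            alerts.append({"process": proc, "reason": "loaded UIAutomationCore.dll"})
        elif eid == 17 and UIA_PIPE_MARKER in event.get("PipeName", "").lower():
            alerts.append({"process": proc, "reason": "created UIA named pipe"})
    return alerts

if __name__ == "__main__":
    for alert in flag_uia_anomalies(SAMPLE_LINES):
        print(f"ALERT {alert['process']}: {alert['reason']}")
```

Only the constructed `update.exe` events are flagged; tuning the allowlist against an environment's own baseline is what keeps the rule from firing on browsers and other legitimate UIA clients.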