The Windows banking trojan known as Coyote has become the first known malware strain to exploit the Windows accessibility framework called UI Automation (UIA) to harvest sensitive information.
“The new Coyote variant is targeting Brazilian users, and uses UIA to extract credentials linked to 75 banking institutes’ web addresses and cryptocurrency exchanges,” Akamai security researcher Tomer Peled said in an analysis.
Coyote, first revealed by Kaspersky in 2024, is known for targeting Brazilian users. It comes with capabilities to log keystrokes, capture screenshots, and serve overlays on top of login pages associated with financial enterprises.
Part of the Microsoft .NET Framework, UIA is a legitimate feature offered by Microsoft to allow screen readers and other assistive technology products to programmatically access user interface (UI) elements on a desktop.
That UIA can be a potential pathway for abuse, including data theft, was previously demonstrated as a proof-of-concept (PoC) by Akamai in December 2024, with the web infrastructure company noting that it could be used to steal credentials or execute code.
In some ways, Coyote’s latest modus operandi mirrors the various Android banking trojans that have been spotted in the wild, which often weaponize the operating system’s accessibility services to obtain valuable data.
Akamai’s analysis found that the malware invokes the GetForegroundWindow() Windows API in order to extract the active window’s title and compare it against a hard-coded list of web addresses belonging to targeted banks and cryptocurrency exchanges.
“If no match is found Coyote will then use UIA to parse through the UI child elements of the window in an attempt to identify browser tabs or address bars,” Peled explained. “The content of these UI elements will then be cross-referenced with the same list of addresses from the first comparison.”
As many as 75 different financial institutions are targeted by the latest version of the malware, up from 73 documented by Fortinet FortiGuard Labs earlier this January.
“Without UIA, parsing the sub-elements of another application is a nontrivial task,” Akamai added. “To be able to effectively read the contents of sub-elements within another application, a developer would need to have a very good understanding of how the specific target application is structured.”
“Coyote can perform checks, regardless of whether the malware is online or operating in an offline mode. This increases the chances of successfully identifying a victim’s bank or crypto exchange and stealing their credentials.”
