Malicious software exploits Windows accessibility features to steal control over bank accounts
In a concerning development for the cybersecurity community, a notorious banking trojan known as Coyote has been found to abuse Microsoft's UI Automation (UIA) framework. This malware, originally known for logging keys or presenting phishing overlays to exfiltrate login information, has now evolved to identify banking and cryptocurrency websites opened in web browsers.
Coyote's new tactic involves programmatically inspecting the user interface elements of web browsers to detect when victims open financial sites. The malware uses APIs like `GetForegroundWindow()` to monitor the foreground window on Windows and identify active browser windows. If the window title does not directly match any known banking or crypto site from its hardcoded list, Coyote invokes UI Automation.
Using the UIAutomation COM object with the current active window as root, Coyote enumerates the child UI elements of the browser window. It scans elements such as tabs, address bars, and input fields to identify sub-elements associated with targeted financial sites, even when the window title alone is insufficient. This UI element scraping allows Coyote to cross-reference UI content with its hardcoded lookup table of 75 Brazilian banks and crypto platforms, making it adept at identifying financial sessions across different browsers and their varying interface layouts.
Once a financial site is detected through UI Automation, Coyote attempts to extract sensitive data like login credentials directly from the browser UI elements for exfiltration to its command-and-control infrastructure. This method effectively bypasses the need for direct window title matching or complex reverse engineering of browsers, and allows the trojan to adapt dynamically to multiple browsers and UI changes.
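From the defender's side, the behaviour described above has a simple telemetry footprint: a process that is neither an accessibility tool nor a browser loads the UI Automation client library. The following detection rule is an added example written for this page (not Coyote's code and not from Akamai's research); it assumes Sysmon Event ID 7 (Image loaded) style records with `Image` and `ImageLoaded` fields, and the allowlist and log lines are constructed.

```python
"""Flag processes that load the UI Automation client library without an
accessibility or browser role. Log lines are constructed, not real telemetry."""
import re
from pathlib import PureWindowsPath

UIA_DLL = "uiautomationcore.dll"  # library every UIA client process loads

# Assumed allowlist of legitimate UIA clients; tune it to your own estate.
EXPECTED_UIA_CLIENTS = {
    r"c:\windows\system32\narrator.exe",
    r"c:\program files\nvda\nvda.exe",
    r"c:\program files\google\chrome\application\chrome.exe",
}
# An installed accessibility tool would not normally run from these paths.
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\", "\\downloads\\")
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")

def parse_event(line):
    """Parse a 'Key=Value Key=Value ...' record (Sysmon-style fields) into a dict."""
    return {k: v.strip() for k, v in FIELD_RE.findall(line)}

def classify(event):
    """Return an alert dict when a process outside the allowlist loads the UIA DLL."""
    if PureWindowsPath(event.get("ImageLoaded", "")).name.lower() != UIA_DLL:
        return None
    image = event.get("Image", "").lower()
    if image in EXPECTED_UIA_CLIENTS:
        return None
    # A UIA client living under a user-writable path is the stronger signal.
    severity = "high" if any(d in image for d in USER_WRITABLE) else "medium"
    return {"time": event.get("UtcTime"), "image": image, "severity": severity}

def find_suspicious_uia_clients(lines):
    """Run the rule over raw lines, keeping only Event ID 7 (Image loaded)."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") == "7" and (alert := classify(ev)):
            alerts.append(alert)
    return alerts

# Constructed sample records: a screen reader, a browser, and an unknown binary.
SAMPLE_LOG = [
    r"EventID=7 UtcTime=2025-07-24 09:12:01 Image=C:\Windows\System32\narrator.exe ImageLoaded=C:\Windows\System32\UIAutomationCore.dll",
    r"EventID=7 UtcTime=2025-07-24 09:12:05 Image=C:\Program Files\Google\Chrome\Application\chrome.exe ImageLoaded=C:\Windows\System32\UIAutomationCore.dll",
    r"EventID=7 UtcTime=2025-07-24 09:13:40 Image=C:\Users\alice\AppData\Roaming\updater.exe ImageLoaded=C:\Windows\System32\UIAutomationCore.dll",
    r"EventID=1 UtcTime=2025-07-24 09:13:41 Image=C:\Users\alice\AppData\Roaming\updater.exe CommandLine=updater.exe",
    r"EventID=7 UtcTime=2025-07-24 09:14:02 Image=C:\Users\alice\AppData\Roaming\updater.exe ImageLoaded=C:\Windows\System32\kernel32.dll",
]
```

Only the unknown binary under the user's profile is reported; the screen reader and the browser are allowlisted, and the other two records are not UIA loads at all.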
Cybersecurity researchers at Akamai have been warning about Coyote since December 2024, and now their predictions seem to have come true. Coyote malware targets 75 banking and cryptocurrency exchange apps, including well-known institutions such as Banco do Brasil, CaixaBank, Banco Bradesco, Santander, Original bank, Sicredi, Banco do Nordeste, and Expanse apps, as well as various crypto exchanges like Binance, Electrum, Bitcoin, and Foxbit.
The use of UIA by Coyote demonstrates the need for ongoing vigilance and improved security measures to protect against such threats. Users are advised to keep their antivirus software up to date, use strong and unique passwords for each account, and be wary of phishing attempts.
Meanwhile, Keeper, a fast, full-featured password manager with top-notch security and a robust web interface, could provide a solution for users seeking to strengthen their online security. Keeper's Personal Plan offers unlimited password storage across all devices, auto-login & autofill, secure password sharing, biometric login & 2FA, and is available for $1.67/month.
- The notorious banking trojan known as Coyote, previously known for phishing and exfiltrating login information, has now evolved to integrate Microsoft's UI Automation (UIA) framework for more sophisticated attacks, particularly on financial sites in the banking, insurance and cryptocurrency sectors.
- Due to Coyote's new tactics that involve UI Automation for detecting financial sessions across different browsers and their varying interface layouts, it has expanded its target list to include 75 banks and cryptocurrency platforms worldwide, such as Banco do Brasil, Binance, Electrum, and Bitcoin. This underscores the critical need for enhanced cybersecurity measures and advanced solutions like a password manager such as Keeper.