BIGFISH TECHNOLOGY LIMITED
25 July 2025

Coyote Malware Exploits Windows Accessibility to Hijack Financial Data

Coyote Malware: A New Breed of Threat Exploiting Windows Accessibility to Steal Banking and Crypto Credentials

The Coyote banking trojan has returned with a more dangerous variant, marking a new chapter in cyber threat evolution. This latest version has become the first malware observed in the wild to exploit Windows UI Automation (UIA) — a feature originally intended to assist users with disabilities and support application testing.

Instead of leveraging traditional methods, this trojan weaponizes a “harmless-looking” system feature to silently extract sensitive information from over 75 banking and cryptocurrency platforms in Brazil.


Key Characteristics of the New Coyote Variant

  • Utilizes Windows UI Automation (UIA) to analyze application window content directly
  • Able to steal data without relying on visible URLs or browser window titles
  • Targets users of Brazilian banks and crypto exchanges
  • No need for keyloggers or phishing overlays as used in previous versions
  • Can operate offline, scanning and collecting data without connecting to a command-and-control server


Attack Methodology

  1. System Profiling
    The malware begins by collecting system information such as computer name, username, and operating system details.

  2. Window Title Scanning
    It checks the title of the currently active window to match against a list of known banking or crypto platforms.

  3. UI Automation Parsing
    If no direct match is found, Coyote leverages UI Automation to “read and interpret” the visual elements inside the active window — such as the URL in the address bar or tab labels.

  4. Credential Capture
    Once a targeted service is detected, the malware activates credential harvesting techniques like keystroke logging, username/password capture, or token interception.


Organizational Risks

Though the current campaign focuses on Brazil, the implications are global. This malware:

  • Uses legitimate Windows APIs (UIA) for reconnaissance
  • Accesses sensitive UI-level information without breaching the network layer
  • Can function without internet connectivity, making it stealthier and harder to detect

These factors allow Coyote to evade traditional defense tools, including antivirus software and basic firewall setups — making it a “silent threat” that blends in with normal system behavior.


How to Defend Against UIA-Based Threats

Organizations should prepare by implementing the following strategies:

Monitor System Behavior

  • Detect unknown processes that load UIAutomationCore.dll
  • Monitor named pipes beginning with UIA_PIPE_*, which may indicate malicious UIA activity
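As an added illustration (not code from BigFish or from any published Coyote analysis), the following Python applies the two monitoring rules above to constructed Sysmon-style records: ImageLoad events (ID 7) for UIAutomationCore.dll and pipe events (ID 17/18) whose name starts with UIA_PIPE_. The allowlist of legitimate UIA clients and the sample records are assumptions to be tuned per environment.

```python
"""Flag UIAutomationCore.dll loads and UIA_PIPE_* named-pipe activity from
processes outside an allowlist, using Sysmon-style event dictionaries."""
from dataclasses import dataclass

# Assumption: processes that legitimately use UI Automation on this estate.
# Narrator and Magnifier are built-in accessibility tools; extend as needed.
ALLOWED_IMAGES = {
    r"c:\windows\system32\narrator.exe",
    r"c:\windows\system32\magnify.exe",
}

@dataclass(frozen=True)
class Alert:
    event_id: int   # Sysmon event ID that triggered the alert
    image: str      # full path of the process involved
    reason: str     # human-readable explanation

def _unexpected(image: str) -> bool:
    """True when the process is not on the UIA allowlist."""
    return image.lower() not in ALLOWED_IMAGES

def detect(events):
    """Return alerts for Sysmon ImageLoad (7) and PipeEvent (17/18) records."""
    alerts = []
    for ev in events:
        eid = ev.get("EventID")
        image = ev.get("Image", "")
        if eid == 7:
            loaded = ev.get("ImageLoaded", "").lower()
            if loaded.endswith("\\uiautomationcore.dll") and _unexpected(image):
                alerts.append(Alert(7, image, "loads UIAutomationCore.dll"))
        elif eid in (17, 18):
            # Accept both "\UIA_PIPE_x" and "\\.\pipe\UIA_PIPE_x" spellings.
            pipe = ev.get("PipeName", "")
            leaf = pipe.rsplit("\\", 1)[-1].upper()
            if leaf.startswith("UIA_PIPE_") and _unexpected(image):
                alerts.append(Alert(eid, image, f"UIA named pipe {pipe}"))
    return alerts

# Constructed sample records in Sysmon field style (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Windows\System32\narrator.exe",
     "ImageLoaded": r"C:\Windows\System32\UIAutomationCore.dll"},
    {"EventID": 7, "Image": r"C:\Users\victim\AppData\Local\Temp\update.exe",
     "ImageLoaded": r"C:\Windows\System32\UIAutomationCore.dll"},
    {"EventID": 17, "Image": r"C:\Users\victim\AppData\Local\Temp\update.exe",
     "PipeName": r"\UIA_PIPE_3f2a"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe"},
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[EID {a.event_id}] {a.image}: {a.reason}")
```

Running the block prints two alerts for the unallowlisted update.exe and none for Narrator; in production the records would come from the Sysmon operational log rather than an inline list.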


Enforce Security Controls

  • Restrict UIA access to only trusted applications
  • Deploy EDR or XDR solutions that provide real-time behavior analytics
  • Keep systems fully patched and updated


Educate Your Workforce

  • Warn users not to open suspicious .zip or .lnk attachments
  • Provide training on how to identify unusual behavior when using banking or financial platforms


Summary

Coyote is a clear example of how modern malware can bypass traditional defenses not by hacking systems, but by understanding and interacting with what users see on their screens — using APIs that were never designed to be harmful.

This reminds us that in today’s digital landscape, security teams must look beyond traditional threats and start scrutinizing even “trusted” system features that can be exploited in creative ways.


If your organization needs guidance on how to detect and prevent UI Automation abuse, our cybersecurity experts are here to help.

Contact BigFish Technology

Tel. : (236) 997-9648

Email : [email protected]

Website: www.bigfishtec.com