Coyote Banking Trojan Targets LATAM with a Focus on Brazilian Financial Institutions


Summary

Increased global trade and the growth of the Latin American (LATAM) market have made the region an increasingly attractive target for cyber criminals in recent years. The World Economic Forum noted in its January 2024 Global Cybersecurity Outlook report that LATAM had a high number of "insufficiently cyber-resilient organizations," with government and financial institutions topping the list of targets.

Coyote is a .NET banking Trojan that has been observed targeting Brazilian financial institutions, primarily banks. Its execution chain clearly distinguishes it from other banking Trojans. First identified by researchers in February 2024, Coyote got its name because it abuses Squirrel, a legitimate, non-malicious installer and updater for Windows applications.

During a Coyote attack, a legitimate open-source OBS Studio executable and the Chromium Embedded Framework (CEF) dynamic link library (DLL) are used to load a malicious DLL. That DLL, written in the Nim programming language, loads the Coyote banking Trojan, which harvests the user's financial information and persists on the system.

In this blog we’ll take a closer look at Coyote’s infection vector and execution chain.

Affected Operating Systems

Technical Analysis

Infection Vector

While we did not directly observe the delivery method during our analysis of the Coyote Trojan, this malware would typically be delivered via phishing, with the user enticed to click a malicious link rather than the Trojan arriving as an attachment. This is because of the unusually large file size of the Trojan (over 170 MB); an email carrying such a large attachment would likely bounce from email systems that limit or block large attachments.

The file names found, written in Brazilian Portuguese, corroborate that the targets are solely Brazilian victims. Examples of file names used during the attack include:

  • Pdfpapel327088636055.zip ("papel" = paper)
  • Pdfmensal4669787638.zip ("mensal" = monthly)

Analysis

Upon execution of the main malicious file, for example pdfpapel327088636055.exe, the Squirrel update process is started:

"C:\Users\<username>\AppData\Local\SquirrelTemp\Update.exe" --install

The update process in turn launches "designlesotho.exe":

"C:\Users\<username>\AppData\Local\designlesotho\app-0.7.2\designlesotho.exe" --squirrel-install 0.7.2

Finally, the OBS component "obs-browser-page.exe" is executed via cmd.exe:

"C:\Windows\system32\cmd.exe" /d /s /c "C:\Users\Admin\Videos\Captures\obs-browser-page.exe"

Figure 1: Process tree of the initial execution up to obs-browser-page.exe.

Persistence is achieved via the Registry. The path of the OBS binary is written as the logon script value under the following key:

HKEY_CURRENT_USER\Environment\UserInitMprLogonScript
C:\Users\<username>\Videos\Captures\obs-browser-page.exe
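As an added example (not part of the original BlackBerry post), the following Python hunts for two of the artefacts described above in process-creation and registry-set telemetry: obs-browser-page.exe running from a location outside an OBS Studio install directory (here, the user's Videos\Captures folder), and any write to the UserInitMprLogonScript value. The event dictionaries, the user name "alice", the rule names, and the assumption that a legitimate obs-browser-page.exe lives under an obs-studio directory are all constructed for this example.

```python
"""Hunt for the Coyote execution chain and logon-script persistence in
simplified process-creation and registry-set events (constructed sample)."""
import re

# Rule identifiers chosen for this example (not from the original post).
RULE_OBS_OUTSIDE_INSTALL = "obs-browser-page.exe running outside an OBS Studio install directory"
RULE_LOGON_SCRIPT = "UserInitMprLogonScript value written (logon-script persistence)"

# Assumption: a legitimate OBS Studio install keeps obs-browser-page.exe under an
# obs-studio directory; a copy in a user's Videos folder is out of place.
LEGIT_OBS_DIR = re.compile(r"\\obs-studio\\", re.IGNORECASE)


def basename(path: str) -> str:
    """Return the lower-cased file name component of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def hunt(events):
    """Return a list of (rule, artefact) tuples for every event that matches."""
    findings = []
    for ev in events:
        if ev["type"] == "process":
            image = ev["image"]
            if basename(image) == "obs-browser-page.exe" and not LEGIT_OBS_DIR.search(image):
                findings.append((RULE_OBS_OUTSIDE_INSTALL, image))
        elif ev["type"] == "registry":
            # This value is rarely set legitimately, so any write is worth a look.
            if ev["key"].lower().endswith(r"\environment\userinitmprlogonscript"):
                findings.append((RULE_LOGON_SCRIPT, ev["value"]))
    return findings


# Constructed sample telemetry mirroring the chain in the post, plus benign noise.
SAMPLE_EVENTS = [
    {"type": "process",
     "image": r"C:\Users\alice\AppData\Local\SquirrelTemp\Update.exe",
     "cmdline": r'"C:\Users\alice\AppData\Local\SquirrelTemp\Update.exe" --install',
     "parent": r"C:\Users\alice\Downloads\pdfpapel327088636055.exe"},
    {"type": "process",
     "image": r"C:\Users\alice\Videos\Captures\obs-browser-page.exe",
     "cmdline": r'"C:\Users\alice\Videos\Captures\obs-browser-page.exe"',
     "parent": r"C:\Windows\system32\cmd.exe"},
    {"type": "registry",
     "key": r"HKCU\Environment\UserInitMprLogonScript",
     "value": r"C:\Users\alice\Videos\Captures\obs-browser-page.exe",
     "image": r"C:\Users\alice\Videos\Captures\obs-browser-page.exe"},
    # Benign noise: a real OBS Studio helper process and an unrelated environment variable.
    {"type": "process",
     "image": r"C:\Program Files\obs-studio\obs-plugins\64bit\obs-browser-page.exe",
     "cmdline": r'"C:\Program Files\obs-studio\obs-plugins\64bit\obs-browser-page.exe" --type=renderer',
     "parent": r"C:\Program Files\obs-studio\bin\64bit\obs64.exe"},
    {"type": "registry",
     "key": r"HKCU\Environment\Path",
     "value": r"C:\Users\alice\bin",
     "image": r"C:\Windows\System32\cmd.exe"},
]

if __name__ == "__main__":
    for rule, artefact in hunt(SAMPLE_EVENTS):
        print(f"[!] {rule}: {artefact}")
```

Run against the constructed events, the two Coyote artefacts are flagged while the genuine OBS helper and the unrelated environment variable are not; in real telemetry the same two checks map directly onto Sysmon process-creation and registry-value-set events.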

Once the non-malicious obs-browser-page.exe (SHA256: ec605cc14c60e30682e84ec87d19034f7bd1399025ca11fbf3c4adeed85fadf0) runs, the Squirrel update process loads libcef.dll (SHA256: e1c48e87d7386dc2edd54a1d3ac73d4af7e63eb2fc4f26f59ff15a9dd1dc1ac6). This is a non-malicious Google Chrome DLL that is vulnerable to DLL sideloading, and it in turn loads the malicious chrome_elf.dll (SHA256: 110b616bc12c29b070b0dc60c197a4d63b3e3caae6bb80a25b8864489a51da79).

The final DLL, chrome_elf.dll, is a Nim loader that executes the embedded Coyote banking Trojan in memory (SHA256: e3d9cb8f4385a63e70305de36f8366e0b86d183322e860029455f145404c7e9c).

Nim is a fairly new multi-platform programming language which combines successful concepts from mature languages like Python, Ada and Modula.

Figure 2: Non-malicious files "obs-browser-page.exe" and "libcef.dll" along with the malicious "chrome_elf.dll."

Once executed, the Coyote banking Trojan continually checks the title of the active file or Internet browser window. Only when the window title matches one of the targets (listed below in the Targets section) does it start communicating with its command-and-control (C2) servers.

Coyote can run a total of 24 commands and functions, including taking screenshots of a user’s activity, showing full-screen overlay windows (including an overlay of a fake banking app), making registry changes, moving the user’s mouse, machine shutdown and keylogging.

Figure 3: Coyote keylogger command.

Communication

Coyote uses the WatsonTCP library for communication. On the specific campaign we observed, the binary randomly selects one of the following C2s:

C2 servers:

  • bestoraculo[.]com
  • acaodegraca[.]com
  • turmadabruta[.]com
  • britoingresso[.]com
  • cinebrian[.]com


Based on our analysis, we managed to find additional C2 servers besides those initially reported:

Additional C2s:

  • cloridatosys[.]com
  • flogoral[.]com
  • formitamina[.]com
  • bilatex[.]com
  • autoglobalcar[.]com
  • atendesolucao[.]com
  • angelcallcenter[.]com
  • servicoasso[.]com
  • dowfinanceiro[.]com
  • centralsolucao[.]com
  • gargamellojas[.]com
  • carrodenatal[.]com
  • marvelnatal[.]com
  • nograusistema[.]com
  • navegacaodura[.]com
  • jogodequadra[.]com
  • carrosantigo[.]com
  • bermatechcliente[.]com

Figure 4: Connections from the Coyote banking Trojan to different C2 servers.

Given the distinctive infection chain (Squirrel combined with DLL side-loading against OBS components) and the .NET Brazilian banking Trojan payload, we assess that this is indeed the Coyote threat actor. At the time of writing, there are no references to this specific banking Trojan being sold on the underground market.

Targets

Coyote targets Brazilian financial institutions as well as Binance, a global company that operates a cryptocurrency exchange with the largest daily trading volume of cryptocurrencies. Coyote’s full target list of legitimate domains is as follows:

Targets (legitimate domains):

  • Bancobrasil.com.br
  • Bb.com.br
  • internetbanking.caixa.gov.br
  • loginx.caixa.gov.br
  • banco.bradesco
  • cidadetran.bradesco
  • ne12.bradesconetempresa.b.br
  • binance.com
  • mercadobitcoin.com.br
  • bitcointrade.com.br
  • foxbit.com.br
  • blockchain.com
  • accounts.binance.com
  • pf.santandernet.com.br
  • pj.santandernetibe.com.br
  • itau.com.br
  • meu.original.com.br
  • empresas.origina
  • ibpj.original.com.br
  • banrisul.com.br
  • internetbanking.banpara.b.br
  • ib.banpara.b.br
  • www2s.bancoamazonia.com.br
  • ecode.daycoval.com.br
  • mercantildobrasi
  • stone.com.br
  • bancopan.com.br
  • unicred.com.br
  • safra.com.br
  • safraempresas.com.br
  • ib.brde.com.br
  • banese.com.br
  • bancobmg.com.br
  • brbbanknet.brb.com.br
  • internetbanking.confesol.com.br
  • tribanco.com.br
  • credisisbank.com.br
  • credisan.com.br
  • bancobs2.com.br
  • bancofibra.com.br
  • uniprimebr.com.br
  • uniprime.com.br
  • bancotopazio.com.br
  • btgmais.com
  • citidirect.com
  • banestes.b.br
  • zeitbank.com.br
  • cora.com.br
  • sofisa.com.br
  • sofisadireto.com.br
  • www.banestes.com.br
  • banestes.com.br
  • wwws.uniprimedobrasil.com.br
  • www.rendimento.com.br
  • rendimento.com.br
  • contaonline.viacredi.coop.br
  • sicredi.com.br
  • nel.bnb.gov.br
  • mercadopago.com.br


Conclusion

The emergence of a .NET banking Trojan targeting the LATAM region, with a primary focus on Brazil, underscores the rapid evolution of the cybersecurity threat landscape. This sophisticated malware uses unconventional methods to infiltrate targeted systems, via phishing with malicious domains, with the goal of compromising large financial institutions.

The deceptive tactic of disguising the initial loader as a legitimate Squirrel update packager highlights the need for heightened vigilance and proactive security measures by defenders. As organizations fortify their cybersecurity defenses, it is crucial not only to invest in more advanced protective technologies, but also to prioritize user education. By enhancing employee awareness and understanding of threats such as these, we can significantly improve our defenses against such evasion techniques and mitigate some of the risks.

Combating the Coyote banking Trojan threat head-on requires a multifaceted approach that integrates modern-day cybersecurity solutions with comprehensive user training. By staying ahead of emerging threats and fostering a culture of cyber resilience, we can safeguard our critical systems and protect the integrity of financial institutions in the LATAM region.

MITRE ATT&CK® Matrix

Tactic: Execution
  T1059.007 - Command and Scripting Interpreter: JavaScript
    Upon Squirrel execution, a NodeJS application runs and executes obfuscated JavaScript code.
  T1204.002 - User Execution: Malicious File
    The initial loader is disguised as a Squirrel updater.

Tactic: Persistence
  T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
    A value is written to the HKCU\Environment\UserInitMprLogonScript key (without first checking whether it exists). In the case we observed, the value was the path to "obs-browser-page.exe", which establishes persistence.

Tactic: Privilege Escalation
  T1574.002 - Hijack Execution Flow: DLL Side-Loading
    The Trojan is loaded through DLL side-loading of a dependency (libcef.dll) of Chrome and OBS Studio executables.

Tactic: Defense Evasion
  T1218 - System Binary Proxy Execution
    Squirrel is used to create installation and update packages, hiding the infection vector in an updater.
  T1027 - Obfuscated Files or Information
    • The Trojan uses string obfuscation with AES encryption.
    • A NodeJS application runs and executes obfuscated JavaScript code.
  T1620 - Reflective Code Loading
    Nim is used to load the final stage, which unpacks the .NET executable and executes it in memory using the CLR.
  T1036.001 - Masquerading: Match Legitimate Name or Location
    Coyote hides its initial loader by presenting it as an update packager.
  T1553.002 - Code Signing
    A signed application is used together with a legitimate library.
  T1480.001 - Execution Guardrails
    Once the malware verifies that the connection is indeed with the attacker, it sends the information collected from the infected machine and banking applications to the server.

Tactic: Discovery
  T1082 - System Information Discovery
    Information sent to the C2 includes:
    • Machine name
    • GUID
    • Banking application(s) in use
  T1010 - Application Window Discovery
    The Trojan monitors all open applications on the victim's system and waits for a specific banking application or website to be accessed.

Tactic: Collection
  T1056.001 - Input Capture: Keylogging
    The Trojan has the capability to conduct keylogging.
  T1113 - Screen Capture
    The Trojan has the capability to take screenshots.

Tactic: Command and Control
  T1573 - Encrypted Channel
    The Trojan establishes communication with its C2 server over SSL channels with a mutual authentication scheme.
  T1205 - Traffic Signaling
    The attacker sends a response packet containing specific actions. To convey these actions, the attacker transmits a string with a random delimiter; the string is split on that delimiter into a list, with the first entry representing the command type.

Tactic: Impact
  T1529 - System Shutdown/Reboot
    The Trojan has the capability to shut down the compromised system.


Indicators of Compromise (IoCs):

SHA256 (File type: ZIP; Details: malware delivery)
  096d7765f278bb0de33fbfa0a15413a2432060d09c99f15c6ca900a6a8a46365
  9c6fc9e0854eaf5a0720caab1646f48c7992f6f4051438004598af89102a49eb
  e0b65087cc83b899d53c153fcfd1420d15e369c3d196325396b50cb75681c27d
  485c8bfae3e5c150012e1d630f5d9ae37b786d4b750a9a0adf2b174b7ab85c65
  16cc13258a3e63be247c9adf18def0369bb72197bdb3668142bc50a6656047af
  2bd6bbe48d0328e4011ce3053e616664a4eb2bf43bd5762cb03be297f786b068
  287b39f40ed541585c968b6529c44e9ccdd899bca0b88457907d994c2b5013f4
  341a1945f606bcf4c25bce9b850dbddc5125376156cb7f8d14c6ce6bc4b396c3
  9160ca25889427b2c2da4d4b14c4a93a707efc2ce07a49d5b8ab1a7f9be8ab55
  2d8b10e35c2c2d9675ec693558629450eeee2c8e38f491d38c42de96bddf317a
  112edf53d4c560ab71f1b20856ec4d6096e0ea42b0271526b3415c3563300f06
  3cbc282c6a51edff4e762267332e1ff2a503f7ba8a7b2a10c9ff404a7bda913b
  aedffb9cf780bb52c68586ceb238fcaf90253524f06a4a338edc6437409e51c5
  2b428df6f76d36ceeebfd37df65ab7893cb6f526afeb9e4494829628f0b9cae8
  ae6676ad5b8ba386e88ae045eacc05225a657360963844cdf18db6a45318ea89
  ce07ef596772e9cfa6f41000f27244f6f750527639a26c6be0b73033a8e41883
  c0833babb2982e36ac7646f7539f6a235a42bcf5375bc080d3ac9d031dc3b903
  d44f4db6680d178437e9cfba010ac049f80e5eddf43b3977da819119bb6ca06d
  504a5902f20d0a7e3968251849cd88acd31e7fc895fc18d5c82076c5388df5bd
  8e614368f99f955c75752df597f97de1dd51b4f0dfeeadc76e1badcc7ca57fc2
  3cc58b46d0babd561508d7b67c609e0e9be9a35db9425f1e8a29512a5229665a
  5656501522adfe1b08f58cccc1e187cbb7099ef1193a62edd5dfe0d32da4cd7a
  fb8353e718397dcabd11d9bd8a500ffd54e2a57ac4722a34241757c60ba2bdff
  ae65738fa81be0b2cfe2f63209db9ed5b928b4b5a1a703ce2a89699a6f192f07
  5b3421beb6aaf3fd16831e1456475acac4f8e7c863869fb4d5dc9b1ae0576ef3
  6b7a014d0674fe5f145aa2c5dc7674d42e5306d82c3fe7ab0235dcbfd559725f
  d96c3e8dc899948bf92c377bb4872b19b5983b6eb2d59f00019345293601843c
  2a54b7f1327398ccd1c538759201e8699dfad7c53e8e095ea782d862ec48cb92
  90ffb18c9d05bf6a61d90c57f299b70702c0e65dac90349b06d5e6833d6d2612
  4869fcfda9be32f3cdd48c21bda07aefde496c5f06f235f33ce948169e9744e5
  3edcf6a6b6cb254f72f0f2607fa4bb2ecb604475b448c9487e89fc76eb8f896e
  a0d2c87f4ed6522fdcd8c8d234dca9c7e8831de5faa9445275405ddd0a9104cc
  6da5f450f3124e30e8091fda443cb416d29eab4e166a777263e004758acf2e69
  10af5c8950b8802851afe96b423d20408b618f80ab54c1a5aef0f1a04c36f331
  f6ed73bed9e6b992dbfdee64ff8c9dfde5e3f12c3ec6bbb4e2367fbd2ce75b6f
  1ba49976a6e596abb68e2f7ca37407930330a4bf0bd25207057c5a60cb3a4107
  798fb8de9bb0434ee0b172793f5b68eb593054538cf5ec96e71a5a0759f6bcc5
  c057145da9481a4fff50e69b7e746c19cc95e2d33331539b6b62077169bc4b42
  fcb8f32502147dbf8ef44ad99a41d9eaf639bb3d22c4de92a3022f501c9d8cb6
  0dea05062d6527ab03f80de87488d278dd333167cdabdf5ef28da760bf252863
  3a14ab878697453832306a836e67915d7475481307c65268ceb1f900ff4ec25a

SHA256 (File type: DLL; Details: NIM loader + Coyote banking Trojan)
  eb615c093e9b52ed409f426764857e6e42aa85e02adef59d6f1457dcbb90bb40
  1bed3755276abd9b54db13882fcf29c543ebf604be3b7fcf060cbd6d68bcd23f
  4806617bbc8187a89d5ed73cb818853e306d3699f87bd09940b0ecffdc96091d
  1d59bc782e532780da0364b14a1b474a8cb8a5af50c8124159bf5d943bd050f7

IP/Domain (Details: recently active malicious Coyote C2s)
  cloridatosys[.]com
  flogoral[.]com
  formitamina[.]com
  bilatex[.]com
  autoglobalcar[.]com
  atendesolucao[.]com
  angelcallcenter[.]com
  servicoasso[.]com
  dowfinanceiro[.]com
  centralsolucao[.]com
  gargamellojas[.]com
  carrodenatal[.]com
  marvelnatal[.]com
  nograusistema[.]com
  navegacaodura[.]com
  jogodequadra[.]com
  carrosantigo[.]com
  bermatechcliente[.]com

Countermeasures

The good news is that BlackBerry customers are protected against the Coyote IoCs listed in this blog post by endpoint protection solutions such as CylanceENDPOINT™. CylanceENDPOINT leverages advanced AI to detect threats before they cause damage, minimizing business disruptions and the costs incurred during a ransomware attack.

YARA Rule

import "pe"

rule coyote_nimloader {
    meta:
        author = "Blackberry Threat Research and Intelligence"
        hash = "110b616bc12c29b070b0dc60c197a4d63b3e3caae6bb80a25b8864489a51da79"
        hash = "1bed3755276abd9b54db13882fcf29c543ebf604be3b7fcf060cbd6d68bcd23f"
    strings:
        $nim1 = "strformat.nim" fullword ascii
        $nim2 = "fatal.nim" fullword ascii
        $nim3 = "io.nim" fullword ascii
        $export_name = "chrome_elf.dll" fullword ascii
    condition:
        pe.characteristics & pe.DLL and pe.number_of_sections > 8 and $export_name and (2 of ($nim*))
}
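The condition of the YARA rule above can be re-implemented in plain Python for triage hosts that do not have YARA installed. This is an added example, not BlackBerry's code: it parses only the COFF file header of a PE (NumberOfSections and the IMAGE_FILE_DLL characteristic), applies the same fullword string logic, and is exercised against minimal constructed PE byte blobs that are not real samples. The build_fake_pe helper and the fixture names are inventions of this example.

```python
"""Pure-Python check equivalent to the coyote_nimloader YARA condition:
pe.characteristics & pe.DLL and pe.number_of_sections > 8 and $export_name and (2 of ($nim*))."""
import re
import struct

IMAGE_FILE_DLL = 0x2000                                    # COFF Characteristics flag for a DLL
NIM_STRINGS = [b"strformat.nim", b"fatal.nim", b"io.nim"]  # $nim1..$nim3 from the rule
EXPORT_NAME = b"chrome_elf.dll"                            # $export_name from the rule


def fullword_present(data: bytes, needle: bytes) -> bool:
    """YARA 'fullword': the match may not be bordered by alphanumeric bytes."""
    pattern = rb"(?<![A-Za-z0-9])" + re.escape(needle) + rb"(?![A-Za-z0-9])"
    return re.search(pattern, data) is not None


def parse_file_header(data: bytes):
    """Return (number_of_sections, characteristics) from the COFF header, or None."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    try:
        # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
        # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
        _machine, n_sections, _ts, _sym, _nsym, _opt, chars = struct.unpack_from(
            "<HHIIIHH", data, e_lfanew + 4)
    except struct.error:
        return None
    return n_sections, chars


def matches_coyote_nimloader(data: bytes) -> bool:
    """Evaluate the rule's condition against a raw PE image."""
    header = parse_file_header(data)
    if header is None:
        return False
    n_sections, chars = header
    nim_hits = sum(fullword_present(data, s) for s in NIM_STRINGS)
    return (bool(chars & IMAGE_FILE_DLL)
            and n_sections > 8
            and fullword_present(data, EXPORT_NAME)
            and nim_hits >= 2)


def build_fake_pe(n_sections: int, is_dll: bool, strings) -> bytes:
    """Construct a minimal, non-functional PE image (test fixture, not a real binary)
    carrying the given header values and NUL-separated strings."""
    e_lfanew = 0x80
    buf = bytearray(b"MZ" + b"\0" * 62)
    struct.pack_into("<I", buf, 0x3C, e_lfanew)            # DOS header e_lfanew
    buf += b"\0" * (e_lfanew - len(buf))
    chars = 0x0102 | (IMAGE_FILE_DLL if is_dll else 0)      # EXECUTABLE_IMAGE | 32BIT_MACHINE
    buf += b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, n_sections, 0, 0, 0, 0xF0, chars)
    buf += b"\0" * 0x200                                     # stand-in for optional header/sections
    for s in strings:
        buf += b"\0" + s + b"\0"
    return bytes(buf)


# Constructed fixtures: one that satisfies every condition, and three near-misses.
LOADER_LIKE = build_fake_pe(10, True, NIM_STRINGS + [EXPORT_NAME])
EXE_NOT_DLL = build_fake_pe(10, False, NIM_STRINGS + [EXPORT_NAME])
FEW_SECTIONS = build_fake_pe(4, True, NIM_STRINGS + [EXPORT_NAME])
ONE_NIM_STRING = build_fake_pe(10, True, [b"io.nim", EXPORT_NAME])

if __name__ == "__main__":
    for name, blob in [("loader-like", LOADER_LIKE), ("exe-not-dll", EXE_NOT_DLL),
                       ("few-sections", FEW_SECTIONS), ("one-nim-string", ONE_NIM_STRING)]:
        print(f"{name:15s} -> {matches_coyote_nimloader(blob)}")
```

Only the first fixture matches; dropping the DLL flag, the section count, or two of the three Nim runtime strings each defeats the rule, which is the same behaviour YARA would show and a useful reminder that the rule is tuned to this loader's build rather than to Nim binaries in general.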


Further Reading:

Originally published on the BlackBerry Blog: Coyote Banking Trojan Targets LATAM with a Focus on Brazilian Financial Institutions

Reposted by admin on 13 July 2024 at 5:17 PM.