Coyote Banking Malware Exploits Windows Accessibility Feature for Data Theft

A new version of the Coyote banking trojan is abusing Microsoft’s UI Automation (UIA) framework—a Windows accessibility tool—to detect and target banking and cryptocurrency websites for credential theft. The malware scans browser UI elements, such as tabs and address bars, to determine whether a victim is visiting any of 75 predefined financial services, including major Brazilian banks and crypto exchanges like Binance.

Initially discovered in 2024, Coyote previously relied on keylogging and phishing overlays but now leverages UIA for stealthier reconnaissance, bypassing traditional detection methods. If the malware fails to recognize a site by its window title, it analyzes the browser’s UI hierarchy to extract URLs and cross-checks them against its target list.

While UIA abuse in this case is limited to reconnaissance, researchers warn it could also be weaponized to steal entered credentials. Microsoft has yet to comment on potential safeguards, though similar accessibility abuses on Android have prompted stricter controls in the past.
