

Ethical Hacking News

Coyote Malware Exploits Windows Accessibility Framework to Steal Banking and Cryptocurrency Credentials



Coyote, a banking trojan, exploits Windows UIA framework to target Brazilian users and steal sensitive information from their devices. In a worrying development, the malware has added UIA abuse to its toolkit in recent months.

  • The Coyote banking trojan exploits Microsoft's UI Automation framework to target Brazilian users and steal sensitive information.
  • The malware uses Windows accessibility features to identify targeted services and extract web addresses from browser tabs or address bars.
  • The list of targeted services includes prominent financial institutions such as Banco do Brasil, CaixaBank, and others.
  • Microsoft's UIA framework is designed to allow assistive technologies to interact with user interface elements, but it also invites malicious actors who seek to exploit vulnerabilities in the system.



    Malicious actors have found a novel way to obtain sensitive information from unsuspecting users, exploiting a vulnerability in Microsoft's UI Automation framework. The malware in question is known as Coyote, a banking trojan that has been around since February 2024 but has recently evolved its tactics to include the use of Windows accessibility features.

    The UI Automation (UIA) framework is designed to allow assistive technologies to interact with and control user interface elements in applications. This includes features such as screen readers, keyboard navigation, and more. While these tools are invaluable for individuals with disabilities, they also provide a potential entry point for malicious actors seeking to steal sensitive information.

    In recent months, Akamai researchers have warned about the possibility of malware abusing the UIA framework to steal credentials. The threat was deemed too great to ignore, as it evades traditional endpoint detection and response (EDR) protections. That threat is now a reality, with attacks leveraging this technique in the wild since February 2025.

    The Coyote banking trojan has been identified as the primary malware responsible for these exploits. First documented in February 2024, Coyote utilizes tactics such as keylogging and phishing overlays to steal credentials from its intended targets – primarily Brazilian users of 75 different banking and cryptocurrency exchange apps.

    In its most recent iteration, however, Coyote has added a new layer of sophistication by utilizing the UIA framework to identify which banking and cryptocurrency services are accessed on the device. This allows the malware to extract web addresses from browser tabs or address bars, compare them against hardcoded lists of targeted services, and even parse through UI child elements in an attempt to identify additional browser tabs or address bars.
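A defender-side illustration of the behaviour described above, added here and not taken from the article or from Akamai's research: a process that walks other applications' UI through UIA loads UIAutomationCore.dll, the library that implements UIA, so image-load telemetry can surface unexpected loaders. The records below are constructed samples shaped like Sysmon Event ID 7 (ImageLoad) fields; the allowlist and the path heuristic are assumptions to tune per environment.

```python
import ntpath  # Windows path handling that works on any analysis host

UIA_DLL = "uiautomationcore.dll"
# Assumption: processes expected to load UIA on this fleet.
EXPECTED_LOADERS = {"narrator.exe", "magnify.exe", "explorer.exe"}
# Assumption: user-writable locations treated as higher risk for a UIA client.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\programdata\\")

UIA_PATH = r"C:\Windows\System32\UIAutomationCore.dll"
# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Windows\System32\Narrator.exe", "ImageLoaded": UIA_PATH},
    {"EventID": 7, "Image": r"C:\Users\demo\AppData\Roaming\updater\svc.exe", "ImageLoaded": UIA_PATH},
    {"EventID": 7, "Image": r"C:\Program Files\Tool\helper.exe", "ImageLoaded": UIA_PATH},
    {"EventID": 7, "Image": r"C:\Users\demo\AppData\Local\Temp\explorer.exe", "ImageLoaded": UIA_PATH},
    {"EventID": 7, "Image": r"C:\Program Files\Tool\helper.exe", "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 7, "Image": r"C:\Users\demo\AppData\Roaming\updater\svc.exe", "ImageLoaded": UIA_PATH},
]


def triage_uia_loads(events, expected=EXPECTED_LOADERS):
    """Return one finding per unexpected process that loaded the UIA library."""
    findings = {}
    for ev in events:
        if ev.get("EventID") != 7:
            continue  # only image-load events are relevant
        if ntpath.basename(ev.get("ImageLoaded", "")).lower() != UIA_DLL:
            continue
        image = ev.get("Image", "")
        name = ntpath.basename(image).lower()
        in_user_path = any(p in image.lower() for p in USER_WRITABLE)
        # An allowlisted name only passes when it runs from a non-user path,
        # so a look-alike such as Temp\explorer.exe is still reported.
        if name in expected and not in_user_path:
            continue
        severity = "high" if in_user_path else "medium"
        findings[image.lower()] = {"image": image, "severity": severity}
    return sorted(findings.values(), key=lambda f: (f["severity"], f["image"]))


if __name__ == "__main__":
    for finding in triage_uia_loads(SAMPLE_EVENTS):
        print(finding["severity"], finding["image"])
```
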

    The list of targeted services includes several prominent financial institutions, such as Banco do Brasil, CaixaBank, Banco Bradesco, Santander, Original bank, Sicredi, Banco do Nordeste, and Expanse apps, as well as cryptocurrency services (Binance, Electrum, Bitcoin, Foxbit, and others).

    Akamai researchers have shared a proof-of-concept demonstration of how the UIA framework can be abused to steal inputted credentials for these sites. The implications of this find are significant, as it highlights the potential risks associated with using assistive technologies.

    Microsoft's UIA is designed to be powerful and allow individuals with disabilities to fully utilize their devices. However, this power also invites malicious actors who seek to exploit vulnerabilities in the system. On Android, similar issues have been observed with malware abusing Accessibility Services extensively.

    In response to these findings, BleepingComputer has reached out to Microsoft to inquire about potential safeguards that could be implemented to prevent the abuse of UIA on Windows devices. A comment from Microsoft was not immediately available.

    The use of UIA by malicious actors serves as a stark reminder of the ever-evolving nature of cybersecurity threats. These threats can emerge in unexpected places and often rely on exploiting weaknesses that have been present for some time. It is up to users and developers alike to remain vigilant and address these issues before they become widespread problems.

    In conclusion, the exploitation of Microsoft's UI Automation framework by Coyote malware highlights a new frontier in cybersecurity threats. The use of Windows accessibility features to steal credentials shows that even seemingly innocuous tools can be turned into powerful instruments for malicious actors.






    Related Information:
  • https://www.ethicalhackingnews.com/articles/Coyote-Malware-Exploits-Windows-Accessibility-Framework-to-Steal-Banking-and-Cryptocurrency-Credentials-ehn.shtml

  • https://www.bleepingcomputer.com/news/security/coyote-malware-abuses-windows-accessibility-framework-for-data-theft/


  • Published: Tue Jul 22 14:52:29 2025 by llama3.2 3B Q4_K_M












