The Windows banking trojan known as Coyote has become the first known malware strain to exploit the Windows accessibility framework calledUI Automation(UIA) to harvest sensitive information. "The new Coyote variant is targeting Brazilian users, and uses UIA to extract credentials linked to 75 banking institutes' web addresses and cryptocurrency exchanges," Akamai security researcher Tomer Peled said in an analysis. Coyote, first revealed by Kaspersky in 2024, is known for targeting Brazilian users. It comes with capabilities to log keystrokes, capture screenshots, and serve overlays on top of login pages associated with financial enterprises. Part of the Microsoft .NET Framework, UIA is a legitimate feature offered by Microsoft to allow screen readers and other assistive technology products to programmatically access user interface (UI) elements on a desktop. That UIA can be a potential pathway for abuse, including data theft, was previously demonstrated as a proof-of-concept (PoC) by Akamai in December 2024, with the web infrastructure company noting that it could be used to steal credentials or execute code. In some ways, Coyote's latest modus operandi mirrors the various Android banking trojans that have been spotted in the wild, which often weaponize the operating system's accessibility services to obtain valuable data. Akamai's analysis found that the malware invokes the GetForegroundWindow() Windows API in order to extract the active window's title and compare it…Read More