Banking trojan Coyote now abuses Microsoft’s UI Automation frameworkThe framework allows it to spot when a person opens a banking siteIt can cross-reference the data in the browser with a hardcoded list of banking and crypto appsCoyote, a known banking trojan malware capable of attacking dozens of crypto and banking apps, has been upgraded to identify crypto exchanges and bank accounts opened in the web browser, experts have warned.Cybersecurity researchers Akamai, who have been warning about Coyote since December 2024, noted how in previous iterations, Coyote would either log keys or present phishing overlays, in order to exfiltrate login information for 75 banking and cryptocurrency exchange apps. However, if a user would open these accounts in the browser, Coyote wouldn’t be triggered.However this new variant abuses Microsoft’s UI Automation framework to identify which banking and crypto exchange sites the victim opened in their browser, too.Get Keeper's Personal Password Manager plan for just $1.67/monthKeeper is a password manager with top-notch security. It's fast, full-featured, and offers a robust web interface. The Personal Plan gets you unlimited password storage across all your devices, auto-login & autofill to save time, secure password sharing with trusted contacts, biometric login & 2FA for added security.View DealBrazilians in the crosshairsMicrosoft's UI Automation (UIA) framework is an accessibility system that helps software interact with Windows apps.It’s especially useful for things like screen readers and automated testing, as it lets programs “see” buttons, menus, and other parts of an app, and even click or read them.According to Akamai, Coyote can now use UIA to read the web address found in the browser’s tabs or address bar, and then compare the results with a hardcoded list of 75 targeted services. If it finds a match, it will use UIA to parse through the UI child elements, trying to find which tabs or address bars there are."The content of these UI elements will then be cross-referenced with the same list of addresses from the first comparison,” they explained.Akamai says that Coyote primarily targets Brazilian users. The banks it usually goes after are Banco do Brasil, CaixaBank, Banco Bradesco, Santander, Original bank, Sicredi, Banco do Nordeste, Expanse apps, and different crypto exchanges (Binance, Electrum, Bitcoin, Foxbit, and more).The researchers first warned about UIA being abused in credential theft late last year, and now their predictions seem to have come true, since Coyote is apparently the first one to use this tactic in the wild.Via BleepingComputerYou might also likeHow to defend against AI-powered mobile banking trojan attacksTake a look at our guide to the best authenticator appWe've rounded up the best password managers