Coyote Banking Trojan Abuses The Squirrel Installer
The Coyote banking Trojan targets users of over 60 banking institutions primarily in Brazil. It spreads via the Squirrel installer employing NodeJS and Nim to execute its infection. After installation it runs a NodeJS application compiled with Electron which executes obfuscated JavaScript code to copy executables to a designated folder and launch them. Coyote uses DLL sideloading for loading and persists through Windows logon scripts It lacks code obfuscation but employs AES encryption for string obfuscation. The Trojans objective is typical of banking malware monitoring applications for banking activity capturing keystrokes and screenshots terminating processes and potentially shutting down infected devices.