SecurityWeek

Malware & Threats

Coyote Banking Trojan First to Abuse Microsoft UIA

Akamai’s analysis of the Coyote malware revealed that it abuses Microsoft’s UIA accessibility framework to obtain data.


Akamai has analyzed a recent variant of the Coyote banking trojan and found that it abuses Microsoft's UI Automation (UIA) accessibility framework to identify which banking and cryptocurrency services a victim uses, reading that information out of other applications' user interfaces on the compromised device.

According to Akamai, Coyote is the first piece of malware observed abusing the UIA framework in the wild.

The malware has been around since at least February 2024 and has been used to target Windows devices in Latin America. It relies on keylogging and phishing overlays to collect victims' data, particularly credentials for banking and cryptocurrency services.

UIA is an accessibility framework for Windows applications, providing programmatic access to UI elements on the desktop. “It enables assistive technology products, such as screen readers, to provide information about the UI to end users and to manipulate the UI by means other than standard input,” according to Microsoft.

Akamai warned in December 2024 that threat actors could abuse UIA for malicious purposes if they could get a user to run a specially crafted application that leverages the framework.

The company's researchers showed how an attacker could abuse UIA for stealthy command execution, browser redirections and sensitive data theft. The technique works on every version of Windows since XP and, because it goes through a legitimate accessibility interface rather than injecting code into the target application, it can evade endpoint detection and response (EDR) solutions.


Akamai has now found that the risk is no longer theoretical: malware developers have started abusing UIA, with Coyote apparently the first to do so in the wild.

While UIA could be abused to steal sensitive data directly, Coyote uses it to determine which financial services the victim is using. The malware first calls a Windows API to read the titles of open windows and compares them against a hardcoded list of web addresses belonging to banks and cryptocurrency exchanges.

If no title matches, the malware falls back to UIA to "parse through the UI child elements of the window". This lets it read the browser's tabs and address bar and compare their contents against the same hardcoded address list, which a plain window title would not reveal.

“Without UIA, parsing the sub-elements of another application is a nontrivial task,” Akamai’s Tomer Peled explained in a blog post. “To be able to effectively read the contents of sub-elements within another application, a developer would need to have a very good understanding of how the specific target application is structured.”
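To make Peled's point concrete, the following PowerShell script is an added example, not Akamai's research code and not Coyote's, that reproduces the two-stage check the article describes against whatever window is currently in the foreground: a cheap Win32 window-title check first, then a UIA walk of the window's descendant elements looking at tab items, edit controls (the address bar) and document elements. The target list is a constructed placeholder with reserved `.test` domains, not Coyote's real list, and the function name `Find-FinancialSiteInForegroundWindow` is this example's own. It runs as an ordinary user process with no code injection into the browser, which is exactly what makes the technique attractive to malware authors and invisible to injection-focused detections.

```powershell
# Added example (not Akamai's or Coyote's code): reproduce the two-stage
# bank/crypto site check described in the article against the foreground window.
# Assumptions: desktop Windows with the .NET UIAutomationClient assemblies
# (shipped with the framework), run as a normal user; $Targets is a constructed
# stand-in for the malware's hardcoded address list.

Add-Type -AssemblyName UIAutomationClient
Add-Type -AssemblyName UIAutomationTypes

# Win32 helpers for stage 1: which window has focus and what its title bar says.
$User32 = Add-Type -Namespace Native -Name User32 -PassThru -MemberDefinition @'
[DllImport("user32.dll")]
public static extern IntPtr GetForegroundWindow();
[DllImport("user32.dll", CharSet = CharSet.Unicode)]
public static extern int GetWindowText(IntPtr hWnd, System.Text.StringBuilder buf, int max);
'@

# Constructed placeholder list (reserved .test TLD), NOT Coyote's real targets.
$Targets = @('examplebank.test', 'examplecrypto.test')

function Test-TargetMatch {
    param([string]$Text)
    if ([string]::IsNullOrEmpty($Text)) { return $null }
    foreach ($t in $Targets) {
        if ($Text.IndexOf($t, [System.StringComparison]::OrdinalIgnoreCase) -ge 0) { return $t }
    }
    return $null
}

function Find-FinancialSiteInForegroundWindow {
    # Stage 1: window title only. Works for any app, but a browser title is
    # just the page title, so a URL-based list usually misses here.
    $hwnd = $User32::GetForegroundWindow()
    $sb = New-Object System.Text.StringBuilder 1024
    [void]$User32::GetWindowText($hwnd, $sb, $sb.Capacity)
    $title = $sb.ToString()
    $hit = Test-TargetMatch $title
    if ($hit) {
        return [pscustomobject]@{ Stage = 1; Element = 'WindowTitle'; Text = $title; Target = $hit }
    }

    # Stage 2: UIA. FromHandle turns the HWND into an AutomationElement; the
    # Descendants walk exposes every child control without knowing how the
    # browser is built. Address bars usually carry the URL in ValuePattern,
    # tab items carry the page title in Name.
    $root = [System.Windows.Automation.AutomationElement]::FromHandle($hwnd)
    $elements = $root.FindAll(
        [System.Windows.Automation.TreeScope]::Descendants,
        [System.Windows.Automation.Condition]::TrueCondition)

    $wanted = 'ControlType.TabItem', 'ControlType.Edit', 'ControlType.Document'
    foreach ($el in $elements) {
        $type = $el.Current.ControlType.ProgrammaticName
        if ($type -notin $wanted) { continue }

        $texts = @($el.Current.Name)
        $vp = $null
        if ($el.TryGetCurrentPattern([System.Windows.Automation.ValuePattern]::Pattern, [ref]$vp)) {
            $texts += $vp.Current.Value
        }
        foreach ($txt in $texts) {
            $hit = Test-TargetMatch $txt
            if ($hit) {
                [pscustomobject]@{ Stage = 2; Element = $type; Text = $txt; Target = $hit }
            }
        }
    }
}

# Usage: focus a browser tab, then run the function from another window or after a delay.
Start-Sleep -Seconds 5
Find-FinancialSiteInForegroundWindow | Format-Table -AutoSize
```

The `Descendants` walk of a busy browser window can return thousands of elements and take a few seconds, which is why the cheap title check comes first; a real implementation would narrow the search with a `PropertyCondition` on `ControlTypeProperty` instead of `TrueCondition`. Running this against your own browser shows exactly which controls leak the current URL to any same-integrity process, which is the observation to carry into detection engineering.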

“Coyote can perform checks, regardless of whether the malware is online or operating in an offline mode. This increases the chances of successfully identifying a victim’s bank or crypto exchange and stealing their credentials,” Peled added.


Written By

Eduard Kovacs (@EduardKovacs) is senior managing editor at SecurityWeek. He worked as a high school IT teacher before starting a career in journalism in 2011. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
