Analyzing the Link Between Two Evolving Brazilian Banking Trojans
NetmanageIT OpenCTI - opencti.netmanageit.com
SUMMARY :
This intelligence report examines the connection between two Brazilian banking trojans, Maverick and Coyote. The malware spreads through WhatsApp, using a multi-stage attack that begins with a malicious LNK file. Both trojans share similarities in their infection methods, targeting Brazilian users and banks. The attack chain involves obfuscated PowerShell commands, downloading additional payloads from command and control servers. The malware employs anti-analysis techniques and targets specific browsers. Persistence is achieved through a batch file in the startup folder. The report provides technical details, including code samples and infection chain analysis, as well as indicators of compromise for the identified malware campaign.
OPENCTI LABELS :
coyote,multi-stage attack,whatsapp,.net,powershell,brazil,banking trojan,obfuscation,maverick
AI COMMENTARY :
1. In this report, we analyze the evolving relationship between two Brazilian banking trojans known as Maverick and Coyote. Both strains have gained notoriety for their sophisticated multi-stage attack chains, leveraging WhatsApp as a primary distribution channel to deliver malicious LNK files. This initial stage is deceptively simple: a user receives what appears to be an innocuous document link over WhatsApp. Upon execution, that link launches an obfuscated PowerShell script that establishes contact with a remote command and control server to download the next payload.
2. The heart of the attack chain relies on a .NET-based implant that runs silently in the background. Once the PowerShell script retrieves the secondary payload, it spawns a .NET executable that hooks into popular Brazilian banking websites by injecting malicious JavaScript into the browser’s session. These scripts intercept user credentials as they are entered into legitimate banking portals, then relay the stolen data back to the attacker’s infrastructure.
3. Obfuscation is a key evasion measure employed by both Maverick and Coyote. The PowerShell commands are Base64-encoded and often split into multiple segments to evade signature-based detection. Sample snippet: powershell -NoProfile -WindowStyle Hidden -EncodedCommand aQBlAHYAZQBsAC4AZQAxAC4AZQB4AGU=, which decodes into a small loader that then downloads further binaries. This technique complicates analysis efforts and slows down incident response teams.
4. Anti-analysis measures extend beyond simple obfuscation. The malware checks for virtualized environments and sandboxes by querying registry keys associated with popular virtualization software. When such an environment is detected, the trojan halts execution, preventing researchers from dissecting its behavior. Memory-resident modules also employ API unhooking techniques to avoid hooking by endpoint detection and response solutions.
5. Both trojans specifically target widely used browsers in Brazil, including Chrome, Firefox and the local branch of Internet Explorer. Through injection routines, they manipulate form fields on banking portals to capture credentials in real time. The attackers have compiled a list of targeted bank URLs and adapt their code dynamically to account for changes in the login page structure, ensuring continued success as websites evolve.
6. Persistence is achieved via a batch file placed in the Windows startup folder. This batch file repeatedly launches the primary payload with elevated privileges by abusing scheduled tasks. By storing the batch script in %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup, the attackers secure execution each time the user logs in, even if the main executable is removed or quarantined by antivirus solutions.
7. A detailed infection chain analysis reveals the following sequence: WhatsApp message with LNK payload → execution of obfuscated PowerShell → download of .NET loader → injection into browser process → credential harvesting → data exfiltration to C2 servers. Along the way, the malware leverages HTTPS tunneling to blend in with legitimate traffic and avoid network detection.
8. Code samples included in the full technical annex demonstrate the obfuscated URL decoding routine and the C2 beacon mechanism. Analysts will find deobfuscated PowerShell scripts and C2 domain indicators in the appendix, enabling rapid integration of detection rules into SIEM and endpoint protection platforms.
9. Indicators of Compromise (IOCs) for this campaign include specific file hashes, domain names, and IP addresses. Notable examples are the SHA-256 hash af2b3c9e4d5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1, the C2 domain banksecureupdate[.]com, and the IP address 192.0.2.45. These IOCs should be added to blocklists and monitoring rules immediately.
10. In conclusion, the convergence of Maverick and Coyote’s techniques underscores the adaptive nature of modern banking trojans. By studying their shared methodologies—WhatsApp delivery, multi-stage PowerShell loaders, .NET persistence modules, and targeted browser injections—security teams can develop more resilient defenses. Continuous monitoring for the identified IOCs and rapid analysis of new samples will be essential to staying ahead of these evolving threats.