- Banking trojan Coyote now abuses Microsoft's UI Automation framework
- The framework lets it spot when a person opens a banking site
- It can cross-reference data in the browser with a hardcoded list of banking and crypto apps
Coyote, a known banking trojan capable of attacking dozens of crypto and banking apps, has been upgraded to identify crypto exchange and bank accounts opened in a web browser, experts warn.
Cybersecurity researchers, who have been warning about Coyote since December 2024, said that in previous iterations the trojan would either keylog or serve phishing overlays so that login information for 75 banking and cryptocurrency exchange apps could be stolen. However, if a user opened these accounts in the browser, Coyote would not be triggered.
This new variant, however, uses Microsoft's UI Automation framework to identify which banking and crypto exchange sites have been opened in the browser as well.
Brazilians in the crosshairs
Microsoft's UI Automation (UIA) framework is an accessibility system that lets software interact with Windows apps.
It is particularly useful for things such as screen readers and automated testing, as it allows a program to "see" the buttons, menus and other parts of an app, and even click or read them.
According to Akamai, Coyote can now use UIA to read the web address found in the browser tab or address bar, and then compare the result with a hardcoded list of 75 targeted services. If it finds a match, it uses UIA to parse through the UI child elements, trying to locate the tabs or address bar.
"The contents of these UI elements will then be cross-referenced with the same list of addresses from the first comparison," they explained.
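As an added example from the defender's side (not code from the article, Akamai or BleepingComputer): a check that flags processes loading UIAutomationCore.dll, the library behind UIA, when they are not on an allowlist of expected accessibility tools. It assumes Sysmon ImageLoaded (Event ID 7) events exported as JSON lines; the sample events and the allowlist are constructed for illustration.

```python
import json

# The DLL that backs Microsoft UI Automation; its load by an unexpected
# process is the signal this check looks for.
UIA_DLL = "uiautomationcore.dll"

# Hypothetical allowlist of processes expected to use UIA (screen readers,
# browsers, test tooling). Illustrative only; tune it to your environment.
EXPECTED_LOADERS = {"narrator.exe", "nvda.exe", "explorer.exe", "msedge.exe"}

# Constructed Sysmon-style events (Event ID 7 = ImageLoaded) as JSON lines.
SAMPLE_EVENTS = r"""
{"EventID": 7, "Image": "C:\\Windows\\System32\\narrator.exe", "ProcessId": 4120, "ImageLoaded": "C:\\Windows\\System32\\UIAutomationCore.dll"}
{"EventID": 7, "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "ProcessId": 5316, "ImageLoaded": "C:\\Windows\\System32\\ntdll.dll"}
{"EventID": 1, "Image": "C:\\Users\\Public\\update.exe", "ProcessId": 6212, "CommandLine": "update.exe"}
{"EventID": 7, "Image": "C:\\Users\\Public\\update.exe", "ProcessId": 6212, "ImageLoaded": "C:\\Windows\\System32\\UIAutomationCore.dll"}
"""


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def parse_events(text: str) -> list:
    """Parse JSON lines into event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def suspicious_uia_loads(events: list) -> list:
    """Return (process, pid) pairs for non-allowlisted loaders of the UIA DLL."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 7:
            continue  # only image-load events carry the DLL name
        if basename(ev.get("ImageLoaded", "")) != UIA_DLL:
            continue
        proc = basename(ev.get("Image", ""))
        if proc not in EXPECTED_LOADERS:
            hits.append((proc, ev.get("ProcessId")))
    return hits


if __name__ == "__main__":
    for proc, pid in suspicious_uia_loads(parse_events(SAMPLE_EVENTS)):
        print(f"unexpected UIAutomationCore.dll load: {proc} (pid {pid})")
```

The allowlist is deliberately short; in practice the useful signal is a process that has no accessibility or automation role loading the DLL, which is why the hit is reviewed alongside what else that process does.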
Akamai states that Coyote mainly targets users from Brazil. The banks usually targeted include Banco do Brasil, CaixaBank, Banco Bradesco, Santander, Banco Original, Sicredi and Banco do Nordeste, alongside separate crypto exchange apps (Binance, Electrum, Bitcoin, Foxbit, and more).
Researchers had warned at the end of last year that UIA could be abused to steal credentials, and their predictions have now come true, as Coyote appears to be the first to use this technique in the wild.
Via BleepingComputer