Coyote Trojan Turns Accessibility into Attack Surface

Finance & Banking, Industry Specific, Security Operations

Brazil-Targeting Malware Exploits Windows UIA to Evade Detection


A banking Trojan long confined to Brazil has become the first known malware to exploit Microsoft’s UI Automation framework to extract credentials, signaling a new tactic that may evade conventional detection.


The latest variant of the Coyote banking Trojan has since February used the accessibility tool to extract login data from users of over 75 Brazilian banks and cryptocurrency exchanges, said researchers at Akamai.

The UIA framework, built to help screen readers and testing tools interact with interface elements, allows applications to inspect and manipulate other programs’ UI components such as buttons, text boxes and menus via automation.

Coyote has been circulating in Brazil for more than a year, primarily targeting Windows systems. Researchers at Fortinet earlier this year outlined how the malware spreads through phishing campaigns, where a zip file contains a malicious .lnk shortcut. Opening the file triggers a PowerShell script that downloads additional payloads, including Coyote itself.

The malware collects basic system information such as computer name, username and device model, and sends it to a command-and-control server. It inspects the title of the active window on the victim’s screen, and if that matches a known financial service from its target list, Coyote intercepts credentials. But if the title doesn’t match, the malware switches tactics.

That’s where UI Automation comes in. Using the framework, Coyote drills deeper into the application window, parsing browser elements such as open tabs and address bars to locate potentially relevant banking or crypto domains. This kind of inspection can be done with JavaScript injections or browser hooks, but those methods often break when sites update their UI or when browser versions change. “UIA provides several things for an attacker, including a simple solution for malware developers to parse sub-elements of another application,” the report said.

The approach allows Coyote to work across multiple browser types without the need for custom code per site. UIA-based inspection can identify financial login pages in a way that’s resilient to cosmetic site changes, an aspect that has long limited traditional browser-injection malware.

Once it finds a match, Coyote can continue monitoring inputs or trigger overlays to collect credentials. Akamai’s researchers say the malware doesn’t need to be online to function. It runs two persistent loops – one for connected operation, another for offline mode – that continue probing the system for financial activity. If it fails to connect to its C2 infrastructure, it retries and resumes scanning. In both modes, it collects user and system data that could later be used for phishing or fraud.

The use of UI Automation for this purpose was first flagged by Akamai in December as a theoretical risk. At the time, it pointed to UIA’s potential as a stealthy channel for malware authors to inspect interfaces, control application behavior and extract information without triggering traditional endpoint defenses. The confirmation of Coyote’s UIA-based variant turns that theoretical risk into a live threat.

There are indicators that defenders can look for: the presence of UIAutomationCore.dll loaded into unexpected processes, or inter-process communication over named pipes prefixed with UIA_PIPE_, could suggest misuse of the framework. But detection is a challenge because the malware does not inject code or exploit vulnerabilities in the browser; it simply uses legitimate API calls.
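The two indicators above can be checked on a live Windows host with nothing more than built-in PowerShell. The script below is an added example written for this article, not code from Akamai's report or from the article itself. The list of processes expected to load UIAutomationCore.dll is an assumed, constructed baseline: screen readers, browsers and several shell components load the library legitimately, so the check only makes sense against a baseline captured from a known-good machine in your own environment.

```powershell
# Added example (not from the Akamai report or the article): host-side triage
# for the two UIA indicators named above. $ExpectedUiaHosts is a constructed,
# assumed baseline; rebuild it from a known-good host before relying on it.
$ExpectedUiaHosts = @('explorer', 'Narrator', 'msedge', 'chrome', 'firefox',
                      'SearchHost', 'StartMenuExperienceHost', 'TextInputHost')

function Get-UnexpectedUiaLoaders {
    # Enumerate every process whose module list contains UIAutomationCore.dll
    # and report the ones not on the baseline. Reading the module list of
    # protected or higher-privilege processes fails without elevation; those
    # are skipped rather than reported, so run elevated for full coverage.
    foreach ($p in Get-Process) {
        try {
            $mods = $p.Modules
        } catch {
            continue
        }
        $uia = $mods | Where-Object { $_.ModuleName -ieq 'UIAutomationCore.dll' }
        if ($uia -and ($ExpectedUiaHosts -notcontains $p.ProcessName)) {
            [pscustomobject]@{
                ProcessName = $p.ProcessName
                Id          = $p.Id
                Path        = $p.Path
                ModulePath  = ($uia | Select-Object -First 1).FileName
            }
        }
    }
}

function Get-UiaNamedPipes {
    # List currently open named pipes carrying the UIA_PIPE_ prefix. Narrator
    # and other accessibility clients create these too, so each hit should be
    # correlated with its owning process before it is treated as suspicious.
    [System.IO.Directory]::GetFiles('\\.\pipe\') |
        ForEach-Object { Split-Path $_ -Leaf } |
        Where-Object { $_ -like 'UIA_PIPE_*' }
}

Get-UnexpectedUiaLoaders | Format-Table -AutoSize
Get-UiaNamedPipes
```

Neither check is a conviction on its own; a finding is a prompt to look at the process path, signer and parent, since the article's point is that the malware reaches these artifacts through ordinary, legitimate API use rather than injection or an exploit.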

Akamai’s findings point to a growing trend of attackers using legitimate system features, particularly those designed for accessibility or developer testing, to bypass traditional security layers. These living-off-the-land techniques have been used before in PowerShell abuse and WMI-based persistence.
