Brazilian criminals created and exported a virus that diverts transfers at more than 60 banks. The virtual fraud went unnoticed until the beginning of this year, according to the Kaspersky antivirus research team.
The malicious program (malware), called Coyote, is distributed by email and poses as a Windows update package, called Squirrel, which is triggered when the file sent in the message is opened.
The attack targets personal computers used in companies and public offices. It is what specialists call a banking Trojan, a reference to the Trojan horse used by the Greeks to get past enemy walls.
The virus uses a phased installation strategy that makes it difficult for antivirus software to detect. Additionally, it uses the Nim programming language, seen for the first time in a trojan. “This all helps to break through the victim’s system defenses,” says the director of Kaspersky’s Latin America research team, Fabio Assolini.
The Nim language seen in Coyote had already been recorded in ransomware and is capable of running on different devices with different operating systems — Windows, iOS, Android or Linux, for example. This is what experts call multimodal.
The developers implemented unprecedented techniques in creating Coyote, which made this virus a relevant discovery at an international level, according to Kaspersky.
Once installed, the virus monitors the victim’s activity on banking websites. The program is capable of capturing the letters typed by the user, moving the mouse and configuring a fake page to steal data.
After stealing banking information, criminals can carry out financial operations and drain their targets’ accounts or make credit card purchases.
To carry out the fraud without the computer owner noticing, Coyote blocks the victim’s screen and displays a fake Windows update announcement. Behind the fake image, illegal transfers occur.
The only solution to avoid Coyote is to be wary of emails from unknown or strange senders. One tip is to check whether the server in the sender’s address (@empresa.com) matches that of the original website. Another is to have current versions of antivirus software installed.
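The sender check described above, written out as an added Python example that is not part of the original article or of Kaspersky's research. The bank domain and the From lines are constructed, and a match only means the address claims the right domain, since a From line can itself be forged.

```python
from email.utils import parseaddr

def sender_domain(from_header):
    """Domain of the actual address in a From line; the display name is ignored."""
    _display, addr = parseaddr(from_header)
    if addr.count("@") != 1:
        return ""
    domain = addr.rsplit("@", 1)[1].strip().rstrip(".").lower()
    try:
        # The punycode form exposes look-alike characters as "xn--..." labels.
        return domain.encode("idna").decode("ascii")
    except UnicodeError:
        return ""

def matches_site(from_header, site_domain):
    """True only if the sender's domain is the site's domain or a subdomain of it."""
    sender = sender_domain(from_header)
    site = site_domain.strip().rstrip(".").lower()
    if site.startswith("www."):
        site = site[4:]
    if not sender or not site:
        return False
    # Compare whole labels from the right, so "site.other.example" and
    # "xsite" both fail even though they contain the site's name.
    return sender == site or sender.endswith("." + site)

# Constructed sample data: a hypothetical bank site and From lines.
BANK_SITE = "www.banco-exemplo.example"
SAMPLES = [
    "Banco Exemplo <aviso@banco-exemplo.example>",
    "Banco Exemplo <aviso@mail.banco-exemplo.example>",
    "Banco Exemplo <aviso@banco-exemplo.example.atualizacao.example>",
    "Banco Exemplo <aviso@xbanco-exemplo.example>",
    '"suporte@banco-exemplo.example" <update@outro.example>',
    "Banco Exemplo <aviso@b\u0430nco-exemplo.example>",  # Cyrillic "a"
]

def review(samples=SAMPLES, site=BANK_SITE):
    """Return (from_line, matches) pairs for each sample."""
    return [(s, matches_site(s, site)) for s in samples]

if __name__ == "__main__":
    for line, ok in review():
        print("match   " if ok else "MISMATCH", line)
```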
Around 90% of detections of the new virus occurred in Brazil, according to Kaspersky. Although it has local origins, the invading program has already been detected in other Latin American countries.
Brazilian cybercriminals are a global reference in programming banking trojans and exporting them. There are records of Brazilian viruses even in Australia.
Kaspersky alone recorded more than 18 million banking trojan attacks in 2023, almost double what was recorded in 2020.
In the rest of the world, this type of attack has lost ground due to the popularization of ransomware, attacks that hijack the databases of large companies to ask for high ransoms to return the information.
JBS, for example, paid US$11 million (R$55 million) to criminals who broke into its data centers in the USA.
Hijacking business systems requires a high investment of time and human resources.
Brazilian criminals, in general, prefer to dedicate themselves to attacks against individuals on a large scale due to greater technical ease, according to Assolini, from Kaspersky.
The adoption of recent languages such as Nim paves the way for a greater chance of viruses infecting cell phones. Besides making the work of cybersecurity specialists more difficult, this should challenge the defenses of banking apps, currently the preferred way of carrying out financial transactions in Brazil, according to data from Febraban (Brazilian Federation of Banks).
Criminals, however, continue to target personal computers, as these machines are used in financial transactions by legal entities.
“Companies and public bodies move larger amounts of money, which increases cybercriminals’ earnings,” says Assolini.