In a significant evolution of cybercrime tactics, Akamai researchers have revealed that the notorious Coyote banking trojan is now abusing Microsoft’s UI Automation (UIA) framework to harvest credentials from Brazilian banking and cryptocurrency users.
This marks the first time in-the-wild malware has been definitively confirmed to weaponize UIA, a framework originally designed to aid accessibility in applications on Windows systems.
Coyote, discovered in early 2024, is already infamous across Latin America for its adaptive credential-stealing capabilities.
However, this new variant demonstrates a leap in sophistication, leveraging UIA to stealthily extract sensitive information from browser windows and application UIs, thereby bypassing many conventional security defenses.
Technical Deep Dive: How Coyote Abuses UI Automation
Traditionally, Coyote targeted victims using the Windows API GetForegroundWindow() to detect active banking or crypto platforms.
If the active window’s title does not match its hardcoded list of 75 financial institutions, Coyote now escalates to using the UI Automation COM object, a powerful yet under-monitored aspect of Windows.
By instantiating the UIAutomationCore.dll via COM, the malware gains programmatic access to all UI elements within the active window.
Coyote traverses through browser tabs or address bars as “child elements,” reading out visible web addresses.
It cross-checks these against its internal list of banks and crypto exchanges such as Banco do Brasil, Santander, Binance, and more.
Once a match is found, Coyote proceeds to extract login credentials or initiate further social engineering steps, sometimes even simulating clicks to redirect users to malicious sites.
This method is particularly alarming because UIA operates at a high privilege level for accessibility reasons.
According to security analysis, actions performed through UIA often evade standard Endpoint Detection and Response (EDR) tools, which view these manipulations as legitimate system activity rather than malware behavior.

Akamai researchers have confirmed that in their testing, EDR tools failed to flag such abuses of UIA.
Detection and Mitigation Strategies
Detecting UIA abuse remains challenging. However, administrators can use system monitoring to identify anomalous loading of UIAutomationCore.dll in unfamiliar processes.
Additionally, inspecting for suspicious UIA-named pipes on endpoints can provide clues to malicious activity. Akamai provides practical osquery scripts to automate such checks.
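As an added illustration (not Akamai's osquery content and not code from the original report), the sketch below applies the first check to image-load telemetry: it flags any process outside a known baseline that loads UIAutomationCore.dll. The baseline paths, host names and sample events are constructed assumptions; the field names follow Sysmon Event ID 7.

```python
import json
import ntpath
from collections import defaultdict

TARGET_DLL = "uiautomationcore.dll"

# Assumed baseline: full paths of processes expected to load UIA on these hosts.
# Derive the real list from your own image-load telemetry.
BASELINE = {
    r"c:\windows\system32\narrator.exe",
    r"c:\program files\google\chrome\application\chrome.exe",
}

# Constructed sample records using Sysmon Event ID 7 (image loaded) field names.
SAMPLE_EVENTS = r"""
{"Computer":"WS-01","ProcessId":4120,"Image":"C:\\Windows\\System32\\Narrator.exe","ImageLoaded":"C:\\Windows\\System32\\UIAutomationCore.dll"}
{"Computer":"WS-02","ProcessId":7300,"Image":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe","ImageLoaded":"C:\\Windows\\System32\\UIAutomationCore.dll"}
{"Computer":"WS-02","ProcessId":5532,"Image":"C:\\Users\\ana\\AppData\\Local\\Temp\\updater.exe","ImageLoaded":"C:\\Windows\\System32\\kernel32.dll"}
{"Computer":"WS-02","ProcessId":5532,"Image":"C:\\Users\\ana\\AppData\\Local\\Temp\\updater.exe","ImageLoaded":"C:\\Windows\\System32\\UIAutomationCore.dll"}
{"Computer":"WS-02","ProcessId":6100,"Image":"C:\\Users\\ana\\AppData\\Roaming\\chrome.exe","ImageLoaded":"C:\\Windows\\SysWOW64\\uiautomationcore.dll"}
"""


def find_unfamiliar_uia_loaders(lines, baseline=BASELINE):
    """Return {(host, process_path): [pids]} for non-baseline UIA loaders."""
    hits = defaultdict(list)
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        # Only image loads of the UIA core library are of interest.
        if ntpath.basename(ev.get("ImageLoaded", "")).lower() != TARGET_DLL:
            continue
        # Compare the full normalised path, not just the file name, so a
        # binary named chrome.exe in a user-writable folder is still flagged.
        image = ntpath.normpath(ev.get("Image", "")).lower()
        if image not in baseline:
            hits[(ev.get("Computer", "?"), image)].append(ev["ProcessId"])
    return dict(hits)


if __name__ == "__main__":
    found = find_unfamiliar_uia_loaders(SAMPLE_EVENTS.splitlines())
    for (host, image), pids in sorted(found.items()):
        print(f"{host}: {image} loaded {TARGET_DLL} (pids {pids})")
```

A hit is a triage lead rather than a verdict, since assistive tools and test frameworks legitimately load the library; the value of the check comes from keeping the baseline accurate.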
Ultimately, Coyote’s evolution showcases how quickly cybercriminals adopt innovative techniques, transforming legitimate accessibility tools into potent cyber-weapons.
Experts urge organizations and endpoint users to remain vigilant for UIA-driven abuses and to implement enhanced monitoring of accessibility frameworks.





