Malware, Threat Intelligence

Maverick, Coyote banking trojans significantly similar, report finds


The newly discovered Maverick banking trojan has notable similarities with the Coyote malware, The Hacker News reports.

Both Maverick and Coyote are written in .NET, target Brazilian banks and users, and are distributed through WhatsApp Web; they also share the same encryption algorithm for decrypting their lists of targeted banking URLs, according to a CyberProof analysis.

The attackers delivered ZIP archives containing a Windows LNK file which, when opened, launched cmd.exe or PowerShell to disable Microsoft Defender and User Account Control and fetch a .NET loader. The loader deployed the SORVEPOTEL and Maverick modules, with Maverick installed only on devices located in Brazil.
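The chain above (LNK launched from the desktop, a shell spawned from it, Defender and UAC switched off, then a second-stage fetch) is a detectable parent/child pattern in process-creation telemetry. The following is an added example, not code from the article or from CyberProof or Trend Micro, that walks Sysmon-style process-creation events and raises an alert when a shell spawned by explorer.exe (the usual parent for a double-clicked LNK; an assumption, the article does not state the parent process) has a descendant whose command line tampers with Defender real-time monitoring or the EnableLUA UAC setting. The article only says the shell "deactivates" Defender and UAC; the concrete command-line patterns below are assumptions about common ways of doing so, and the log lines are constructed for the example.

```python
"""Correlate LNK-style shell launches with Defender/UAC tampering (added example)."""
import json
import re
from collections import defaultdict

# Constructed sample telemetry (not from the article): one JSON object per line,
# loosely modelled on Sysmon event ID 1 fields.
SAMPLE_EVENTS = r'''
{"host":"ws01","pid":412,"ppid":300,"image":"C:\\Windows\\explorer.exe","cmdline":"explorer.exe"}
{"host":"ws01","pid":5120,"ppid":412,"image":"C:\\Windows\\System32\\cmd.exe","cmdline":"cmd.exe /c powershell -w hidden -ep bypass -c \"Set-MpPreference -DisableRealtimeMonitoring $true\""}
{"host":"ws01","pid":5144,"ppid":5120,"image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","cmdline":"powershell -w hidden -ep bypass -c \"Set-MpPreference -DisableRealtimeMonitoring $true\""}
{"host":"ws01","pid":5160,"ppid":5144,"image":"C:\\Windows\\System32\\reg.exe","cmdline":"reg add HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System /v EnableLUA /t REG_DWORD /d 0 /f"}
{"host":"ws02","pid":801,"ppid":300,"image":"C:\\Windows\\System32\\cmd.exe","cmdline":"cmd.exe /c dir"}
'''

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# Assumption: a user double-clicking an LNK yields a shell whose parent is explorer.exe.
LAUNCHER = "explorer.exe"

# Assumed tamper patterns; the article names the outcome (Defender and UAC off), not the commands.
TAMPER_PATTERNS = {
    "defender_realtime_off": re.compile(r"set-mppreference.*-disablerealtimemonitoring\s+\$?true", re.I),
    "uac_disabled": re.compile(r"enablelua.*/d\s+0\b", re.I),
}


def basename(path):
    """Last path component, lower-cased, so image paths compare by executable name."""
    return path.rsplit("\\", 1)[-1].lower()


def parse_events(text):
    """Parse newline-delimited JSON events, skipping blank lines."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def tamper_hits(cmdline):
    """Return the names of every tamper pattern the command line matches."""
    return [name for name, rx in TAMPER_PATTERNS.items() if rx.search(cmdline)]


def find_chains(events):
    """Alert on explorer.exe -> shell process trees that contain Defender/UAC tampering."""
    by_host_pid = {(e["host"], e["pid"]): e for e in events}
    children = defaultdict(list)
    for e in events:
        children[(e["host"], e["ppid"])].append(e)

    alerts = []
    for e in events:
        parent = by_host_pid.get((e["host"], e["ppid"]))
        if basename(e["image"]) not in SHELLS or parent is None:
            continue
        if basename(parent["image"]) != LAUNCHER:
            continue
        # Walk the whole subtree under the shell; tampering may happen a few hops down.
        stack, chain, hits = [e], [], set()
        while stack:
            cur = stack.pop()
            chain.append(cur["pid"])
            hits.update(tamper_hits(cur["cmdline"]))
            stack.extend(children[(cur["host"], cur["pid"])])
        if hits:
            alerts.append({"host": e["host"], "root_pid": e["pid"],
                           "pids": sorted(chain), "hits": sorted(hits)})
    return alerts


if __name__ == "__main__":
    for alert in find_chains(parse_events(SAMPLE_EVENTS)):
        print(json.dumps(alert))
```

The benign `cmd.exe /c dir` on ws02 produces no alert because its parent is not in the telemetry and its command line matches nothing; the ws01 tree is reported once, rooted at the cmd.exe that explorer.exe spawned, with both tamper indicators attached. In production the launcher heuristic should be widened to whatever launches LNK files in your environment, and the pattern list tuned to the Defender and UAC tampering you actually observe.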

The findings follow a Trend Micro report that the Water Saci attackers have adopted a new infection chain that uses VBScript and PowerShell to hijack WhatsApp browser sessions and distribute a ZIP file containing SORVEPOTEL.

"The infection methods and ongoing tactical evolution, along with the region-focused targeting, indicate that Water Saci is likely linked to Coyote, and both campaigns operate within the same Brazilian cybercriminal ecosystem," said Trend Micro.
