Hi All
In fact, Akamai says Coyote is the first piece of malware to abuse the UIA framework.
The malware has been around since at least February 2024, being used to target Windows devices in Latin America. It leverages keylogging and phishing overlays to collect victims’ data, particularly credentials for banking and cryptocurrency services.
UIA is an accessibility framework for Windows applications, providing programmatic access to UI elements on the desktop. “It enables assistive technology products, such as screen readers, to provide information about the UI to end users and to manipulate the UI by means other than standard input,” according to Microsoft.
Akamai warned in December 2024 that threat actors could exploit UIA for malicious purposes by getting a user to run a specially crafted application that leverages the framework.
The company’s researchers showed how an attacker could abuse UIA for stealthy command execution, browser redirections, and sensitive data theft. Attacks work on any version of Windows since XP and they can bypass endpoint detection and response solutions.
Akamai recently discovered that the risk is not just theoretical, and malware developers have started abusing UIA, with Coyote apparently being the first piece of malware to do so in the wild.
While UIA could be abused to steal sensitive data, Coyote developers are abusing it to determine which financial services are being used by the victim. The malware first uses a Windows API to obtain the title of opened windows in an effort to see if they match a list of hard-coded website addresses associated with banks and cryptocurrency services.
https://www.securityweek.com/coyote-banking-trojan-first-to-abuse-microsoft-uia/
Regards
Caute_Cautim