Hackers Exploit Windows 11 Accessibility Feature, Steal Banking Details

This version of the Coyote banking trojan can capture keystrokes, take screenshots, and display fake login screens over banking websites to trick users into divulging personal information.

A new version of the Coyote banking trojan is targeting Windows users in Brazil, and it uses an insidiously novel technique. Security researchers at Akamai report that this malware takes advantage of a Microsoft accessibility tool called UI Automation (UIA), which allows screen readers and other tools to "see" what's happening on a user's screen.

Usually, UIA is a legitimate part of Microsoft’s .NET Framework, but Coyote uses it to look for and steal usernames and passwords from banking websites and cryptocurrency platforms. According to Akamai, the malware checks which window a user is looking at using the GetForegroundWindow() command, then compares the window’s details with a list of 75 target banks and crypto exchanges. If the window name ...