TCLBANKER Banking Trojan Threatens 59 Financial Platforms Through WhatsApp and Outlook Worms


A newly identified Brazilian banking trojan, TCLBANKER, targets 59 banking, fintech and cryptocurrency platforms. Elastic Security Labs tracks the activity as REF3076 and assesses it to be a substantial evolution of the earlier Maverick malware family, which spread through WhatsApp Web to victims' contacts using a worm named SORVEPOTEL. The Maverick campaign is linked to a threat cluster that Trend Micro tracks as Water Saci.

Technical Overview of TCLBANKER

At the centre of TCLBANKER's infection chain is a loader with extensive anti-analysis capabilities. It deploys two components: a fully functional banking trojan and a worm that spreads through both WhatsApp and Microsoft Outlook. Researchers Jia Yu Chan, Daniel Stepanic, Seth Goodwin and Terrance DeJesus note that the infection begins with a malicious MSI installer bundled inside a ZIP file. The MSI packages abuse a legitimately signed Logitech application, Logi AI Prompt Builder, as the host for DLL side-loading; the Logitech binary itself is not exploited, only used to lend the malicious DLL a trusted parent.

The side-loaded DLL is named screen_retriever_plugin.dll. It is a loader with what the researchers call a "comprehensive watchdog subsystem" that continuously monitors for analysis tools, sandboxes, debuggers, disassemblers and antivirus software. It runs only when loaded by logiaipromptbuilder.exe (the Logitech program) or tclloader.exe (likely a test harness), so it does nothing under a generic DLL host such as rundll32.exe. It also removes the user-mode hooks that endpoint security products place in ntdll.dll and disables Event Tracing for Windows (ETW) telemetry, blinding two common detection sources before the payload runs.
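One way to surface the side-loading step on an endpoint, as an added example that is not Elastic's detection logic: the function below runs over constructed Sysmon Event ID 7 (image load)-style lines and flags the report's DLL and host names directly, plus the generic pattern of an unsigned DLL mapped from the same user-writable directory as its host executable. The paths, the second Logitech DLL name, the third-party updater and the `Signed`/`Signature` field encoding are assumptions made for the example.

```python
from __future__ import annotations
import ntpath

# Constructed Sysmon Event ID 7 (Image loaded)-style records, one
# "key=value|key=value" line each. Paths, the user name, logi_ui.dll and the
# vendor_updater.exe host are invented; screen_retriever_plugin.dll and
# logiaipromptbuilder.exe are the names given in the report.
SAMPLE_LOG = r"""
Image=C:\Users\ana\AppData\Local\Temp\LogiAI\logiaipromptbuilder.exe|ImageLoaded=C:\Users\ana\AppData\Local\Temp\LogiAI\screen_retriever_plugin.dll|Signed=false|Signature=
Image=C:\Program Files\Logitech\LogiAI\logiaipromptbuilder.exe|ImageLoaded=C:\Program Files\Logitech\LogiAI\logi_ui.dll|Signed=true|Signature=Logitech
Image=C:\Users\ana\Downloads\Updater\vendor_updater.exe|ImageLoaded=C:\Users\ana\Downloads\Updater\version.dll|Signed=false|Signature=
Image=C:\Program Files\Google\Chrome\Application\chrome.exe|ImageLoaded=C:\Windows\System32\kernel32.dll|Signed=true|Signature=Microsoft Windows
""".strip().splitlines()

# Names taken from the report.
SIDELOAD_HOSTS = {"logiaipromptbuilder.exe", "tclloader.exe"}
KNOWN_LOADER_DLLS = {"screen_retriever_plugin.dll"}
# Directories a vendor-installed program normally lives in (assumption).
TRUSTED_PREFIXES = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")


def parse_event(line: str) -> dict[str, str]:
    """Split 'k=v|k=v' into a dict; an empty Signature value parses as ''."""
    return dict(field.split("=", 1) for field in line.split("|"))


def in_program_dir(directory: str) -> bool:
    d = directory.lower().rstrip("\\") + "\\"
    return d.startswith(TRUSTED_PREFIXES)


def classify(ev: dict[str, str]) -> list[str]:
    """Return the reasons an image-load event is suspicious (empty = benign)."""
    host = ntpath.basename(ev["Image"]).lower()
    dll = ntpath.basename(ev["ImageLoaded"]).lower()
    host_dir = ntpath.dirname(ev["Image"]).lower()
    dll_dir = ntpath.dirname(ev["ImageLoaded"]).lower()
    unsigned = ev.get("Signed", "false").lower() != "true"
    reasons = []
    if dll in KNOWN_LOADER_DLLS:
        reasons.append("loader DLL name from the REF3076 report")
    if host in SIDELOAD_HOSTS and not in_program_dir(host_dir):
        reasons.append("known side-load host running from a user-writable path")
    # Generic side-loading shape: the host pulls an unsigned DLL from the very
    # directory it was dropped in, outside any program directory.
    if unsigned and host_dir == dll_dir and not in_program_dir(dll_dir):
        reasons.append("unsigned DLL mapped from the host's own non-program directory")
    return reasons


def scan(lines: list[str]) -> dict[str, list[str]]:
    """Map each flagged DLL path to its reasons."""
    hits = {}
    for line in lines:
        ev = parse_event(line)
        reasons = classify(ev)
        if reasons:
            hits[ev["ImageLoaded"]] = reasons
    return hits


if __name__ == "__main__":
    for path, why in scan(SAMPLE_LOG).items():
        print(path, "->", "; ".join(why))
```

The first record trips all three rules, the Downloads updater trips only the generic rule, and the Program Files Logitech install and Chrome loading kernel32.dll stay silent; the name-based rules are brittle once the actor renames files, so the generic rule is the one worth keeping.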

Evasion Techniques and Payload Delivery

TCLBANKER runs a series of anti-debugging and anti-virtualization checks, together with system disk and language checks, and reduces their results to three fingerprints. The fingerprints are combined into an environment hash that serves as the key for decrypting the embedded payload. Among the checks, the malware requires that the user's default language is Brazilian Portuguese. If a debugger is detected, the resulting hash is wrong, the payload does not decrypt, and execution fails; the gate cannot simply be patched out, because the correct key exists only on a host that passes every check.
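To make the gating concrete, here is an added model of environment-keyed payload decryption. It is not TCLBANKER's real scheme: the fingerprint encodings, the toy SHA-256 counter-mode cipher and the HMAC tag are this example's assumptions. It also goes one step beyond the text: because each check has only a handful of outcomes, an analyst who knows which checks are made can enumerate them and recover the key without a Brazilian Portuguese machine, which `brute_force` shows.

```python
from __future__ import annotations
import hashlib
import hmac
from itertools import product

# Expected outcome of each of the three check groups named in the report.
# The strings and the way each check is reduced to one are assumptions.
EXPECTED_FINGERPRINTS = ("no-debugger", "physical-disk", "pt-BR")
VM_DISK_MARKERS = ("vmware", "vbox", "virtual", "qemu")


def fingerprint_host(env: dict) -> tuple[str, str, str]:
    """Reduce anti-debug, disk and language checks to three strings. A failing
    check changes the string instead of aborting, so a hostile environment
    yields a wrong key rather than an obvious branch to patch."""
    fp_debug = "debugger" if env["debugger_present"] else "no-debugger"
    model = env["disk_model"].lower()
    virtual = env["disk_gb"] < 100 or any(m in model for m in VM_DISK_MARKERS)
    fp_disk = "virtual-disk" if virtual else "physical-disk"
    return (fp_debug, fp_disk, env["ui_language"])


def derive_key(fingerprints) -> bytes:
    h = hashlib.sha256()
    for fp in fingerprints:
        h.update(fp.encode() + b"\x00")
    return h.digest()


def _keystream(key: bytes, n: int) -> bytes:
    """Toy stream cipher: SHA-256 over key||counter (illustration only)."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(key + counter.to_bytes(4, "little")).digest()
        counter += 1
    return bytes(out[:n])


def build_blob(payload: bytes, fingerprints) -> bytes:
    """Packer side: encrypt under the expected environment's key, prepend HMAC."""
    key = derive_key(fingerprints)
    ct = bytes(a ^ b for a, b in zip(payload, _keystream(key, len(payload))))
    return hmac.new(key, ct, hashlib.sha256).digest() + ct


def unpack(blob: bytes, env: dict):
    """Loader side: the payload, or None when the host-derived key fails
    verification (debugger, VM-looking disk, non pt-BR UI language)."""
    key = derive_key(fingerprint_host(env))
    tag, ct = blob[:32], blob[32:]
    if not hmac.compare_digest(tag, hmac.new(key, ct, hashlib.sha256).digest()):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, len(ct))))


def brute_force(blob: bytes, candidates: list[list[str]]):
    """Analyst side: the key space is the product of the per-check outcomes,
    not 2**256, so it can be walked once the checks are understood."""
    tag, ct = blob[:32], blob[32:]
    for combo in product(*candidates):
        key = derive_key(combo)
        if hmac.compare_digest(tag, hmac.new(key, ct, hashlib.sha256).digest()):
            return combo
    return None


# Constructed sample payload and hosts (values invented for the example).
SAMPLE_PAYLOAD = b"stage-2 banker stub (placeholder bytes)"
SAMPLE_BLOB = build_blob(SAMPLE_PAYLOAD, EXPECTED_FINGERPRINTS)
CLEAN_BR_HOST = {"debugger_present": False, "disk_gb": 512,
                 "disk_model": "Samsung SSD 870", "ui_language": "pt-BR"}
DEBUGGED_HOST = dict(CLEAN_BR_HOST, debugger_present=True)
SANDBOX_HOST = dict(CLEAN_BR_HOST, disk_gb=60, disk_model="VMware Virtual disk")
US_HOST = dict(CLEAN_BR_HOST, ui_language="en-US")
CANDIDATES = [["no-debugger", "debugger"],
              ["physical-disk", "virtual-disk"],
              ["en-US", "pt-BR", "es-ES"]]

if __name__ == "__main__":
    print("clean pt-BR host :", unpack(SAMPLE_BLOB, CLEAN_BR_HOST))
    print("debugged host    :", unpack(SAMPLE_BLOB, DEBUGGED_HOST))
    print("recovered key fp :", brute_force(SAMPLE_BLOB, CANDIDATES))
```

The practical consequence for a sandbox is that it must present the expected environment (pt-BR UI language, physical-looking disk, no debugger) to get the payload at all; the practical consequence for a reverse engineer is that, once the checks are identified statically, the enumeration in `brute_force` replaces the need for such a machine.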

Once those checks pass, the banking trojan starts, confirms once more that it is running on a Brazilian system, and establishes persistence through a scheduled task. It then sends an HTTP POST request containing basic system information to an external server.

Functionality and Data Theft Mechanisms

TCLBANKER includes a self-update mechanism and URL monitoring that reads the current URL from the foreground browser's address bar through UI Automation. It supports Google Chrome, Mozilla Firefox, Microsoft Edge, Brave, Opera and Vivaldi. The URL is matched against a hard-coded list of financial institutions; on a match, the malware opens a WebSocket connection to a remote server and enters a command dispatch loop through which operators can perform a range of tasks, including:

  • Running shell commands
  • Capturing screenshots
  • Starting/stopping screen streaming
  • Manipulating the clipboard
  • Launching a keylogger
  • Remotely controlling mouse and keyboard
  • Managing files and processes
  • Enumerating running processes
  • Listing visible windows
  • Serving fake credential-stealing overlays

For data theft, TCLBANKER uses a full-screen overlay framework built on Windows Presentation Foundation (WPF). The overlays are social-engineering screens: credential-harvesting prompts, vishing wait screens, fake progress bars and counterfeit Windows Update screens, and the framework hides them from screen capture tools at the same time.

Propagation via WhatsApp and Outlook

Beyond data theft, TCLBANKER has a dual propagation strategy: a WhatsApp Web worm that hijacks the victim's authenticated browser session, and an Outlook email bot that abuses the victim's Microsoft Outlook client to send phishing emails to their contacts. Both channels spread the trojanized installer from the victim's own accounts to people who already trust the sender.

The WhatsApp worm fetches message templates from a server and uses the open-source WPPConnect project to automate sending, skipping groups, broadcast lists and non-Brazilian numbers. The Outlook agent works as a spambot, sending phishing emails from the victim's own address so that they pass sender-reputation checks and appear to come from a known contact.

TCLBANKER can spam up to 3,000 contacts with the trojanized installer. Because the messages originate from a legitimate account and reach recipients who know the sender, email gateways and reputation-based defenses have little to key on.
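The propagation above does leave a distinctive shape in mail telemetry: one mailbox sending the same attachment to many distinct recipients within minutes. The added example below is not from the report; addresses, hashes, timestamps, the log format and the thresholds are invented. It builds such message-trace-style lines and flags the burst while leaving a normal user and an attachment-free all-hands mailing alone.

```python
from __future__ import annotations
from collections import Counter, defaultdict
from datetime import datetime, timedelta


def _constructed_log() -> list[str]:
    """Constructed message-trace style lines. Every address, hash and time
    is invented for this example."""
    base = datetime(2025, 1, 10, 9, 0, 0)
    lines = []
    # Compromised mailbox: 40 messages, 40 distinct recipients, one ZIP, 4 min.
    for i in range(40):
        t = base + timedelta(seconds=6 * i)
        lines.append(f"{t:%Y-%m-%dT%H:%M:%S}Z sender=ana@corp.example.br "
                     f"rcpt=contato{i:03d}@example.br attach=Documento.zip sha256=1111aaaa")
    # Ordinary user: a few mails with different attachments over the morning.
    normal = [("joao@example.br", "relatorio.pdf", "2222bbbb"),
              ("maria@example.br", "foto.jpg", "3333cccc"),
              ("pedro@example.br", "orcamento.xlsx", "4444dddd")]
    for i, (rcpt, name, digest) in enumerate(normal):
        t = base + timedelta(minutes=30 * i)
        lines.append(f"{t:%Y-%m-%dT%H:%M:%S}Z sender=bruno@corp.example.br "
                     f"rcpt={rcpt} attach={name} sha256={digest}")
    # All-hands mailing: many recipients in a burst, but no attachment.
    for i in range(40):
        t = base + timedelta(seconds=6 * i)
        lines.append(f"{t:%Y-%m-%dT%H:%M:%S}Z sender=rh@corp.example.br "
                     f"rcpt=func{i:03d}@corp.example.br attach=- sha256=-")
    return lines


SAMPLE_LOG = _constructed_log()


def parse_line(line: str) -> dict:
    ts, *fields = line.split()
    ev = dict(f.split("=", 1) for f in fields)
    ev["time"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return ev


def detect_spambot(lines: list[str], window: timedelta = timedelta(minutes=10),
                   min_recipients: int = 25, min_share: float = 0.9) -> list[dict]:
    """One alert per sender whose messages inside any `window` reach at least
    `min_recipients` distinct recipients with a single attachment hash making
    up at least `min_share` of those messages. Thresholds are assumptions."""
    by_sender: dict[str, list[dict]] = defaultdict(list)
    for ev in map(parse_line, lines):
        by_sender[ev["sender"]].append(ev)
    alerts = []
    for sender, evs in by_sender.items():
        evs.sort(key=lambda e: e["time"])
        for i, start in enumerate(evs):
            bucket = [e for e in evs[i:] if e["time"] - start["time"] <= window]
            rcpts = {e["rcpt"] for e in bucket}
            hashes = Counter(e["sha256"] for e in bucket if e["sha256"] != "-")
            if len(rcpts) < min_recipients or not hashes:
                continue
            top_hash, top_count = hashes.most_common(1)[0]
            if top_count / len(bucket) >= min_share:
                alerts.append({"sender": sender, "recipients": len(rcpts),
                               "sha256": top_hash, "first_seen": start["time"]})
                break  # one alert per sender is enough
    return alerts


if __name__ == "__main__":
    for alert in detect_spambot(SAMPLE_LOG):
        print(alert)
```

The shared-attachment condition is what keeps the all-hands mailing out of the alert list; it is tuned to this campaign's shape (a trojanized installer attached to every message), so a variant that sends links rather than attachments needs a URL-based equivalent. The WhatsApp channel produces no mail-side telemetry at all, which is why endpoint detection of the side-loaded loader remains the earlier control.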

Current Status and Future Implications

The REF3076 campaign appears to be in its early operational stages, with indications of debug logging paths, test process names, and an incomplete phishing site within the code. This suggests that the campaign is still under development and may evolve further.

TCLBANKER signifies a broader maturation within the Brazilian banking trojan ecosystem. Techniques that were once characteristic of more sophisticated threat actors—such as environment-gated payload decryption, direct syscall generation, and real-time social engineering orchestration over WebSocket—are now being integrated into more accessible crimeware.

The campaign’s ability to hijack victims’ WhatsApp sessions and Outlook accounts allows it to inherit the trust and deliverability of legitimate communications, creating a distribution model that traditional defenses are ill-equipped to combat.

For further details on this developing story, refer to the original reporting source: thehackernews.com.
