What happened
Elastic Security Labs has documented a new Brazilian banking trojan called TCLBanker, tracked under campaign REF3076, that combines credential theft targeting 59 banking, fintech, and cryptocurrency platforms with self-spreading worm modules that propagate the malware autonomously through victims’ own WhatsApp and Microsoft Outlook accounts.
The malware is delivered through a trojanized MSI installer disguised as Logitech’s Logi AI Prompt Builder software, bundled inside a ZIP file. A malicious DLL named screen_retriever_plugin.dll masquerades as a legitimate Flutter plugin and is sideloaded when the Logitech application launches, deploying two embedded .NET Reactor-protected payloads: a banking trojan module and the worm propagation module.
The WhatsApp worm module scans Chromium browser profiles for authenticated WhatsApp Web session data stored in IndexedDB, clones the session without requiring QR-code reauthentication, and launches a hidden browser instance that bypasses bot detection using injected JavaScript. It then harvests the victim’s contact list, filters for Brazilian phone numbers, and sends phishing messages and malicious files from the victim’s own account. The Outlook worm module uses COM automation to launch Outlook, harvest contacts and sender addresses, and distribute phishing emails through the victim’s email account without user interaction.
The banking trojan component uses a WPF-based overlay system to present victims with fake credential prompts, PIN keypads, phone number collection forms, fake bank support screens, and fake Windows Update screens. Cutout overlays allow selected portions of real applications to remain visible while masking others. TCLBanker includes extensive anti-analysis protections with environment-dependent payload decryption routines that fail in sandbox and analyst environments. Elastic assesses TCLBanker as a major evolution of the MAVERICK/SORVEPOTEL banking malware family. While currently focused on Brazil through locale and timezone checks, Elastic notes that LATAM malware families have historically expanded their targeting scope over time.
Who is affected
Brazilian users of banking, fintech, and cryptocurrency platforms are the current primary targets, with the malware specifically filtering for Brazilian phone numbers during its WhatsApp propagation phase. The self-spreading mechanism means any contact of an infected victim faces exposure regardless of their own browsing behavior. Organizations whose employees use WhatsApp Web or Outlook on Windows systems face indirect risk through the propagation chain.
Why CISOs should care
TCLBanker’s self-spreading mechanism converts every infection into a distribution node that sends phishing messages from a trusted account to the victim’s entire contact list. Recipients who get a message or email with a malicious attachment from a known colleague are far less inclined to question it. This exploitation of social trust scales the campaign without requiring the operators to identify or target new victims directly.
The WPF overlay system is also worth noting for organizations in financial services. Fake credential prompts and cutout overlays that mask portions of real banking interfaces are specifically designed to intercept credentials at the moment of legitimate user action, making them difficult to distinguish from the real application.
3 practical actions
- Block unauthorized COM automation access to Outlook and restrict Chromium browser profile access from non-browser processes: TCLBanker’s worm modules rely on COM automation for Outlook and direct access to browser profile directories for WhatsApp session hijacking. Endpoint controls that flag non-browser processes reading Chromium IndexedDB data or initiating Outlook COM automation outside of authorized applications can detect this activity before propagation occurs.
- Brief employees on the risk of malicious files arriving via WhatsApp or email from known contacts: TCLBanker’s propagation makes social trust the primary vulnerability. Train employees to treat unexpected file attachments and download links from known contacts with the same scrutiny applied to unknown senders, particularly for ZIP files or MSI installers.
- Monitor for DLL sideloading patterns involving signed legitimate applications: TCLBanker uses a signed Logitech binary to load a malicious DLL. Endpoint detection rules that flag signed applications loading DLLs from non-standard paths or exhibiting network behavior inconsistent with their function provide a detection surface for this class of attack regardless of the specific lure application used.
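The two detection-oriented actions above (non-browser access to Chromium IndexedDB data or Outlook COM automation, and DLL sideloading by a signed binary) expressed as rule logic over constructed endpoint events. This is an added illustration, not Elastic's rule set; the process name signed_app.exe, the event field names and the file paths are assumptions.

```python
import re

# Constructed sample endpoint telemetry (not from the Elastic report). "signed_app.exe"
# is a hypothetical stand-in for the signed lure application; paths are illustrative.
EVENTS = [
    {"type": "file_read", "process": "signed_app.exe",
     "path": "C:\\Users\\u\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\IndexedDB"
             "\\https_web.whatsapp.com_0.indexeddb.leveldb\\000003.log"},
    {"type": "file_read", "process": "chrome.exe",
     "path": "C:\\Users\\u\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\IndexedDB"
             "\\https_web.whatsapp.com_0.indexeddb.leveldb\\000003.log"},
    {"type": "com_create", "process": "signed_app.exe", "progid": "Outlook.Application"},
    {"type": "com_create", "process": "OUTLOOK.EXE", "progid": "Outlook.Application"},
    {"type": "image_load", "process": "signed_app.exe", "process_signed": True,
     "dll": "C:\\Users\\u\\AppData\\Local\\Temp\\bundle\\screen_retriever_plugin.dll"},
    {"type": "image_load", "process": "signed_app.exe", "process_signed": True,
     "dll": "C:\\Windows\\System32\\kernel32.dll"},
]

BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe", "vivaldi.exe"}
OUTLOOK_COM_ALLOWLIST = {"outlook.exe"}  # processes expected to drive Outlook via COM
STANDARD_DLL_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
WHATSAPP_IDB = re.compile(r"\\indexeddb\\https_web\.whatsapp\.com_", re.IGNORECASE)

def flag_whatsapp_session_access(ev):
    """Non-browser process reading WhatsApp Web IndexedDB data (session cloning)."""
    return (ev["type"] == "file_read"
            and WHATSAPP_IDB.search(ev["path"]) is not None
            and ev["process"].lower() not in BROWSERS)

def flag_outlook_com_automation(ev):
    """Outlook.Application COM object instantiated by an unexpected process."""
    return (ev["type"] == "com_create"
            and ev["progid"].lower().startswith("outlook.application")
            and ev["process"].lower() not in OUTLOOK_COM_ALLOWLIST)

def flag_dll_sideload(ev):
    """Signed process loading a DLL from outside the Windows / Program Files trees."""
    return (ev["type"] == "image_load" and ev["process_signed"]
            and not ev["dll"].lower().startswith(STANDARD_DLL_DIRS))

RULES = {"whatsapp_session_access": flag_whatsapp_session_access,
         "outlook_com_automation": flag_outlook_com_automation,
         "dll_sideload": flag_dll_sideload}

def triage(events):
    """Return (rule, process) pairs for every event that matches a rule."""
    return [(name, ev["process"]) for ev in events for name, rule in RULES.items() if rule(ev)]
```

Running `triage(EVENTS)` flags only the three events attributed to the stand-in lure process; the browser, Outlook and System32 events are left alone.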
Also in the news today:
- Fake Claude AI Website Delivers New Beagle Windows Backdoor via Malvertising
- NVIDIA Confirms GeForce NOW Data Breach Affecting Armenian Regional Partner
- Zara Data Breach Exposed Personal Information of 197,000 People
- Ivanti Warns of New EPMM Flaw Exploited in Zero-Day Attacks
- Australia Warns of ClickFix Attacks Pushing Vidar Stealer Malware
- Polish Intelligence Warns Hackers Attacked Water Treatment Control Systems
