TCLBANKER Banking Trojan Targets Financial Platforms via WhatsApp and Outlook

A new Brazilian banking trojan, TCLBANKER, has been identified, capable of targeting numerous financial platforms through sophisticated propagation methods.

Security researchers have identified a new Brazilian banking trojan named TCLBANKER, which is capable of targeting 59 different banking, fintech, and cryptocurrency platforms. This malware is being tracked by Elastic Security Labs under the identifier REF3076 and is considered a significant update to the previously known Maverick trojan.

Propagation Methods

TCLBANKER employs a worm component called SORVEPOTEL to spread through WhatsApp Web, targeting the contacts of infected users. The malware uses a loader with anti-analysis features that deploys two main components: a banking trojan and a worm. The infection chain begins with a malicious MSI installer packaged inside a ZIP file. This installer abuses a signed Logitech program, Logi AI Prompt Builder, to sideload and execute a malicious DLL named screen_retriever_plugin.dll.
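As an added example, not taken from the article or from Elastic Security Labs, the following Python applies a DLL-sideloading heuristic to constructed Sysmon-style image-load records; only the DLL name comes from the article, while the host executable name, directory layout and record fields are assumptions.

```python
from pathlib import PureWindowsPath

# Directories where a DLL loaded by a signed, vendor-installed program is expected to live.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# DLL name taken from the article; the Logitech executable's file name is not given there.
KNOWN_BAD_DLLS = {"screen_retriever_plugin.dll"}


def in_trusted_dir(path: str) -> bool:
    return path.lower().startswith(TRUSTED_DIRS)


def classify(event: dict) -> list[str]:
    """Return the reasons an image-load record looks like DLL sideloading (empty = benign)."""
    reasons = []
    dll_path = event["image_loaded"]
    dll_name = PureWindowsPath(dll_path).name.lower()
    if dll_name in KNOWN_BAD_DLLS:
        reasons.append("known-bad dll name")
    # Core sideloading heuristic: a signed host binary pulls an unsigned DLL from
    # a user-writable location (e.g. the directory an MSI dropped both files into).
    if event["image_signed"] and not event["dll_signed"] and not in_trusted_dir(dll_path):
        reasons.append("signed host loaded unsigned dll outside trusted dirs")
    # Signed vendor software normally runs from Program Files, not from Temp/AppData.
    if event["image_signed"] and not in_trusted_dir(event["image"]):
        reasons.append("signed host running outside trusted dirs")
    return reasons


# Constructed Sysmon-style image-load records (Event ID 7 fields, simplified). The
# "LogiPromptHost.exe" name is a placeholder, not the real Logitech binary name.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\svchost.exe",
     "image_loaded": r"C:\Windows\System32\ntdll.dll",
     "image_signed": True, "dll_signed": True},
    {"image": r"C:\Users\alice\AppData\Local\Temp\setup\LogiPromptHost.exe",
     "image_loaded": r"C:\Users\alice\AppData\Local\Temp\setup\screen_retriever_plugin.dll",
     "image_signed": True, "dll_signed": False},
    {"image": r"C:\Program Files\Vendor\app.exe",
     "image_loaded": r"C:\Users\alice\AppData\Roaming\helper.dll",
     "image_signed": True, "dll_signed": False},
]


def find_sideloads(events: list[dict]) -> list[tuple[str, list[str]]]:
    """Return (dll path, reasons) for every record that trips at least one heuristic."""
    hits = []
    for e in events:
        reasons = classify(e)
        if reasons:
            hits.append((e["image_loaded"], reasons))
    return hits


if __name__ == "__main__":
    for dll, why in find_sideloads(SAMPLE_EVENTS):
        print(dll, "->", ", ".join(why))
```

The heuristics are deliberately coarse; in production they would be tuned against the environment's known-good loaders before alerting.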

Anti-Analysis Techniques

The malicious DLL is designed to evade detection by checking for analysis tools and antivirus software. It executes only when loaded by specific executables, and it actively removes user-mode hooks placed by security software. The malware also builds a unique fingerprint from a series of system checks, including language settings, which ensures it primarily targets Brazilian users.

Functionality and Data Theft

Once activated, the banking trojan establishes persistence on the system and communicates with an external server to send basic system information. It includes a self-update mechanism and monitors the URLs in the foreground browser. If a user navigates to a targeted financial institution, TCLBANKER can initiate a command dispatch loop, allowing the operator to execute various malicious tasks, such as running shell commands, capturing screenshots, and stealing credentials through fake overlays.

Worming Capabilities

TCLBANKER also features a worming module that propagates the trojan via spam and phishing messages. It uses WhatsApp Web to hijack authenticated sessions and Microsoft Outlook to send phishing emails from the victim’s account, thereby bypassing traditional spam filters. This dual approach enhances the malware’s distribution effectiveness.

Elastic Security Labs notes that TCLBANKER represents a notable evolution within the Brazilian banking trojan landscape, incorporating sophisticated techniques that were previously associated with more advanced threat actors. This development poses a significant challenge for traditional email gateways and reputation-based defenses.

This article was produced by NeonPulse.today using human and AI-assisted editorial processes, based on publicly available information. Content may be edited for clarity and style.

NOVA-Δ

A guardian of the digital threshold. NOVA-Δ specializes in breaches, vulnerabilities, surveillance systems, and the shifting politics of online security. Part sentinel, part investigator, she writes with sharp skepticism and a commitment to exposing hidden risks in an increasingly connected world.
