TCLBANKER Malware Spreads via WhatsApp and Outlook Worm Modules
Key Takeaways TCLBANKER, an advanced Brazilian banking trojan, is actively spreading through a new campaign, REF3076. The malware leverages a DLL side-loading technique using a digitally signed...
Key Takeaways
- TCLBANKER, an advanced Brazilian banking trojan, is actively spreading through a new campaign, REF3076.
- The malware leverages a DLL side-loading technique using a digitally signed Logitech installer to gain initial access.
- It features sophisticated worm modules that self-propagate via compromised WhatsApp Web sessions and Microsoft Outlook accounts.
- TCLBANKER targets 59 distinct financial institutions, fintech platforms, and cryptocurrency websites.
- Attackers utilize serverless cloud infrastructure, including Cloudflare Workers, for command-and-control and file hosting, complicating detection and blocking efforts.
Sophisticated Brazilian Banking Trojan, TCLBANKER, Employs WhatsApp and Outlook Worms for Rapid Spread
A highly evolved Brazilian banking trojan, now identified as TCLBANKER, is actively circulating under the campaign codename REF3076. This malware represents a significant evolution from its predecessors, the Maverick and SORVEPOTEL families, distinguishing itself through an innovative infection vector and advanced self-propagation capabilities via popular communication platforms like WhatsApp and Microsoft Outlook.
Table Of Content
- Key Takeaways
- Sophisticated Brazilian Banking Trojan, TCLBANKER, Employs WhatsApp and Outlook Worms for Rapid Spread
- Initial Infection and Evasion Techniques
- Financial Targets and Credential Theft
- Worm Modules: WhatsApp and Outlook Propagation
- Cloud Infrastructure and Evolving Threat
- What You Should Do
Initial Infection and Evasion Techniques
The infiltration process begins when a user downloads a malicious ZIP archive. Inside this archive lies an installer designed to exploit a legitimate, digitally signed Logitech program, specifically “Logi AI Prompt Builder.” The attackers employ a DLL side-loading technique, tricking the authentic Logitech application into loading a malicious dynamic-link library instead of its intended system components. Once this hidden loader is active, it establishes control over the compromised system, preparing it for subsequent attack stages.
TCLBANKER incorporates robust anti-analysis mechanisms to evade detection. Before fully deploying its payload, it performs extensive checks for security sandboxes, debugging tools, virtual machine environments, and specific antivirus software. Furthermore, the malware verifies the system’s language and time zone, ensuring the victim is indeed located in Brazil. If these environmental checks do not align with a genuine Brazilian user setup, the payload decryption is aborted, effectively concealing the malware from automated security scanners and researchers.
Financial Targets and Credential Theft
Upon confirming it is operating within a legitimate victim’s environment, TCLBANKER deploys its core banking trojan functionalities. This component actively monitors the user’s web browser activity, specifically looking for visits to any of 59 predefined banking institutions, financial technology platforms, or cryptocurrency trading websites. When a match is detected, the malware initiates communication with a remote command-and-control server.
To steal sensitive credentials, the trojan utilizes full-screen overlays crafted with Microsoft’s Windows Presentation Foundation. These deceptive overlays mimic authentic banking prompts or official Windows Update screens, covering the entire desktop. They are designed to freeze the user interface, disable critical keyboard shortcuts (such as the Windows key and Escape), and prevent screen-capture tools from functioning. This coercive method forces victims to input their security codes or personal identification numbers directly into the attacker’s fake interface, thereby compromising their accounts.
Worm Modules: WhatsApp and Outlook Propagation
A critical feature enhancing TCLBANKER’s danger is its sophisticated self-propagation capability. The first worm module targets WhatsApp Web. The malware scans the infected computer for active web browsers, including Chrome and Edge, to identify logged-in WhatsApp sessions. Rather than requiring a new QR code scan, the malware covertly clones the existing session data. It then opens a hidden browser window, circumvents bot detection mechanisms, and sends phishing messages containing the malware file directly to the victim’s WhatsApp contacts. The messages originate from a trusted source, significantly increasing the likelihood of new victims downloading the malicious attachment.
The second worm module focuses on email propagation through Microsoft Outlook. It silently launches Outlook in the background and exploits Windows COM automation to seize complete control of the victim’s email account. The bot systematically harvests contacts from the address book and inbox. It then generates new phishing emails, dispatching them from the infected user’s actual email address. This technique effectively bypasses conventional email security filters, as the malicious emails originate from a trusted and legitimate sender.
Cloud Infrastructure and Evolving Threat
The command and control infrastructure for TCLBANKER’s malicious operations is managed through serverless cloud tools, specifically Cloudflare Workers. This strategy allows the attackers to rapidly change their server endpoints, making it difficult for simple network defenses to block them. Furthermore, the malicious files are hosted on Cloudflare, lending a deceptive sense of legitimacy to the download links for unsuspecting users. Researchers observe that this campaign appears to be in its nascent stages, suggesting that the threat actors are likely preparing to broaden their attack scope and target base.
What You Should Do
- Monitor for unusual background processes initiated by legitimate applications, particularly those from Logitech, as this could indicate DLL side-loading.
- Implement and regularly review advanced endpoint detection and response (EDR) solutions capable of identifying unauthorized browser profile cloning and suspicious outbound email activity from applications like Microsoft Outlook.
- Educate users about the dangers of phishing, especially messages containing attachments or links received from unexpected sources, even if they appear to come from trusted contacts.
- Be vigilant for full-screen overlays that prevent interaction with the desktop or block keyboard shortcuts; these are strong indicators of credential theft attempts.
- Ensure all operating systems, web browsers, and communication applications (like WhatsApp Desktop and Microsoft Outlook) are kept up-to-date with the latest security patches.
- Consider implementing multi-factor authentication (MFA) on all financial accounts and communication platforms to add an extra layer of security against compromised credentials.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.