
TCLBANKER Banking Trojan Targets Financial Platforms with WhatsApp and Outlook Worms

Threat hunters have flagged a previously undocumented Brazilian banking trojan called TCLBANKER that is capable of targeting 59 banking, fintech, and cryptocurrency platforms.

The activity is being tracked by Elastic Security Labs under the moniker REF3076. The malware family is assessed to be a significant evolution of Maverick, which is known to have been distributed by a worm called SORVEPOTEL that spreads through WhatsApp Web to the victim’s contacts. The Maverick campaign has been attributed to a threat group that Trend Micro tracks as Water Saci.

At the core of the attack chain is a heavily anti-analysis-hardened loader that carries two embedded modules: a full-featured banking trojan and a worm component that uses WhatsApp and Microsoft Outlook to spread.

“The observed infection chain consists of a malicious MSI installer inside a ZIP file,” said security researchers Jia Yu Chan, Daniel Stepanic, Seth Goodwin, and Terrance DeJesus. “These MSI installer packages abuse Logitech’s signed program called Logi AI Prompt Builder.”

The attack uses DLL side-loading against that application to execute a malicious DLL (“screen_retriever_plugin.dll”), which acts as a loader with a “watchdog subsystem” that continuously monitors for analysis tools, sandboxes, debuggers, uninstallers, toolkits, and antivirus software in order to evade detection.

Specifically, the malicious DLL will only execute if it is loaded by “logiapromptbuilder.exe” (the Logitech program) or “tclloader.exe” (likely a reference to the executable used by the developers during testing). It also removes any user-mode hooks that endpoint security software has placed inside “ntdll.dll” by reloading the library, and it disables Event Tracing for Windows (ETW) telemetry.

In addition, the malware computes three fingerprints from anti-debugging checks, virtualization checks, system disk information checks, and language checks, and combines them into a hash from which the key used to decrypt the embedded payload is derived. The language check verifies that the user’s default language is Brazilian Portuguese.

“For example, if a debugger is present, it will generate the wrong hash, so when the malware tries to derive the decryption keys from the hash, the payload will not decrypt properly, and TCLBANKER will stop working,” explained Elastic.
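The mechanism Elastic describes is environmental keying: the decryption key is never stored in the binary, only recomputed from the host, so an analysis environment yields a different key and the payload stays opaque. The following is an added illustration of that idea, not TCLBANKER’s code. The fingerprint fields, the key schedule (an HMAC-SHA256 keystream plus an authentication tag) and the placeholder payload are assumptions chosen for the demonstration; the article does not document how the real sample builds its hash.

```python
"""Environment-keyed payload decryption, as described in the article.

Added example, not the malware's own code. Fingerprint fields, key schedule
and payload bytes are constructed for the demonstration.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class Fingerprint:
    debugger_present: bool   # e.g. PEB BeingDebugged / IsDebuggerPresent
    hypervisor: bool         # e.g. CPUID hypervisor bit, VM vendor strings
    disk_info: str           # e.g. system disk model / serial class
    language: str            # e.g. GetUserDefaultUILanguage result

    def digest(self) -> bytes:
        # Every field feeds the hash, so any analysis artefact changes the key.
        material = "|".join([
            str(int(self.debugger_present)),
            str(int(self.hypervisor)),
            self.disk_info,
            self.language,
        ]).encode()
        return hashlib.sha256(material).digest()


def _keystream(key: bytes, length: int) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(payload: bytes, fp: Fingerprint) -> bytes:
    """Packer side: encrypt under the key of the *expected* victim environment."""
    key = fp.digest()
    ct = bytes(p ^ k for p, k in zip(payload, _keystream(key, len(payload))))
    tag = hmac.new(key, ct, hashlib.sha256).digest()
    return tag + ct


def unseal(blob: bytes, fp: Fingerprint) -> Optional[bytes]:
    """Loader side: recompute the key from the *current* environment.
    Returns None when the environment does not match (the 'stop working' path)."""
    tag, ct = blob[:32], blob[32:]
    key = fp.digest()
    if not hmac.compare_digest(tag, hmac.new(key, ct, hashlib.sha256).digest()):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, len(ct))))


# Constructed stand-in for the embedded banking module.
PAYLOAD = b"stage-2 banking module (constructed placeholder bytes)"
VICTIM = Fingerprint(debugger_present=False, hypervisor=False,
                     disk_info="physical-nvme", language="pt-BR")


def demo() -> Dict[str, bool]:
    """Seal once for the intended victim, then try to unseal in four environments."""
    blob = seal(PAYLOAD, VICTIM)
    cases = {
        "victim_machine": VICTIM,
        "debugger_attached": Fingerprint(True, False, "physical-nvme", "pt-BR"),
        "sandbox_vm": Fingerprint(False, True, "virtual-disk", "pt-BR"),
        "english_locale": Fingerprint(False, False, "physical-nvme", "en-US"),
    }
    return {name: unseal(blob, fp) == PAYLOAD for name, fp in cases.items()}


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:18s} -> {'payload decrypted' if ok else 'decryption failed'}")
```

The practical consequence for analysts is that the stage-2 module cannot be carved out statically: either the fingerprint checks are patched so they report a matching environment, or the sample is detonated on a host (or in a carefully disguised VM) whose locale, disk and debugger state reproduce the expected hash.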

The primary payload launched after these checks pass is the banking trojan, which re-verifies that it is running on a Brazilian system and then establishes persistence through a scheduled task. Next, it beacons to an external server with an HTTP POST request containing basic system information.

TCLBANKER also includes an auto-update mechanism and a URL monitor that reads the current URL from the address bar of the foreground browser using UI Automation. The monitor targets popular browsers such as Google Chrome, Mozilla Firefox, Microsoft Edge, Brave, Opera, and Vivaldi.

The extracted URL is matched against a hard-coded list of targeted financial institutions. If there is a match, the trojan establishes a WebSocket connection to the remote server and enters a command dispatch loop, allowing the operator to perform a wide range of tasks:

  • Run shell commands
  • Take screenshots
  • Start/stop screencasting
  • Record the clipboard
  • Launch the keylogger
  • Remotely control the mouse/keyboard
  • Manage files and processes
  • List the active processes
  • List the visible windows
  • Serve fake overlays to steal credentials
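Because the C2 session and the overlays are only triggered when the address-bar URL matches the target list, an incident responder can replay a victim’s browser history against that list to work out which sessions could have been hijacked. The following is an added example for that triage step, not TCLBANKER’s own matching code. The target hostnames and the history export are constructed placeholders (the article does not publish the 59 real targets); a real run would substitute the hostnames recovered from the sample and a real history export.

```python
"""Replay browsing history against a trojan's hard-coded target list.

Added example for incident responders; not code from the article or the
malware. Target hosts and history lines are constructed placeholders.
"""
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed stand-ins for the hard-coded target list.
TARGET_HOSTS = {
    "banco.example",
    "fintech.example",
    "exchange.example",
}


def normalize_host(url: str) -> str:
    """Reduce an address-bar string to a comparable host: scheme, path, query
    and port are irrelevant, case is folded, trailing dot and 'www.' dropped."""
    parts = urlsplit(url if "://" in url else "https://" + url)
    host = (parts.hostname or "").lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def matches_target(url: str, targets=TARGET_HOSTS) -> Optional[str]:
    """Return the matched target host, or None.

    A host matches when it equals a target or is a subdomain of it. Plain
    substring matching is deliberately avoided so that a lookalike such as
    'banco.example.attacker.test' does not count as a hit."""
    host = normalize_host(url)
    for target in targets:
        if host == target or host.endswith("." + target):
            return target
    return None


# Constructed history export in "timestamp<TAB>url" form.
HISTORY = """\
2025-01-10T09:02:11Z\thttps://news.example/latest
2025-01-10T09:05:47Z\thttps://www.banco.example/login
2025-01-10T09:06:30Z\thttps://banco.example.attacker.test/login
2025-01-10T09:20:03Z\thttps://app.fintech.example:8443/dashboard?tab=cards
2025-01-10T10:11:59Z\tEXCHANGE.EXAMPLE/trade
"""


def triggering_visits(history: str, targets=TARGET_HOSTS) -> List[Tuple[str, str, str]]:
    """Return (timestamp, url, matched_target) for every visit that would have
    armed the trojan's WebSocket session and overlay logic."""
    hits = []
    for line in history.splitlines():
        if not line.strip():
            continue
        ts, url = line.split("\t", 1)
        target = matches_target(url, targets)
        if target:
            hits.append((ts, url, target))
    return hits


if __name__ == "__main__":
    for ts, url, target in triggering_visits(HISTORY):
        print(f"{ts}  {url}  -> target {target}")
```

Each hit marks a window in which credentials entered into the browser, or into an overlay drawn on top of it, should be treated as compromised and the corresponding account contacted for password resets and transaction review.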

To steal data, TCLBANKER relies on a full-screen overlay framework built on Windows Presentation Foundation (WPF) to carry out the social engineering: credential-harvesting forms, unexpected waiting screens, fake progress bars, and fake Windows updates, all while hiding the overlay from screenshot tools.

In parallel, the loader launches the worm module to spread the trojan at scale through spam and phishing messages. It takes a two-pronged approach: a WhatsApp Web worm that hijacks authenticated browser sessions, and an Outlook email worm that abuses the locally installed Microsoft Outlook to send phishing emails to the victim’s contacts.

As in the case of SORVEPOTEL, the WhatsApp worm receives a message template from the server and uses the open-source project WPPConnect to send messages to other users automatically, while filtering out groups, broadcasts, and non-Brazilian numbers.

The Outlook agent, on the other hand, is an email spambot that abuses the victim’s installed Microsoft Outlook to send phishing emails from the victim’s own email address, thereby slipping past spam filters and lending the messages an illusion of trust.

“TCLBANKER reflects the broad maturation taking place throughout the Brazilian trojan ecosystem,” concludes Elastic. “The tactics were typical of the most dangerous actors: decryption of payloads keyed to the environment, direct syscall generation, real-time orchestration of social engineering via WebSocket, now integrated into commodity crimeware.”

“The campaign gains trust and a legitimate delivery channel by hijacking victims’ WhatsApp sessions and Outlook accounts. This is a model that traditional email-distribution and reputation-based defenses are ill-equipped to handle.”
