A previously undocumented Brazilian banking trojan, TCLBANKER, has been described by Elastic Security Labs, which tracks the activity as REF3076. The trojan targets customers of 59 banking, fintech and cryptocurrency platforms. It builds on its predecessor, Maverick, and adds worm components that spread it through the victim's own messaging and email accounts.
The Evolution of a Digital Predator: From Maverick to TCLBANKER
TCLBANKER is a substantial upgrade of the Maverick malware, which Trend Micro attributes to the “Water Saci” cluster; the lineage points to a threat actor that keeps developing its tooling. At its core is a loader with extensive anti-analysis capabilities that deploys two embedded modules: a full-featured banking trojan and a worm component that abuses WhatsApp and Microsoft Outlook to spread.
Ingenious Infection: How TCLBANKER Gains Entry and Evades Detection
The Deceptive Delivery Mechanism
The infection chain begins with a malicious MSI installer delivered inside a ZIP file. Rather than dropping a standalone executable, the installer abuses legitimate signed software. As security researchers Jia Yu Chan, Daniel Stepanic, Seth Goodwin, and Terrance DeJesus note, “These MSI installer packages are abusing a signed Logitech program called Logi AI Prompt Builder.” The trusted program is used for DLL side-loading: it loads the malicious “screen_retriever_plugin.dll”, which poses as a legitimate plugin, so the payload runs inside a signed, recognisable process.
A Fortress of Stealth and Evasion
Once active, the loader operates as what Elastic calls a “comprehensive watchdog subsystem” that continuously scans for and thwarts analysis tools, sandboxes, debuggers, disassemblers, instrumentation tools and antivirus software. The malicious DLL runs its payload only when loaded by “logiaipromptbuilder.exe” or “tclloader.exe” (likely a testing executable); loaded by any other host process, such as an analyst's harness, it does not execute. It also removes usermode hooks that endpoint security products place in “ntdll.dll” and disables Event Tracing for Windows (ETW) telemetry, cutting off two of the main data sources EDR sensors rely on.
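The side-loading pattern above (a signed host process pulling an unsigned DLL from a user-writable directory, and the DLL gating itself on that host name) is easy to express as a detection over image-load telemetry. The following is an added example written for this page, not Elastic's detection logic or any vendor's code. It runs over constructed Sysmon Event ID 7 (ImageLoad)-style records embedded below; the install directory, the expected signer name and the trusted roots are assumptions to adapt to your own fleet.

```python
# Added example: detection logic for the DLL side-loading pattern above.
# Editor's code, not Elastic's or the malware's. Paths, signer name and
# trusted roots are assumptions; the sample records are constructed.
from dataclasses import dataclass
from pathlib import PureWindowsPath

EXPECTED_HOST = "logiaipromptbuilder.exe"     # host process named in the report
EXPECTED_SIGNER = "Logitech"                   # assumption: expected DLL signer
TRUSTED_ROOTS = (r"C:\Program Files", r"C:\Program Files (x86)", r"C:\Windows")


@dataclass
class ImageLoad:
    image: str          # process that performed the load
    image_loaded: str   # full path of the DLL that was loaded
    signed: bool        # Authenticode signature present and valid
    signature: str      # signer subject, "" when unsigned


def is_under(path: str, roots=TRUSTED_ROOTS) -> bool:
    """True when path sits below one of the trusted roots (case-insensitive)."""
    p = path.lower()
    return any(p.startswith(r.lower() + "\\") for r in roots)


def dll_sideload_alerts(events):
    """Return (dll_path, reasons) for each load that fits the side-loading
    pattern: the Logitech host process loading an untrusted DLL from outside
    the install/system directories, or the host itself running from a
    user-writable path (the ZIP/MSI drop location)."""
    alerts = []
    for ev in events:
        if PureWindowsPath(ev.image).name.lower() != EXPECTED_HOST:
            continue
        reasons = []
        if not is_under(ev.image):
            reasons.append("host executable runs from a user-writable path")
        untrusted_dll = not ev.signed or ev.signature != EXPECTED_SIGNER
        if untrusted_dll and not is_under(ev.image_loaded):
            reasons.append("untrusted DLL loaded from outside install/system dirs")
        if reasons:
            alerts.append((ev.image_loaded, reasons))
    return alerts


# Constructed sample records (not real telemetry). The Logitech install
# directory below is an assumption.
SAMPLE_EVENTS = [
    ImageLoad(r"C:\Program Files\Logitech\LogiAIPromptBuilder\logiaipromptbuilder.exe",
              r"C:\Windows\System32\kernel32.dll", True, "Microsoft Windows"),
    ImageLoad(r"C:\Program Files\Logitech\LogiAIPromptBuilder\logiaipromptbuilder.exe",
              r"C:\Program Files\Logitech\LogiAIPromptBuilder\plugin.dll", True, "Logitech"),
    ImageLoad(r"C:\Users\victim\AppData\Local\Temp\Inst\logiaipromptbuilder.exe",
              r"C:\Users\victim\AppData\Local\Temp\Inst\screen_retriever_plugin.dll", False, ""),
    ImageLoad(r"C:\Windows\System32\notepad.exe",
              r"C:\Windows\System32\kernel32.dll", True, "Microsoft Windows"),
]

if __name__ == "__main__":
    for dll, reasons in dll_sideload_alerts(SAMPLE_EVENTS):
        print(dll, "->", "; ".join(reasons))
```

Note that the rule keys on the host process name and the trust of the loaded module rather than on the DLL name alone, so renaming the payload DLL does not evade it, while a genuinely Logitech-signed plugin loaded from an unusual path still passes.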
TCLBANKER also computes three fingerprints from anti-debugging, anti-virtualization, system disk and language checks and combines them into an environment hash, from which the key for its embedded payload is derived. The language check requires Brazilian Portuguese, which both confirms the targeting and keeps the payload encrypted on any machine outside that locale. Because the key is derived rather than embedded, it cannot simply be pulled out of the binary; every check has to return the expected result before the payload exists in the clear. As Elastic explains, “if a debugger is present, it will produce an incorrect hash, so when the malware attempts to derive the decryption keys from the hash, the payload will not decrypt correctly, and TCLBANKER will stop executing.”
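The mechanism Elastic describes is worth seeing end to end. The block below is an added illustration written for this page, not TCLBANKER's code: the concrete checks, the fingerprint layout, the use of SHA-256 for the environment hash, the fixed header used to validate decryption and the HMAC-based stream cipher are all stand-ins chosen so the example runs offline. What it does reproduce is the essential property: the key is a function of the check results, so the packer can precompute it for the expected victim, and any deviation (debugger, VM disk, wrong UI language) silently yields a different key.

```python
# Added example: environment-gated payload decryption of the kind the report
# describes. Editor's illustration, not TCLBANKER's code; checks, hash layout,
# header and cipher are stand-ins, and the environments below are constructed.
import hashlib
import hmac
from dataclasses import dataclass

MAGIC = b"TCL1"  # assumption: a fixed header lets the loader detect a bad key
VIRTUAL_DISK_MARKERS = ("VBOX", "VMWARE", "QEMU", "VIRTUAL")  # assumption


@dataclass
class Environment:
    debugger_present: bool
    hypervisor_present: bool
    disk_model: str      # system disk model string
    ui_language: str     # e.g. "pt-BR"


def fingerprints(env: Environment):
    """Three fingerprints built from the *results* of the checks, so the packer
    can precompute the value a genuine Brazilian victim machine will produce."""
    disk_virtual = any(m in env.disk_model.upper() for m in VIRTUAL_DISK_MARKERS)
    fp_debug = hashlib.sha256(b"debugger=%d" % int(env.debugger_present)).digest()
    fp_vm = hashlib.sha256(b"hypervisor=%d;vdisk=%d"
                           % (int(env.hypervisor_present), int(disk_virtual))).digest()
    fp_lang = hashlib.sha256(b"lang=" + env.ui_language.encode()).digest()
    return fp_debug, fp_vm, fp_lang


def environment_hash(env: Environment) -> bytes:
    """The combined hash that doubles as key material."""
    return hashlib.sha256(b"".join(fingerprints(env))).digest()


def keystream(key: bytes, n: int) -> bytes:
    """HMAC-SHA256 in counter mode; any keyed PRF would do for the illustration."""
    out = bytearray()
    block = 0
    while len(out) < n:
        out += hmac.new(key, block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:n])


def pack_payload(plaintext: bytes, expected: Environment) -> bytes:
    """Builder side: encrypt under the hash of the environment we expect."""
    data = MAGIC + plaintext
    ks = keystream(environment_hash(expected), len(data))
    return bytes(a ^ b for a, b in zip(data, ks))


def unpack_payload(blob: bytes, actual: Environment):
    """Loader side: derive the key from the environment actually observed.
    A failed check changes the hash, the XOR yields garbage, the header check
    fails and the loader stops (returns None) instead of running anything."""
    ks = keystream(environment_hash(actual), len(blob))
    data = bytes(a ^ b for a, b in zip(blob, ks))
    if not data.startswith(MAGIC):
        return None
    return data[len(MAGIC):]


# Constructed environments: the intended victim, a typical analysis VM under a
# debugger, and a clean machine with the wrong UI language.
VICTIM_ENV = Environment(False, False, "Samsung SSD 870 EVO", "pt-BR")
ANALYST_ENV = Environment(True, True, "VBOX HARDDISK", "en-US")
WRONG_LANG_ENV = Environment(False, False, "Samsung SSD 870 EVO", "en-US")

PAYLOAD = b"<embedded banking module bytes, constructed>"
BLOB = pack_payload(PAYLOAD, VICTIM_ENV)

if __name__ == "__main__":
    print(unpack_payload(BLOB, VICTIM_ENV))   # payload
    print(unpack_payload(BLOB, ANALYST_ENV))  # None
```

The practical consequence for analysts follows from the construction: brute-forcing a 256-bit key is hopeless, but the key space is really the set of check outcomes, which is tiny. Once the hash layout is recovered from the loader, the plausible combinations (no debugger, no hypervisor, physical disk, pt-BR) can be enumerated offline; alternatively, run the sample in an environment that satisfies every check, or patch each check to return the expected value, and dump the decrypted module from memory.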
A Multi-Faceted Attack: Command, Control, and Credential Theft
Once these checks pass and the Brazilian environment is confirmed, the banking trojan establishes persistence through a scheduled task, then contacts its command-and-control server, sending basic system information in HTTP POST requests. A self-update mechanism lets the operators replace the trojan as defenses adapt.
A URL monitor uses UI Automation to read the current URL from the foreground browser's address bar, which works across Google Chrome, Mozilla Firefox, Microsoft Edge, Brave, Opera and Vivaldi without injecting into the browser. If the URL matches a hard-coded list of targeted financial institutions, the trojan opens a WebSocket connection to its remote server and enters a command dispatch loop that gives the operator the following capabilities:
- Executing arbitrary shell commands
- Capturing screenshots and streaming screen content
- Manipulating the victim’s clipboard
- Launching a keylogger to capture keystrokes
- Remotely controlling the mouse and keyboard
- Managing files and processes on the compromised system
- Enumerating running processes and visible windows
- Serving deceptive, full-screen overlays to steal credentials
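The trigger for all of the above is the match between the address-bar URL and the target list, and how that match is written matters: a plain substring check fires on lookalike hosts and on unrelated pages that merely mention a bank, while a proper host comparison does not. The block below is an added example written for this page, not TCLBANKER's matching code (Elastic does not publish the list format); the target hostnames are constructed placeholders, not any of the 59 real targets.

```python
# Added example: the trigger condition of a URL monitor like the one above.
# Editor's illustration, not the malware's code. TARGET_HOSTS and SAMPLE_URLS
# are constructed placeholders.
from urllib.parse import urlsplit

TARGET_HOSTS = {
    "banco-exemplo.com.br",
    "fintech-exemplo.com.br",
    "exchange-exemplo.com",
}


def address_bar_host(text: str):
    """Turn what the address bar shows into a normalised hostname.
    Browsers often omit the scheme, so supply one before parsing."""
    if "://" not in text:
        text = "https://" + text
    host = urlsplit(text).hostname
    return host.lower().rstrip(".") if host else None


def matched_target(text: str):
    """Return the target host the visited page belongs to, or None.
    Matching walks the parent domains of the real host, so
    login.banco-exemplo.com.br matches, while
    banco-exemplo.com.br.attacker.test and a query string that merely
    contains the bank name do not."""
    host = address_bar_host(text)
    if not host:
        return None
    labels = host.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in TARGET_HOSTS:
            return candidate
    return None


def naive_match(text: str):
    """Substring check, shown only for contrast: it fires on lookalike hosts
    and on URLs that mention the bank in a path or query."""
    return next((t for t in TARGET_HOSTS if t in text.lower()), None)


# Constructed address-bar contents.
SAMPLE_URLS = [
    "https://login.banco-exemplo.com.br/ib/home",           # match
    "banco-exemplo.com.br",                                  # match, no scheme
    "https://banco-exemplo.com.br.attacker.test/login",      # lookalike: no match
    "https://news.example/?ref=banco-exemplo.com.br",        # mention only: no match
    "https://exchange-exemplo.com:8443/trade",               # match, with port
]

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        print(f"{url!r}: host-match={matched_target(url)} naive={naive_match(url)}")
```

The same host normalisation is what a detection team needs when reproducing the trigger in a sandbox: the overlay and WebSocket session only appear once the foreground address bar resolves to a listed host, so a test page must be served under a matching hostname rather than a URL that merely contains it.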
For credential theft, TCLBANKER uses a Windows Presentation Foundation (WPF)-based full-screen overlay framework. The overlays support real-time social engineering: fake credential prompts, vishing wait screens, bogus progress bars and counterfeit Windows Update screens, and they are hidden from screen capture tools, so a screenshot taken during the attack does not show what the victim actually sees.
The Worm Spreads: WhatsApp and Outlook Exploited for Mass Propagation
In parallel with the banking module, the loader activates a worm module that spreads via spam and phishing messages over two channels:
- WhatsApp Web worm: hijacks an authenticated WhatsApp Web browser session. Like its predecessor SORVEPOTEL, it retrieves message templates from the C2 server and uses the open-source WPPConnect project to automate sending to the victim's contacts. It filters out groups, broadcast lists and non-Brazilian phone numbers, which keeps the spread inside the targeted region and avoids the noisy mass posts that would draw attention.
- Outlook email bot: abuses the victim's installed Microsoft Outlook client to send phishing emails from the victim's own mailbox. Because the messages originate from a legitimate account and pass the sender's normal email authentication, they are more likely to clear spam filtering and to be opened by recipients who know the sender.
The Broader Implications: A Maturing Threat Landscape
Elastic's analysis concludes that TCLBANKER reflects a “broader maturation happening across the Brazilian banking trojan ecosystem.” Techniques that were once hallmarks of well-resourced actors, such as environment-gated payload decryption, direct syscall generation and real-time social engineering orchestrated over WebSocket, are now appearing in commodity crimeware. Defenders should plan for usermode hooks and ETW to be disabled by commodity malware, lean on telemetry the malware cannot reach from usermode (kernel callbacks, network data), and detonate samples in locale-aware sandboxes when a family is known to gate on language.