TCLBANKER: Sophisticated Brazilian Banking Trojan Spreads Like a Worm to Target 59 Financial Platforms

New TCLBANKER Trojan Spreads via WhatsApp and Outlook, Targeting 59 Brazilian Financial Apps

Severity: HIGH
June 7, 2026
Categories: Malware, Threat Actor, Phishing

Related Entities

Threat Actors: Water Saci (associated with the predecessor Maverick family; see Executive Summary)
Organizations: Logitech, Elastic Security Labs
Products & Tech: WhatsApp, Microsoft Outlook
Other: TCLBANKER, Maverick, SORVEPOTEL

Full Report

Executive Summary

Security researchers have identified a new and highly sophisticated Brazilian banking trojan named TCLBANKER. Tracked as REF3076 by Elastic Security Labs, the malware is an evolution of the 'Maverick' malware family, previously associated with the threat actor Water Saci. TCLBANKER targets an extensive list of 59 financial, fintech, and cryptocurrency platforms primarily in Brazil. Its attack chain is notable for its use of DLL side-loading against a legitimate Logitech application, robust anti-analysis and anti-VM capabilities, and a worm-like propagation mechanism that hijacks a victim's WhatsApp and Microsoft Outlook applications to spread to new targets. The malware's final payload only activates on systems set to Brazilian Portuguese, indicating a highly targeted campaign.


Threat Overview

TCLBANKER represents a significant threat to the Brazilian financial sector due to its sophistication and propagation method. The attack begins with a user downloading a ZIP file containing a malicious MSI installer. This installer bundles a legitimate, signed program, 'Logi AI Prompt Builder,' which is vulnerable to DLL side-loading.

The propagation mechanism is what makes TCLBANKER particularly dangerous. A worm component, an evolution of the SORVEPOTEL worm, spreads through trusted communication channels: by hijacking the victim's active WhatsApp Web session and Outlook desktop client, it sends phishing messages carrying the malicious installer to the victim's contact list, reportedly up to 3,000 contacts per infection. WhatsApp traffic never transits an email security gateway, and a lure arriving from a known contact carries social trust, so this route raises the infection rate well above that of conventional spam.


Technical Analysis

The TCLBANKER attack chain is multi-staged and complex:

  1. Initial Access: The victim is lured into downloading and executing a malicious MSI installer from a ZIP file, delivered by email attachment (T1566.001) or over WhatsApp (T1566.003) from an already-infected contact.
  2. Defense Evasion (DLL Side-Loading): The MSI installer drops a legitimate, signed executable from Logitech (Logi AI Prompt Builder.exe) together with a malicious DLL in the same directory. When the executable starts, the Windows loader resolves the DLL name to the attacker's copy instead of the legitimate library (T1574.002). Because the host process carries a valid Logitech signature, signature-only allowlisting does not catch this step.
  3. Anti-Analysis: The malicious loader is packed with extensive anti-analysis features. A "watchdog subsystem" continuously scans for debuggers, sandboxes, analysis tools, and antivirus software (T1497, T1622). It also removes security software hooks from system libraries and disables Windows telemetry (T1562.001).
  4. Targeted Execution: Before deploying its final payload the malware verifies that it is running inside the expected host process and that the system language is Brazilian Portuguese (LANG_PORTUGUESE_BRAZILIAN, LANGID 0x0416) (T1614.001). Analysts detonating a sample should set the sandbox's Windows UI language to pt-BR, otherwise the payload stage never fires and the run looks benign.
  5. Payload Deployment: If all checks pass, two main components are deployed: the core banking trojan and the worm.
  6. Propagation (Worm): The worm component hijacks the victim's active WhatsApp Web session and Microsoft Outlook application, iterates through the contact list, and sends phishing messages containing the trojanized installer (T1534).
  7. Credential Access: The banking trojan component steals credentials and manipulates sessions for the 59 targeted financial applications.

MITRE ATT&CK Mapping

| Tactic | Technique ID | Technique Name | Description |
|---|---|---|---|
| Initial Access | T1566.001 | Phishing: Spearphishing Attachment | The malicious MSI installer arrives in a ZIP file, including as an email attachment sent from an infected contact's Outlook. |
| Initial Access | T1566.003 | Phishing: Spearphishing via Service | The same lure is delivered over WhatsApp from a hijacked contact's session. |
| Execution | T1204.002 | User Execution: Malicious File | The user must be tricked into running the malicious installer. |
| Persistence / Privilege Escalation / Defense Evasion | T1574.002 | Hijack Execution Flow: DLL Side-Loading | The malware abuses a legitimate, signed Logitech executable to load its malicious DLL. |
| Defense Evasion | T1497 | Virtualization/Sandbox Evasion | The loader's watchdog subsystem detects and evades sandboxes and analysis tools. |
| Defense Evasion | T1622 | Debugger Evasion | The malware actively scans for and avoids debuggers. |
| Defense Evasion | T1562.001 | Impair Defenses: Disable or Modify Tools | The loader removes security-product hooks from system libraries and disables Windows telemetry. |
| Discovery | T1614.001 | System Location Discovery: System Language Discovery | The payload only executes if the system language is Brazilian Portuguese. |
| Lateral Movement | T1534 | Internal Spearphishing | The worm component uses the victim's own WhatsApp and Outlook to send phishing messages to their contacts. |

Note that the language gate is a discovery technique, not a sandbox check (T1497.001 System Checks is reserved for the watchdog's environment probing), and that Phishing for Information (T1598) is a reconnaissance technique and does not describe malware delivery.

Impact Assessment

The potential impact of TCLBANKER on individuals and financial institutions in Brazil is substantial. For individuals, a successful infection can lead to direct financial loss through fraudulent transactions, theft of banking credentials, and compromise of cryptocurrency wallets. The worm's propagation method also carries a significant reputational risk for the victim, as their accounts are used to attack their own contacts.

For the 59 targeted financial institutions, this malware represents a major threat to their customers and their platform's integrity. The widespread nature of the attack could lead to a surge in fraud cases, increased operational costs for customer support and reimbursement, and a loss of customer trust in their digital banking platforms. The malware's ability to spam up to 3,000 contacts per infection means it can spread exponentially, quickly reaching a large portion of the user base.


IOCs — Directly from Articles

No specific file hashes, IP addresses, or domains were provided in the source articles.


Cyber Observables — Hunting Hints

Security teams may want to hunt for the following patterns to detect TCLBANKER activity:

| Type | Value | Description | Context |
|---|---|---|---|
| process_name | Logi AI Prompt Builder.exe | Flag this process running from a user-writable path (Downloads, %TEMP%, AppData) instead of its normal install directory, and any instance that loads an unsigned DLL from its own directory. | EDR, process auditing, Sysmon Event ID 7 (ImageLoad) |
| command_line_pattern | msiexec.exe | msiexec installing a package located under Downloads or a temp directory, particularly one that drops a Logitech-branded executable. | EDR, Windows Security Event ID 4688 with command-line auditing enabled, Application log events from source MsiInstaller (1033, 11707) |
| network_traffic_pattern | web.whatsapp.com | A process other than a browser or the WhatsApp desktop client opening connections to WhatsApp Web, especially shortly after reading Outlook or WhatsApp data files. | EDR, Sysmon Event ID 3 (NetworkConnect), network flow, proxy logs |
| log_source | Microsoft Outlook | Bursts of outbound messages with ZIP attachments or links from a single client, or scripted automation of the Outlook client. | Exchange/Microsoft 365 message trace, application logs, PowerShell Script Block Logging (Event ID 4104) |
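The first two hunting hints above, the side-loading host and the msiexec launch, can be turned into a small correlation over Sysmon-style telemetry. The following is an added example written for this page; it is not code from Elastic Security Labs or from the source article. The events are constructed to mimic Sysmon Event ID 7 (ImageLoad) and Event ID 1 (ProcessCreate) fields; the process name comes from the article, while every path, DLL name, PID and user name is an assumption.

```python
"""Hunting heuristics for the TCLBANKER delivery chain over Sysmon-style events.

Added example; not code from Elastic Security Labs or the source article.
SAMPLE_EVENTS are constructed: field names follow Sysmon's schema, the lure
process name comes from the article, all paths/PIDs/usernames are assumed.
"""
import ntpath
import re

LOGI_PROCESS = "Logi AI Prompt Builder.exe"     # signed side-loading host named in the article
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
USER_WRITABLE = ("\\downloads\\", "\\appdata\\local\\temp\\", "\\users\\public\\", "\\windows\\temp\\")
# First drive-letter path ending in .msi inside the command line (quotes are not crossed).
MSI_PATH_RE = re.compile(r'([A-Za-z]:\\[^"]+?\.msi)\b', re.IGNORECASE)

SAMPLE_EVENTS = [
    # Benign: properly installed Logitech app loading a signed OS DLL.
    {"EventID": 7, "ProcessId": 4100,
     "Image": r"C:\Program Files\Logitech\Logi AI Prompt Builder.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "SignatureStatus": "Valid", "Signature": "Microsoft Windows"},
    # Suspicious: the same signed binary, dropped into a user-writable directory,
    # loads an unsigned DLL sitting next to it (the DLL name here is assumed).
    {"EventID": 7, "ProcessId": 5220,
     "Image": r"C:\Users\ana\AppData\Local\Temp\LogiAI\Logi AI Prompt Builder.exe",
     "ImageLoaded": r"C:\Users\ana\AppData\Local\Temp\LogiAI\loader.dll",
     "Signed": "false", "SignatureStatus": "Unavailable", "Signature": ""},
    # Suspicious: msiexec launched by Explorer on a package in Downloads.
    {"EventID": 1, "ProcessId": 5100,
     "Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r'"C:\Windows\System32\msiexec.exe" /i "C:\Users\ana\Downloads\Comprovante\Instalador.msi"',
     "ParentImage": r"C:\Windows\explorer.exe"},
    # Benign: a managed deployment from ProgramData by the SCCM client.
    {"EventID": 1, "ProcessId": 5300,
     "Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r'msiexec.exe /i "C:\ProgramData\Deploy\Agent.msi" /qn',
     "ParentImage": r"C:\Windows\CCM\CcmExec.exe"},
]


def _in_user_writable(path):
    return any(marker in path.lower() for marker in USER_WRITABLE)


def sideloading_alerts(events):
    """Event ID 7: an unsigned DLL loaded from the loading process's own directory,
    where that directory lies outside the normal install roots."""
    alerts = []
    for e in events:
        if e.get("EventID") != 7:
            continue
        image, dll = e["Image"], e["ImageLoaded"]
        proc_dir, dll_dir = ntpath.dirname(image).lower(), ntpath.dirname(dll).lower()
        unsigned = e.get("Signed", "").lower() != "true" or e.get("SignatureStatus") != "Valid"
        if unsigned and proc_dir == dll_dir and not dll_dir.startswith(TRUSTED_ROOTS):
            alerts.append({
                "pid": e["ProcessId"],
                "process": ntpath.basename(image),
                "dll": dll,
                # The article's lure is a known side-loading host; rank those hits higher.
                "known_host": ntpath.basename(image).lower() == LOGI_PROCESS.lower(),
            })
    return alerts


def msi_alerts(events):
    """Event ID 1: msiexec installing a package that lives in a user-writable location."""
    alerts = []
    for e in events:
        if e.get("EventID") != 1 or ntpath.basename(e["Image"]).lower() != "msiexec.exe":
            continue
        m = MSI_PATH_RE.search(e.get("CommandLine", ""))
        if m and _in_user_writable(m.group(1)):
            alerts.append({"pid": e["ProcessId"], "package": m.group(1),
                           "parent": ntpath.basename(e.get("ParentImage", ""))})
    return alerts


if __name__ == "__main__":
    for alert in sideloading_alerts(SAMPLE_EVENTS) + msi_alerts(SAMPLE_EVENTS):
        print(alert)
```

The side-loading rule deliberately keys on the relationship between the host and the DLL (same directory, unsigned, outside Program Files/Windows) rather than on the Logitech name alone, so it also surfaces other signed hosts abused the same way; the known-host flag only raises the priority of the case this article describes.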

Detection & Response

Detection:

  1. Endpoint Detection and Response (EDR): Deploy EDR capable of detecting DLL side-loading. Alert when a legitimately signed process (such as Logi AI Prompt Builder.exe) loads an unsigned or untrusted DLL from its own directory, and when that process runs from a user-writable path rather than its install location.
  2. Behavioral Analysis: Monitor for processes other than Outlook, the WhatsApp client and browsers that read WhatsApp or Outlook data files and, within a short window, open network connections (in particular to web.whatsapp.com). This combination is a strong indicator of session hijacking.
  3. Script Logging: Enable PowerShell Script Block Logging (Event ID 4104) and module logging. If the worm component drives Outlook or WhatsApp through scripting, the activity will be visible in these logs.
  4. Language Check: A rule that flags a process querying the system language (T1614.001) and then performing sensitive actions is a useful heuristic for regionally targeted threats beyond this one malware family.

Response:

  1. Isolate: Disconnect the infected machine from the network immediately to stop the worm from spreading further.
  2. Terminate Sessions: From a clean device, log the victim out of all active web sessions. For WhatsApp, revoke every entry under Linked Devices; for Outlook, sign the mailbox out of all sessions and revoke refresh tokens so a stolen session cannot keep sending.
  3. Change Passwords: From a clean device, change passwords for all financial applications, email, and other sensitive accounts that were accessed from the compromised machine, since anything typed on it may have been captured.
  4. Warn Contacts: The worm has likely already sent the lure to the victim's contacts; tell them not to open the ZIP they received.
  5. Forensic Analysis: Analyze the machine to identify the initial infection vector and confirm that all components (installer, side-loaded DLL, banking trojan, worm) are removed.

Mitigation

Strategic Mitigation:

  • Execution Prevention (M1038): Use application control (for example WDAC or AppLocker) to block unauthorized applications and installers. A publisher-based allow rule for Logitech would still pass the signed host binary, so also restrict where executables and DLLs may run from; that blocks both the MSI from Downloads and the side-loaded DLL in a temp directory.
  • Attack Surface Reduction Rules: Enable the ASR rules "Block executable files from running unless they meet a prevalence, age, or trusted list criterion" and "Block executable content from email client and webmail"; the latter covers the Outlook delivery path. The rule "Block Office applications from creating child processes" does not address this chain, in which Outlook is hijacked to send mail rather than used to launch the malware.
  • User Training (M1017): Train users to be suspicious of unsolicited ZIP files and messages, even when they appear to come from a trusted contact, because this worm sends its lure from compromised contacts by design.

Tactical Mitigation:

  1. File Extension Visibility: Ensure Windows is configured to show file extensions, so users can distinguish an executable or installer from a document.
  2. Limit Local Admin Rights: Removing local administrator rights stops per-machine MSI installs, but a per-user MSI install into %LOCALAPPDATA% needs no elevation, and the side-loaded DLL runs entirely in the user's context. Treat this as a partial control and pair it with the application control and ASR rules above; also confirm the AlwaysInstallElevated policy is not enabled.
  3. Regularly Review Linked Devices: Periodically check the "Linked Devices" section in WhatsApp and the active sign-in sessions for the mailbox to ensure no unauthorized sessions are active.

Timeline of Events

June 7, 2026: This article was published.

MITRE ATT&CK Mitigations

  • Execution Prevention (M1038): Use application control solutions to block the execution of unauthorized MSI installers and executables.
  • User Training (M1017): Educate users to recognize and avoid downloading and running suspicious files, even from trusted contacts.
  • Antivirus/Antimalware (M1049): Keep endpoint security solutions updated to detect and block known components of the malware.

Article Author

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags

TCLBANKER, banking trojan, Brazil, Water Saci, DLL side-loading, WhatsApp, Outlook, malware
