Security researchers have identified a new Brazilian banking trojan called TCLBANKER, which can target 59 banking, fintech, and cryptocurrency platforms.
Elastic Security Labs is tracking this threat under the name REF3076. The malware is believed to be a significant upgrade of Maverick, a trojan that uses a worm named SORVEPOTEL to spread through WhatsApp Web to a victim’s contacts. Trend Micro links the Maverick campaign to a threat group they call Water Saci.
The attack begins with a loader that has strong anti-analysis features. This loader deploys two built-in modules: a fully-featured banking trojan and a worm that spreads through WhatsApp and Microsoft Outlook.
“The infection process starts with a malicious MSI installer hidden inside a ZIP file,” explained security researchers Jia Yu Chan, Daniel Stepanic, Seth Goodwin, and Terrance DeJesus. “These MSI packages exploit a signed Logitech application called Logi AI Prompt Builder.”
The malware uses DLL side-loading to run a malicious DLL file named “screen_retriever_plugin.dll.” This DLL acts as a loader with a “comprehensive watchdog subsystem” that constantly watches for analysis tools, sandboxes, debuggers, disassemblers, instrumentation tools, and antivirus programs to avoid being detected.
The malicious DLL will only run if it is loaded by either “logiaipromptbuilder.exe” (the Logitech program) or “tclloader.exe” (likely a test executable). It also removes any user-mode hooks that endpoint security software has placed in “ntdll.dll” by replacing the hooked library, and disables Event Tracing for Windows (ETW) telemetry.
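The side-loading step above gives defenders a concrete pairing to hunt for: a vendor-signed host executable loading a DLL of a fixed name from a location the vendor would never install to. The following triage logic is an added example, not detection content from Elastic's report. It runs over constructed records shaped like Sysmon Event ID 7 (ImageLoad) fields; the sample paths, the signer string, and the assumption that a genuine install lives under Program Files and ships a Logitech-signed plugin are all assumptions made for the example.

```python
"""Triage logic for the DLL side-loading step described above.

Added illustration, not Elastic's detection logic. Event records mimic Sysmon
Event ID 7 (ImageLoad) fields; the sample paths, signer strings and the
"normal install lives under Program Files" rule are constructed assumptions.
"""
from dataclasses import dataclass

# From the report: the malicious DLL only runs under these two host processes.
LOADER_PROCESSES = {"logiaipromptbuilder.exe", "tclloader.exe"}
SIDELOADED_DLL = "screen_retriever_plugin.dll"
EXPECTED_SIGNER = "logitech"  # assumption: the genuine plugin is Logitech-signed
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\")  # assumption


@dataclass
class ImageLoad:
    image: str          # full path of the process that loaded the DLL
    image_loaded: str   # full path of the DLL
    signed: bool        # Sysmon "Signed" field
    signature: str      # Sysmon "Signature" (signer subject), "" if unsigned


def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_suspicious(ev: ImageLoad) -> bool:
    """True when the side-load pair appears and either the DLL is not signed by
    the expected vendor or the host EXE runs outside the trusted install roots."""
    if basename(ev.image_loaded) != SIDELOADED_DLL:
        return False
    if basename(ev.image) not in LOADER_PROCESSES:
        return False
    host_in_trusted_dir = ev.image.lower().startswith(TRUSTED_ROOTS)
    vendor_signed = ev.signed and EXPECTED_SIGNER in ev.signature.lower()
    return not (host_in_trusted_dir and vendor_signed)


def triage(events):
    return [e for e in events if is_suspicious(e)]


# Constructed sample events.
SAMPLE_EVENTS = [
    # Genuine install: vendor-signed plugin loaded from Program Files.
    ImageLoad(r"C:\Program Files\Logitech\LogiAIPromptBuilder\logiaipromptbuilder.exe",
              r"C:\Program Files\Logitech\LogiAIPromptBuilder\screen_retriever_plugin.dll",
              True, "Logitech Inc"),
    # Side-load: signed EXE dropped next to an unsigned DLL in the user's temp dir.
    ImageLoad(r"C:\Users\victim\AppData\Local\Temp\logiaipromptbuilder.exe",
              r"C:\Users\victim\AppData\Local\Temp\screen_retriever_plugin.dll",
              False, ""),
    # Same DLL name loaded by an unrelated process: not this side-load pattern.
    ImageLoad(r"C:\Windows\System32\notepad.exe",
              r"C:\Users\victim\Downloads\screen_retriever_plugin.dll",
              False, ""),
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print("SUSPICIOUS:", hit.image, "->", hit.image_loaded)
```

Keying on the host/DLL pair rather than on the DLL hash matters here because the loader checks its parent process name, so the signed Logitech binary will always be present in the chain even if the DLL itself is repacked.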
Additionally, the loader computes three fingerprints: one from anti-debugging and anti-virtualization checks, one from system disk information, and one from language settings. These are combined into an environment hash from which the payload decryption key is derived, so the embedded payload can only be decrypted on a host that matches the expected profile. The language check confirms the user’s default language is Brazilian Portuguese.
“For instance, if a debugger is detected, it will generate an incorrect hash. When the malware tries to derive decryption keys from this hash, the payload will fail to decrypt properly, and TCLBANKER will halt execution,” Elastic noted.
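The mechanism Elastic describes, as an added example that is not TCLBANKER's actual key schedule: three check outcomes are hashed into an environment hash, keys are derived from that hash, and a payload sealed for the intended environment simply fails to open anywhere else. The fingerprint inputs, the hashing steps, the stdlib-only stream cipher and the HMAC tag are assumptions chosen so the example runs without dependencies; "pt-BR" stands in for whatever locale identifier the loader compares against.

```python
"""Environment-gated payload decryption, as described above.

Added illustration of the mechanism, not TCLBANKER's actual key schedule: the
fingerprint inputs, the hashing/KDF steps and the stdlib-only stream cipher
with an HMAC tag are all assumptions chosen so the example runs anywhere.
"""
import hashlib
import hmac

TAG_LEN = 32


def environment_hash(debugger: bool, virtualized: bool,
                     disk_looks_physical: bool, ui_language: str) -> bytes:
    """Three fingerprints (anti-analysis, disk, language) folded into one hash.
    Every input is a check outcome rather than a per-machine value, so the
    builder can precompute the hash for the whole intended victim class."""
    f_analysis = hashlib.sha256(f"dbg={int(debugger)};vm={int(virtualized)}".encode()).digest()
    f_disk = hashlib.sha256(f"physical={int(disk_looks_physical)}".encode()).digest()
    f_lang = hashlib.sha256(ui_language.lower().encode()).digest()
    return hashlib.sha256(f_analysis + f_disk + f_lang).digest()


def derive_keys(env_hash: bytes):
    enc_key = hashlib.sha256(b"enc|" + env_hash).digest()
    mac_key = hashlib.sha256(b"mac|" + env_hash).digest()
    return enc_key, mac_key


def keystream(key: bytes, length: int) -> bytes:
    # Counter-mode keystream from SHA-256 (assumed cipher, fine for illustration).
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def seal_payload(plaintext: bytes, env_hash: bytes) -> bytes:
    """Builder side: encrypt under the expected environment's key, append a tag."""
    enc_key, mac_key = derive_keys(env_hash)
    ct = bytes(p ^ k for p, k in zip(plaintext, keystream(enc_key, len(plaintext))))
    return ct + hmac.new(mac_key, ct, hashlib.sha256).digest()


def open_payload(blob: bytes, env_hash: bytes):
    """Loader side: returns the payload, or None when the environment differs
    (the tag check fails, so the loader halts instead of running garbage)."""
    enc_key, mac_key = derive_keys(env_hash)
    ct, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(hmac.new(mac_key, ct, hashlib.sha256).digest(), tag):
        return None
    return bytes(c ^ k for c, k in zip(ct, keystream(enc_key, len(ct))))


# Profile the builder seals for: clean, physical, Brazilian-Portuguese host.
TARGET_ENV = environment_hash(False, False, True, "pt-BR")
PAYLOAD = b"<constructed stand-in for the embedded banker module>"
BLOB = seal_payload(PAYLOAD, TARGET_ENV)


def attempt(debugger: bool, virtualized: bool, disk_looks_physical: bool, ui_language: str):
    """What the loader gets on a host with the given check outcomes."""
    return open_payload(BLOB, environment_hash(debugger, virtualized, disk_looks_physical, ui_language))


if __name__ == "__main__":
    print("victim host:       ", attempt(False, False, True, "pt-BR"))
    print("debugger attached: ", attempt(True, False, True, "pt-BR"))
    print("English sandbox VM:", attempt(False, True, False, "en-US"))
```

The practical consequence for analysts is that the key never appears in the sample, only the checks that produce it. Detonation therefore needs a sandbox that passes every check (Brazilian-Portuguese locale, no debugger, no virtualization artifacts, a disk that looks physical), or the fingerprint routine has to be patched or emulated so that its output matches the value the builder used.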
Once these checks pass, the main banking trojan component launches. It first verifies that the system locale is Brazilian, then sets up persistence through a scheduled task. After that, it sends an HTTP POST request with basic system details to an external server.
TCLBANKER also includes a self-update feature and a URL monitor that reads the current URL from the active browser’s address bar using UI Automation. This targets popular browsers including Google Chrome, Mozilla Firefox, Microsoft Edge, Brave, Opera, and Vivaldi.
The captured URL is compared against a built-in list of targeted financial institutions. If a match is found, it opens a WebSocket connection to a remote server and enters a command loop, allowing the attacker to carry out various actions:
- Execute shell commands
- Take screenshots
- Start or stop screen streaming
- Control the clipboard
- Activate a keylogger
- Remotely control the mouse and keyboard
- Manage files and processes
- List running processes
- Enumerate visible windows
- Display fake credential-stealing overlays
For stealing data, TCLBANKER uses a Windows Presentation Foundation (WPF)-based full-screen overlay framework to run social engineering attacks. These include credential harvesting prompts, vishing wait screens, fake progress bars, and bogus Windows Update screens, all while hiding overlays from screen capture tools.
At the same time, the loader activates the worm module to spread the trojan through mass spam and phishing messages. It uses a dual approach: a WhatsApp Web worm that takes over authenticated browser sessions and an Outlook email bot that misuses Microsoft Outlook to send fake emails to the victim’s contacts.
Similar to SORVEPOTEL, the WhatsApp worm fetches a message template from the server and uses the open-source WPPConnect project to automatically send messages to other users, while filtering out groups, broadcasts, and non-Brazilian numbers.
The Outlook agent functions as an email spambot that abuses the victim’s installed Microsoft Outlook to send phishing emails from the victim’s own address. This helps bypass spam filters and makes the messages appear more trustworthy to recipients who already know the sender.
“TCLBANKER shows how the Brazilian banking trojan ecosystem is maturing,” Elastic concluded. “Techniques once used only by advanced threat actors—such as environment-gated payload decryption, direct syscall generation, and real-time social engineering over WebSocket—are now being bundled into widely available crimeware.”
“By hijacking victims’ WhatsApp sessions and Outlook accounts, the campaign gains the trust and deliverability of legitimate communications. Traditional email gateways and reputation-based defenses are poorly suited to detect this distribution method.”