New TCLBanker malware self-spreads over WhatsApp and Outlook
Source: Bleeping Computer
Overview
A new trojan named TCLBanker, which targets 59 banking, fintech, and cryptocurrency platforms, uses a trojanized MSI installer for Logitech AI Prompt Builder to infect systems. The malware also includes self‑spreading worm modules for WhatsApp and Outlook that automatically infect new victims.
The new banking trojan was discovered by Elastic Security Labs, whose researchers believe it’s a major evolution of the older Maverick/Sorvepotel malware family. While TCLBanker currently appears focused in Brazil—checking timezone, keyboard layout, and locale—LATAM malware has, in the past, been updated to broaden its targeting scope, so the risk of the threat expanding is real.
TCLBanker capabilities
Elastic warns that TCLBanker is extremely well protected against analysis and debugging, featuring environment‑dependent payload decryption routines that fail in sandboxes or analyst environments. It also runs a persistent watchdog thread that continuously hunts for analysis tools like x64dbg, IDA, dnSpy, Frida, ProcessHacker, Ghidra, de4dot, and others.
Monitoring for targeted processes – Source: Elastic
The malware is loaded within the context of the legitimate Logitech application via DLL side‑loading, so it won’t trigger any alarms from security products protecting the infected host. The loader is feature‑rich but not truly advanced; code artifacts suggest AI may have been used in its development.
The banking module monitors the browser address bar every second using Windows UI Automation APIs, watching for when the victim opens a website of one of its 59 targeted platforms. When that happens, it establishes a WebSocket session with the command‑and‑control (C2) server, sends victim and system information, and starts remote control operations.
Capabilities available to operators
- Live screen streaming
- Screenshot capturing
- Keylogging
- Clipboard hijacking
- Shell command execution
- Window management
- File system access
- Process enumeration
- Remote mouse/keyboard control
During active sessions, the Task Manager process is killed to prevent disruptions and hide the malicious activity from the victim.
To support data theft, TCLBanker uses a WPF‑based overlay system that can push fake credential prompts, PIN keypads, phone‑number collection forms, fake “bank support” waiting screens, fake Windows Update screens, and various fake progress screens. “Cutout” overlays stay on top, allowing only selected portions of real applications to be shown while masking other parts.
Generating a fake Windows update overlay – Source: Elastic
WhatsApp and Outlook worms
An interesting aspect of TCLBanker is its ability to propagate autonomously to contacts linked to the primary victim.
The malware searches Chromium browser profiles for authenticated WhatsApp Web IndexedDB data and launches a hidden Chromium instance that hijacks the victim’s account.
Hijacking WhatsApp accounts – Source: Elastic
It then harvests contacts, filters for Brazilian numbers, and sends spam messages from the victim’s account, leading recipients to TCLBanker distribution platforms.
Another worm module abuses Microsoft Outlook through COM automation, launching the app, harvesting contacts and sender addresses, and sending phishing emails through the victim’s email account.
Harvesting Outlook contacts – Source: Elastic
Elastic concludes that TCLBanker is a characteristic example of the evolution of LATAM malware, offering lower‑tier cybercriminals features that were once only available in highly sophisticated tools.