Threat hunters have identified a previously undocumented Brazilian banking Trojan that has been dubbed TCLBANKER. It is capable of targeting 59 banking, fintech, and cryptocurrency platforms.
The activity is being tracked by Elastic Security Labs under the alias REF3076. The malware family is believed to be a major update of Maverick, which is known to leverage a worm called SORVEPOTEL to spread through WhatsApp Web to a victim’s contacts. The Maverick campaign is attributed to a threat group that Trend Micro calls Water Sassy.
At the core of the attack chain is a loader with strong anti-analysis capabilities that deploys two embedded modules: a full-featured banking Trojan and a worm component that uses WhatsApp and Microsoft Outlook to spread.
“The observed infection chain bundles a malicious MSI installer inside a zip file,” said security researchers Jia Yu Chan, Daniel Stepanic, Seth Goodwin and Terrence DeJesus. “These MSI installer packages are abusing a signed Logitech program called Logi AI Prompt Builder.”
The malware takes advantage of DLL side-loading against the application to launch a malicious DLL (“screen_retriever_plugin.dll”), which acts as a loader with an “extensive watchdog subsystem” that continuously monitors for analysis tools, sandboxes, debuggers, disassemblers, instrumentation tools, and antivirus software in order to detect their presence.
Specifically, the malicious DLL only executes if it has been loaded by “logiapromptbuilder.exe” (the Logitech program) or “tclloader.exe” (likely a reference to the executable used during testing). The loader also removes any user-mode hooks that endpoint protection software has placed in “ntdll.dll” by replacing the library, and disables Event Tracing for Windows (ETW) telemetry.
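The side-loading described above leaves a simple hunting signal: the named plugin DLL being loaded by its expected host (or by the test-harness name) from somewhere other than the application’s install directory, or without a valid signature. The following is an added example, not code from the Elastic report; it runs a triage rule over constructed Sysmon-style image-load records, and the Logitech install path and the Sysmon field names it relies on are assumptions.

```python
import ntpath

# Constructed Sysmon-style image-load (Event ID 7) records for illustration only.
# Paths and the "Signed" values are assumed, not taken from the report.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Logitech\LogiAIPromptBuilder\logiapromptbuilder.exe",
     "ImageLoaded": r"C:\Program Files\Logitech\LogiAIPromptBuilder\screen_retriever_plugin.dll",
     "Signed": "true"},
    {"Image": r"C:\Users\victim\AppData\Local\Temp\LogiPrompt\logiapromptbuilder.exe",
     "ImageLoaded": r"C:\Users\victim\AppData\Local\Temp\LogiPrompt\screen_retriever_plugin.dll",
     "Signed": "false"},
    {"Image": r"C:\Users\victim\Downloads\tclloader.exe",
     "ImageLoaded": r"C:\Users\victim\Downloads\screen_retriever_plugin.dll",
     "Signed": "false"},
    {"Image": r"C:\Windows\explorer.exe",
     "ImageLoaded": r"C:\Windows\System32\shell32.dll",
     "Signed": "true"},
]

SIDELOADED_DLL = "screen_retriever_plugin.dll"          # DLL name from the report
HOST_PROCESSES = {"logiapromptbuilder.exe", "tclloader.exe"}  # hosts the DLL checks for
TRUSTED_ROOT = "c:\\program files\\"                    # assumed legitimate install root
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\")


def classify(event):
    """Return None if the event is out of scope, else a list of suspicion reasons.

    An empty list means the named DLL was loaded in the expected, benign way.
    """
    dll = ntpath.basename(event["ImageLoaded"]).lower()
    host = ntpath.basename(event["Image"]).lower()
    dll_dir = ntpath.dirname(event["ImageLoaded"]).lower() + "\\"
    if dll != SIDELOADED_DLL and host not in HOST_PROCESSES:
        return None
    reasons = []
    if host == "tclloader.exe":
        reasons.append("host process name matches the loader's test harness")
    if event.get("Signed", "false").lower() != "true":
        reasons.append("DLL is unsigned")
    if any(m in dll_dir for m in USER_WRITABLE) or not dll_dir.startswith(TRUSTED_ROOT):
        reasons.append("DLL loaded from outside the assumed install root")
    return reasons


def hunt(events):
    """Collect (host image, loaded DLL, reasons) for every suspicious load."""
    hits = []
    for event in events:
        reasons = classify(event)
        if reasons:
            hits.append((event["Image"], event["ImageLoaded"], reasons))
    return hits
```

The rule deliberately treats a signed load of the plugin from under the install root as benign, so only the relocated or renamed copies surface.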
Additionally, the malware generates three fingerprints based on anti-debugging and anti-virtualization checks, system disk information checks, and language checks, using them to create an environment hash value that is used to decrypt the embedded payload. The system language check ensures that the user’s default language is Brazilian Portuguese.
“For example, if a debugger is present, it will generate an incorrect hash, so when the malware attempts to derive the decryption key from the hash, the payload will not decrypt correctly, and TCLBANKER will stop executing,” Elastic explained.
The main component launched after these checks is the banking Trojan, which once again verifies that it is running on a Brazilian system and then establishes persistence using a scheduled task. Next, it signals an external server with an HTTP POST request containing basic system information.
TCLBANKER also includes a self-updating mechanism and a URL monitor that extracts the current URL from the address bar of the foreground browser using UI automation. The move targets popular browsers like Google Chrome, Mozilla Firefox, Microsoft Edge, Brave, Opera, and Vivaldi.
The extracted URLs are matched against a hard-coded list of targeted financial institutions. If there is a match, it establishes a WebSocket connection to a remote server and enters the command dispatch loop, enabling the operator to perform a wide range of tasks:
- Run shell commands
- Capture screenshots
- Start/stop screen streaming
- Manipulate the clipboard
- Launch a keylogger
- Control the mouse and keyboard remotely
- Manage files and processes
- Count running processes
- List visible windows
- Serve fake credential-stealing overlays
To steal data, TCLBANKER relies on a Windows Presentation Foundation (WPF)-based full-screen overlay framework to perform social engineering using credential harvesting prompts, wait screens, fake progress bars, and fake Windows updates, while hiding the overlay from screen capture tools.
In tandem, the loader invokes the worm module to propagate the Trojan through mass spam and phishing messages. It takes a two-pronged approach that includes a WhatsApp Web worm that hijacks authenticated browser sessions and an Outlook email bot that abuses Microsoft Outlook to send fake emails to victims’ contacts.
As in the case of SORVEPOTEL, the WhatsApp worm retrieves a messaging template from the server and takes advantage of the open-source project WPPConnect to automate sending messages to other users while filtering groups, broadcasts and non-Brazilian numbers.
Outlook Agent, on the other hand, is an email spambot that abuses the victim’s installed Microsoft Outlook application to send phishing emails from the victim’s email address, thereby bypassing spam filters and giving the illusion of trust to the messages.
Elastic concluded, “TCLBANKER reflects the broader maturity taking place in the Brazilian banking trojan ecosystem. Techniques that were once the hallmark of more sophisticated threat actors (environment-gated payload decryption, direct syscall generation, real-time social engineering orchestration over WebSockets) are now being packaged into commodity crimeware.”
“The campaign inherited the trust and delivery of legitimate communications by hijacking victims’ WhatsApp sessions and Outlook accounts. This is a delivery model that traditional email gateways and reputation-based security are ill-equipped to catch.”