
Threat hunters flagged a previously undocumented Brazilian banking Trojan called TCLBANKER. This Trojan can target 59 banking, fintech, and cryptocurrency platforms.
This activity is tracked by Elastic Security Labs under the name REF3076. The malware family is assessed to be a major update to Maverick and is known to use a worm called SORVEPOTEL to spread to victims’ contacts via WhatsApp Web. The Maverick campaign is attributed to a threat cluster that Trend Micro calls Water Saci.
At the core of the attack chain is a loader with extensive anti-analysis capabilities that deploys two embedded modules: a full-featured banking Trojan and a worm component that uses WhatsApp and Microsoft Outlook for propagation.
“The observed infection chain bundles a malicious MSI installer within a ZIP file,” said security researchers Jia Yu Chan, Daniel Stepanic, Seth Goodwin, and Terrance DeJesus. “These MSI installer packages exploit a signed Logitech program called Logi AI Prompt Builder.”
The malware uses DLL sideloading against the legitimate application to launch a malicious DLL (‘screen_retriever_plugin.dll’). This DLL acts as a loader with a “comprehensive watchdog subsystem” that continuously monitors for analysis tools, sandboxes, debuggers, disassemblers, instrumentation tools, and antivirus software in order to evade detection.
Specifically, the malicious DLL will only run when loaded by “logiaipromptbuilder.exe” (the Logitech program) or “tclloader.exe” (presumably a reference to the executable used during testing). By replacing the loaded library, it also removes any user-mode hooks placed in “ntdll.dll” by endpoint security software and disables Event Tracing for Windows (ETW) telemetry.
Additionally, the malware generates three fingerprints, derived from anti-debugging and anti-virtualization checks, a system disk information check, and a language check, and combines them into an environment hash value that is used to decrypt the embedded payload. The system language check verifies that the user’s default language is Brazilian Portuguese.
“For example, the presence of a debugger will generate an incorrect hash, so when malware attempts to derive a decryption key from the hash, the payload will not be decrypted correctly and TCLBANKER will stop executing,” Elastic explained.
The main component launched after these checks is the banking Trojan, which again checks that it is running on a Brazilian system and then establishes persistence using a scheduled task. It then beacons to an external server with an HTTP POST request containing basic system information.
TCLBANKER also includes a self-updating mechanism and a URL monitor that uses UI Automation to extract the current URL from the foreground browser’s address bar. This works with popular browsers such as Google Chrome, Mozilla Firefox, Microsoft Edge, Brave, Opera, and Vivaldi.
The extracted URL is matched against a hard-coded list of targeted financial institutions. If there is a match, a WebSocket connection to the remote server is established and a command dispatch loop is entered, allowing the operator to perform a wide range of tasks:
- Execute shell commands
- Capture screenshots
- Start/stop screen streaming
- Manipulate the clipboard
- Launch a keylogger
- Remotely control the mouse and keyboard
- Manage files and processes
- Enumerate running processes
- List visible windows
- Display fake overlays to steal credentials
To carry out data theft, TCLBANKER leverages a full-screen overlay framework based on Windows Presentation Foundation (WPF) to perform social engineering using credential capture prompts, idle screens, fake progress bars, and fake Windows Update screens, while hiding the overlay from screen capture tools.
In parallel, the loader invokes a worm module to propagate the Trojan at scale through spam and phishing messages. The attack employs two approaches: a WhatsApp Web worm that hijacks authenticated browser sessions, and an Outlook email bot that abuses Microsoft Outlook to send phishing emails to the victim’s contacts.
As with SORVEPOTEL, the WhatsApp worm retrieves messaging templates from remote servers and leverages the open source project WPPConnect to automate sending messages to other users, while filtering out groups, broadcasts, and non-Brazilian numbers.
The Outlook agent, on the other hand, is an email spambot that abuses the victim’s installed Microsoft Outlook application to send phishing emails from the victim’s own email address, bypassing spam filters and lending credibility to the message.
“TCLBANKER reflects the broader maturation occurring across the Brazilian banking Trojan ecosystem,” Elastic concluded. “Techniques that were once hallmarks of more advanced threat actors, such as environment-gated payload decryption, direct system call generation, and real-time social engineering orchestration over WebSockets, are now packaged into general-purpose crimeware.”
“This campaign takes over the authenticity and deliverability of legitimate communications by hijacking victims’ WhatsApp sessions and Outlook accounts, a distribution model that cannot be captured by traditional email gateways or reputation-based defenses.”
