TCLBANKER targets 59 banks, crypto firms via WhatsApp, Outlook
Elastic researchers flagged TCLBANKER, a Brazilian banking trojan that targets 59 banks, fintech and crypto platforms and spreads via WhatsApp Web and Outlook using DLL sideloading.
Security researchers at Elastic Security Labs identified a previously undocumented Brazilian banking trojan called TCLBANKER that targets 59 banking, fintech and cryptocurrency platforms and spreads through WhatsApp Web and Microsoft Outlook. Elastic is tracking the activity as REF3076 and assesses the malware as a major update to the Maverick family. The campaign is linked to a threat cluster known as Water Saci.
The infection starts with a ZIP file containing a malicious MSI installer. The MSI abuses a signed Logitech application called Logi AI Prompt Builder to achieve DLL sideloading. Researchers Jia Yu Chan, Daniel Stepanic, Seth Goodwin and Terrance DeJesus described a sideloaded DLL named screen_retriever_plugin.dll that acts as a loader and includes a persistent watchdog that looks for analysis tools and endpoint instrumentation.
The loader runs only when it is loaded by the legitimate logiaipromptbuilder.exe or by tclloader.exe, which appears to be a test executable. It removes user-mode hooks that security products place in ntdll.dll and disables Event Tracing for Windows (ETW) telemetry. Before decrypting its embedded payload, the malware computes an environment hash from three fingerprints: the outcome of its anti-debug and anti-virtualization checks, system disk information, and the system language, which must be Brazilian Portuguese. If any check fails, the payload is not decrypted and the malware stops.
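How environment-gated decryption of the kind described above works, shown as an added example (this is not code from Elastic's report or from the malware): the three fingerprints are normalized and hashed, a key is derived from the digest, and the embedded payload only opens under the key the packer computed on a machine that passes every check. The fingerprint encoding, the VM disk-vendor markers, the host-process check and the HMAC-based cipher are this example's own assumptions; the report does not give the sample's actual key derivation or cipher, and the constructed payload and disk strings stand in for real values.

```python
import hashlib
import hmac
from typing import Optional

# Host processes the report says the loader accepts.
ALLOWED_HOSTS = {"logiaipromptbuilder.exe", "tclloader.exe"}
# Disk model substrings treated as "virtual" (assumption for this example).
VM_DISK_MARKERS = ("vbox", "vmware", "qemu", "virtual")


def disk_class(disk_model: str) -> str:
    """Normalize the disk fingerprint to a class, so the digest encodes a trait
    of the environment rather than a per-machine secret the packer could not know."""
    model = disk_model.lower()
    return "virtual" if any(m in model for m in VM_DISK_MARKERS) else "physical"


def environment_hash(analysis_clean: bool, disk_model: str, language: str) -> bytes:
    """Fold the three fingerprints into one digest. The packer computed the same
    digest for the environment it wanted; any other environment yields a different
    digest and therefore a different key."""
    material = b"|".join([
        b"clean" if analysis_clean else b"instrumented",
        disk_class(disk_model).encode("utf-8"),
        language.lower().encode("utf-8"),
    ])
    return hashlib.sha256(material).digest()


def _keystream(key: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, standing in for whatever cipher the sample uses."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _subkeys(env_key: bytes):
    return (hashlib.sha256(b"enc" + env_key).digest(),
            hashlib.sha256(b"mac" + env_key).digest())


def seal_payload(env_key: bytes, plaintext: bytes) -> bytes:
    """Packer side: encrypt under the environment key and prepend an integrity tag."""
    enc_key, mac_key = _subkeys(env_key)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, len(plaintext))))
    tag = hmac.new(mac_key, ciphertext, hashlib.sha256).digest()
    return tag + ciphertext


def open_payload(env_key: bytes, blob: bytes) -> Optional[bytes]:
    """Loader side: the tag check fails on any key mismatch, so a wrong environment
    yields None instead of garbage the loader might try to execute."""
    enc_key, mac_key = _subkeys(env_key)
    tag, ciphertext = blob[:32], blob[32:]
    expected = hmac.new(mac_key, ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, len(ciphertext))))


# Constructed stand-ins for what the packer expects on a target machine.
TARGET_LANGUAGE = "pt-BR"  # Brazilian Portuguese, the language check the report describes
PAYLOAD = b"<stage-2 trojan bytes, constructed placeholder>"
SAMPLE_BLOB = seal_payload(environment_hash(True, "physical disk", TARGET_LANGUAGE), PAYLOAD)


def run_loader(host_process: str, analysis_clean: bool, disk_model: str,
               language: str, blob: bytes = SAMPLE_BLOB) -> Optional[bytes]:
    """Mirror the gating order the report describes: refuse the wrong host process,
    then derive the key from the environment and try to open the payload."""
    if host_process.lower() not in ALLOWED_HOSTS:
        return None
    return open_payload(environment_hash(analysis_clean, disk_model, language), blob)


if __name__ == "__main__":
    print(run_loader("logiaipromptbuilder.exe", True, "Samsung SSD 870 EVO", "pt-BR") == PAYLOAD)
    print(run_loader("logiaipromptbuilder.exe", True, "Samsung SSD 870 EVO", "en-US"))
```

In this design the key comes from the environment rather than from a branch in the code, so patching the checks out in a debugger does not recover the payload: a sandbox has to present a clean, physical-looking, pt-BR environment, or an analyst has to replay the decryption with the right fingerprints. Whether the real sample derives its key this way or merely compares the hash and branches is not stated in the report, and that distinction decides which approach unpacks it.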
After decryption, the main trojan verifies the Brazilian system environment again, establishes persistence by creating a scheduled task, and sends an HTTP POST beacon with basic system information to a remote server. The malware includes a self-update mechanism and a URL-monitoring feature that uses UI Automation to read the address bar from foreground browsers including Chrome, Firefox, Edge, Brave, Opera and Vivaldi.
When the monitored URL matches a hard-coded list of targeted financial or crypto sites, TCLBANKER opens a WebSocket connection to a command-and-control server and enters a command loop. Operators can run shell commands, capture screenshots, start and stop screen streaming, manipulate the clipboard, deploy a keylogger, control the mouse and keyboard remotely, manage files and processes, and display full-screen overlays that mimic login prompts or system dialogs.
The trojan uses a Windows Presentation Foundation full-screen overlay framework to present credential prompts, vishing wait screens, fake progress bars and bogus Windows Update screens. The overlays are designed to avoid screen-capture defenses and to harvest credentials or trick users into sharing sensitive information.
The loader also activates a worming module that spreads the malware through two channels. A WhatsApp Web worm hijacks authenticated browser sessions and uses the open-source WPPConnect project to automatically send server-provided message templates to contacts while filtering out groups, broadcasts and non-Brazilian numbers. An Outlook agent abuses the victim’s installed Outlook application to send phishing emails from the victim’s address, increasing delivery and perceived trust while bypassing some spam filters.
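The recipient filter the WhatsApp worm applies, shown as an added example (not code from the report and not WPPConnect's own code). It assumes the JID format WPPConnect exposes in its public API: individual chats end in @c.us (or @s.whatsapp.net), groups in @g.us and broadcast lists in @broadcast. Brazilian numbers are taken as E.164 digits with country code 55, a two-digit area code and 8 or 9 subscriber digits. The contact list is constructed; no message template is reproduced.

```python
from typing import List, Optional

# JID servers that denote a one-to-one chat (assumption based on WPPConnect's API).
INDIVIDUAL_SERVERS = {"c.us", "s.whatsapp.net"}


def phone_from_jid(jid: str) -> Optional[str]:
    """Return the bare phone number for an individual chat, or None for anything
    the worm skips: groups (@g.us), broadcast lists (@broadcast), malformed ids."""
    user, sep, server = jid.partition("@")
    if not sep or server not in INDIVIDUAL_SERVERS or not user.isdigit():
        return None
    return user


def is_brazilian(number: str) -> bool:
    """E.164 digits: 55, two-digit area code, then 8 (landline) or 9 (mobile) digits."""
    return number.startswith("55") and len(number) in (12, 13)


def select_targets(contacts: List[str]) -> List[str]:
    """Keep only individual Brazilian contacts, in the order they were listed."""
    targets = []
    for jid in contacts:
        number = phone_from_jid(jid)
        if number is not None and is_brazilian(number):
            targets.append(jid)
    return targets


# Constructed contact list covering each case the filter has to handle.
SAMPLE_CONTACTS = [
    "5511987654321@c.us",              # Brazilian mobile: target
    "14155552671@c.us",                # US number: skipped
    "551133334444@c.us",               # Brazilian landline: target
    "5511987654321-1600000000@g.us",   # group: skipped
    "status@broadcast",                # broadcast: skipped
    "351912345678@c.us",               # Portugal, same language, wrong country: skipped
    "5511987654321@lid",               # unrecognised server: skipped
]

if __name__ == "__main__":
    print(select_targets(SAMPLE_CONTACTS))
```

For defenders the mirror image of this filter is the useful signal: a WhatsApp Web session that suddenly sends the same text to many individual +55 contacts in a short window, with no group traffic at all, is behaving like this worm rather than like its owner.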
Elastic wrote that “these MSI installer packages are abusing a signed Logitech program called Logi AI Prompt Builder” and that “TCLBANKER reflects a broader maturation happening across the Brazilian banking trojan ecosystem.” Researchers noted that the combination of environment-gated payload decryption, anti-analysis measures, real-time social-engineering control via WebSocket and the use of hijacked WhatsApp and Outlook accounts complicates detection for traditional email and reputation-based defenses.
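Where email and reputation filtering fall short, the sideload chain still leaves a distinctive trace on the endpoint. The following added example (not from Elastic or the report) runs a few hunting rules over constructed Sysmon-style events: a loader host named in the report loading screen_retriever_plugin.dll without a valid signature, the same hosts loading any unsigned DLL from their own directory, those hosts running from a user-writable path, and schtasks.exe spawned by them. Assumptions: field names follow Sysmon events 1 and 7; Logitech's genuine plugin is assumed to carry a valid signature (confirm against a clean install before relying on that); the user-writable path markers are a guess at where an MSI unpacked from a ZIP would land; and the schtasks.exe rule only catches task creation through that binary, so a sample that uses the Task Scheduler API instead needs task-creation auditing (Event 4698). All paths and command lines are constructed.

```python
import ntpath
from typing import Dict, List

# Process names the report says the loader insists on being hosted by.
LOADER_HOSTS = {"logiaipromptbuilder.exe", "tclloader.exe"}
SIDELOADED_DLL = "screen_retriever_plugin.dll"
# Directories a ZIP-delivered MSI is likely to unpack into (assumption).
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\programdata\\",
                         "\\downloads\\", "\\users\\public\\")


def _base(path: str) -> str:
    return ntpath.basename(path).lower()


def _dir(path: str) -> str:
    return ntpath.dirname(path).lower()


def evaluate(event: Dict[str, object]) -> List[str]:
    """Apply the hunting rules to one Sysmon-style event and return findings."""
    findings: List[str] = []
    event_id = event.get("EventID")

    if event_id == 7:  # image load
        host = _base(str(event["Image"]))
        if host not in LOADER_HOSTS:
            return findings
        dll = _base(str(event["ImageLoaded"]))
        same_dir = _dir(str(event["Image"])) == _dir(str(event["ImageLoaded"]))
        unsigned = str(event.get("Signed", "false")).lower() != "true"
        if dll == SIDELOADED_DLL and unsigned:
            findings.append(f"TCLBANKER loader: {host} loaded unsigned {dll}")
        elif same_dir and unsigned:
            findings.append(f"possible sideload: {host} loaded unsigned {dll} from its own directory")
        if any(m in _dir(str(event["Image"])) + "\\" for m in USER_WRITABLE_MARKERS):
            findings.append(f"{host} running from user-writable path {_dir(str(event['Image']))}")

    elif event_id == 1:  # process create
        parent = _base(str(event.get("ParentImage", "")))
        child = _base(str(event["Image"]))
        cmdline = str(event.get("CommandLine", "")).lower()
        if parent in LOADER_HOSTS and child == "schtasks.exe" and "/create" in cmdline:
            findings.append(f"scheduled-task persistence spawned by {parent}")

    return findings


def scan(events: List[Dict[str, object]]) -> Dict[int, List[str]]:
    """Return {event index: findings} for every event that fired at least one rule."""
    hits: Dict[int, List[str]] = {}
    for i, ev in enumerate(events):
        found = evaluate(ev)
        if found:
            hits[i] = found
    return hits


# Constructed telemetry: one malicious sideload, one benign load from a plausible
# install path, one persistence attempt, one generic sideload by the test host.
SAMPLE_EVENTS = [
    {"EventID": 7,
     "Image": r"C:\Users\alice\AppData\Local\Temp\LogiPrompt\logiaipromptbuilder.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\LogiPrompt\screen_retriever_plugin.dll",
     "Signed": "false"},
    {"EventID": 7,
     "Image": r"C:\Program Files\Logitech\Logi AI Prompt Builder\logiaipromptbuilder.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true"},
    {"EventID": 1,
     "ParentImage": r"C:\Users\alice\AppData\Local\Temp\LogiPrompt\logiaipromptbuilder.exe",
     "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks.exe /Create /SC ONLOGON /TN ConstructedTask /TR "C:\Users\alice\AppData\Local\Temp\LogiPrompt\logiaipromptbuilder.exe"'},
    {"EventID": 7,
     "Image": r"C:\Users\alice\AppData\Roaming\tcl\tclloader.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Roaming\tcl\helper.dll",
     "Signed": "false"},
]

if __name__ == "__main__":
    for index, found in scan(SAMPLE_EVENTS).items():
        for line in found:
            print(f"event {index}: {line}")
```

The first rule is the specific one and the cheapest to evade by renaming, so the second and third rules matter more over time: a signed vendor binary loading an unsigned DLL from a directory under the user's profile is the shape of every sideloading campaign, not just this one.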