TCLBANKER: The Banker That Texts Your Contacts

  • Javier Conejo del Cerro
  • 12 May
  • 5 min read

Brazilian banking trojans have long evolved beyond simple credential theft, but TCLBANKER marks a new stage in that evolution. Identified by Elastic Security Labs as part of the REF3076 activity cluster, the malware combines advanced anti-analysis techniques, banking fraud capabilities, remote access functionality, and self-propagating worm behavior into a single modular platform. What makes TCLBANKER especially dangerous is not only its ability to steal credentials from banking, fintech, and cryptocurrency platforms, but its capacity to weaponize the victim’s own trusted communication channels to expand infections at scale.

The campaign abuses legitimate software components, leverages DLL side-loading, hijacks WhatsApp Web sessions, and turns Microsoft Outlook into a phishing delivery platform. By sending malicious messages directly from the victim’s own accounts, the attackers inherit the trust relationships already established between users, bypassing many conventional reputation-based defenses and email security controls.

Unlike traditional banking malware focused purely on financial theft, TCLBANKER operates more like a complete cybercrime ecosystem. It combines credential harvesting, remote administration, social engineering overlays, persistence mechanisms, and automated propagation into a highly flexible malware framework capable of continuously evolving.


Phase 1: The Trojan Arrives Through Trusted Software


The infection chain begins with a ZIP archive containing a malicious MSI installer. Rather than dropping obviously suspicious binaries, the operators abuse a signed Logitech application known as “Logi AI Prompt Builder.” This allows the malware to blend into legitimate software execution flows while reducing suspicion among users and security products.

The MSI installer performs DLL side-loading against the Logitech executable by placing a malicious DLL named “screen_retriever_plugin.dll” alongside the trusted application. When the legitimate executable launches, it inadvertently loads the attacker-controlled DLL, initiating the compromise chain while inheriting the trust associated with the signed binary.

This technique is particularly effective because many organizations still place excessive trust in signed applications without validating whether the surrounding DLLs or execution environment have been tampered with. The use of side-loading also helps the malware evade simplistic detection mechanisms that rely heavily on executable reputation or certificate validation.
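The side-loading pattern described above is easy to hunt for in image-load telemetry once it is written down as a rule: a signed executable mapping a DLL from its own directory, where the DLL is unsigned or carries a different publisher than the host, and especially where that directory is user-writable. The following is an added example, not code from the article or from Elastic's report; it runs the rule over constructed sample events (the kind an EDR or Sysmon Event ID 7 emits). The file names come from the article, while every path, publisher string and event is a constructed placeholder.

```python
"""Audit image-load telemetry for DLL side-loading candidates.

Added example, not code from the article or from Elastic's report. It scans
constructed image-load records and flags a DLL that a signed executable
loaded from its own directory when the DLL is unsigned or signed by a
different publisher than the host process, adding weight when that
directory is user-writable. File names come from the article; every path,
publisher name and event below is a constructed sample.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Directories an ordinary user can write to; a "trusted" application living
# here is a warning sign on its own.
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")


@dataclass(frozen=True)
class ImageLoad:
    process_path: str    # executable that mapped the image
    process_signer: str  # Authenticode subject of that executable ("" = unsigned)
    image_path: str      # DLL that was mapped
    image_signer: str    # Authenticode subject of the DLL ("" = unsigned)


def same_directory(a: str, b: str) -> bool:
    """Case-insensitive comparison of the parent directories of two Windows paths."""
    return str(PureWindowsPath(a).parent).lower() == str(PureWindowsPath(b).parent).lower()


def side_load_candidates(events):
    """Return one finding dict per load that matches the side-loading pattern."""
    findings = []
    for ev in events:
        # Side-loading abuses a *signed* host; an unsigned host is a different problem.
        if not ev.process_signer:
            continue
        # The planted DLL sits next to the executable so the loader finds it first.
        if not same_directory(ev.process_path, ev.image_path):
            continue
        reasons = []
        if not ev.image_signer:
            reasons.append("DLL is unsigned")
        elif ev.image_signer != ev.process_signer:
            reasons.append(f"DLL signer '{ev.image_signer}' differs from host signer '{ev.process_signer}'")
        if not reasons:
            continue  # same publisher signed both: a normal plugin layout
        if ev.image_path.lower().startswith(USER_WRITABLE_PREFIXES):
            reasons.append("loaded from user-writable directory")
        findings.append({"process": ev.process_path, "dll": ev.image_path, "reasons": reasons})
    return findings


# Constructed sample telemetry. "Logitech Sample Publisher" and "Vendor Sample
# Publisher" are placeholder subject names, not real certificate subjects.
SAMPLE_EVENTS = [
    ImageLoad(r"C:\Users\ana\AppData\Local\Temp\LogiPrompt\logiaipromptbuilder.exe",
              "Logitech Sample Publisher",
              r"C:\Users\ana\AppData\Local\Temp\LogiPrompt\screen_retriever_plugin.dll",
              ""),
    ImageLoad(r"C:\Users\ana\AppData\Local\Temp\LogiPrompt\logiaipromptbuilder.exe",
              "Logitech Sample Publisher",
              r"C:\Windows\System32\ntdll.dll",
              "Microsoft Windows"),
    ImageLoad(r"C:\Program Files\VendorApp\vendorapp.exe",
              "Vendor Sample Publisher",
              r"C:\Program Files\VendorApp\plugin.dll",
              "Vendor Sample Publisher"),
    ImageLoad(r"C:\Users\ana\Downloads\tool.exe", "",
              r"C:\Users\ana\Downloads\helper.dll", ""),
]

if __name__ == "__main__":
    for f in side_load_candidates(SAMPLE_EVENTS):
        print(f["process"], "->", f["dll"], ";", "; ".join(f["reasons"]))
```

Only the first sample event is reported: the signed host loads an unsigned DLL from a temp directory. The ntdll.dll load is ignored because it comes from a different directory, the vendor plugin is ignored because both files share a publisher, and the unsigned tool is ignored because there is no trusted binary being abused. In production the signer fields would come from your EDR's Authenticode verification rather than from a file name.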


Phase 2: Watching the Watchers


Once executed, TCLBANKER deploys one of its most sophisticated features: an extensive anti-analysis and anti-detection subsystem. The malicious DLL continuously monitors for debugging environments, virtual machines, sandboxes, disassemblers, instrumentation frameworks, and endpoint security products.

The malware only executes correctly if it is loaded by expected process names such as “logiaipromptbuilder.exe,” preventing accidental exposure during analysis. It also removes user-mode hooks inserted by security software into “ntdll.dll” and disables Event Tracing for Windows (ETW), significantly reducing visibility into malicious activity.

One of the most advanced mechanisms involves environment-based payload decryption. TCLBANKER generates several system fingerprints based on disk characteristics, virtualization checks, anti-debugging tests, and system language settings. Those fingerprints are combined into a unique environment hash that is required to decrypt the embedded payload correctly.

If analysts attempt to execute the malware inside a sandbox or debugging environment, the generated hash changes, causing decryption to fail and effectively rendering the malware inoperable. The campaign also specifically verifies whether the system language is Brazilian Portuguese, confirming its strong regional targeting focus.

This approach demonstrates how Brazilian banking malware has evolved from opportunistic credential stealers into highly mature crimeware platforms incorporating techniques previously associated with advanced persistent threat operations.
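Environment-gated decryption is worth seeing in miniature, because it explains why a detonation in a generic sandbox yields nothing and what an analyst therefore has to record from the real host. The toy below is an added example and not the malware's own scheme: it combines fingerprint fields of the kinds the article lists (disk, virtualization, debugger, language) into one hash, derives a key from it, and shows that changing a single input makes the integrity check fail. The fingerprint values, the key derivation and the SHA-256 keystream with an HMAC tag are all constructed stand-ins.

```python
"""Toy model of environment-gated payload decryption.

Added example, not code from the article or from the malware. It shows why an
analysis environment that alters even one fingerprint input cannot recover the
payload, and therefore why an analyst must reproduce the victim host's
fingerprint inputs (or patch the check) rather than rely on a generic sandbox.
All values and the cipher (SHA-256 keystream + HMAC-SHA256 tag) are constructed.
"""
import hashlib
import hmac
from typing import Optional


def environment_hash(fingerprint: dict) -> bytes:
    """Combine fingerprint fields, in a fixed order, into one 32-byte hash."""
    material = "|".join(f"{k}={fingerprint[k]}" for k in sorted(fingerprint))
    return hashlib.sha256(material.encode()).digest()


def _keystream(key: bytes, length: int) -> bytes:
    """Deterministic keystream derived from the key (toy construction)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def seal(payload: bytes, fingerprint: dict) -> bytes:
    """Encrypt under the environment hash and prepend an HMAC tag."""
    key = environment_hash(fingerprint)
    body = bytes(a ^ b for a, b in zip(payload, _keystream(key, len(payload))))
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return tag + body


def unseal(blob: bytes, fingerprint: dict) -> Optional[bytes]:
    """Return the payload, or None when the environment hash does not match."""
    key = environment_hash(fingerprint)
    tag, body = blob[:32], blob[32:]
    if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()):
        return None
    return bytes(a ^ b for a, b in zip(body, _keystream(key, len(body))))


# Constructed fingerprint values standing in for the real host's checks.
VICTIM_ENV = {
    "disk_class": "physical",
    "virtualization": "none",
    "debugger": "absent",
    "ui_language": "pt-BR",
}
# A typical sandbox differs in at least two of these fields.
SANDBOX_ENV = dict(VICTIM_ENV, virtualization="hypervisor", ui_language="en-US")

SAMPLE_PAYLOAD = b"stage2: constructed placeholder bytes"
BLOB = seal(SAMPLE_PAYLOAD, VICTIM_ENV)

if __name__ == "__main__":
    print("victim host :", unseal(BLOB, VICTIM_ENV))
    print("sandbox     :", unseal(BLOB, SANDBOX_ENV))
```

The practical lesson for incident responders is that a sample pulled from an infected machine should be analysed alongside that machine's language settings, disk layout and virtualization state; changing any one of them (here, only the UI language) is enough to turn the payload into noise.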


Phase 3: The Banker Inside the Browser


After bypassing defensive checks, the malware deploys its primary banking trojan module and establishes persistence through scheduled tasks. TCLBANKER then contacts its command-and-control infrastructure via HTTP POST requests containing system profiling information.

The malware continuously monitors the active browser window using Windows UI Automation APIs to extract URLs directly from the browser address bar. Supported browsers include Google Chrome, Mozilla Firefox, Microsoft Edge, Brave, Opera, and Vivaldi.

The extracted URLs are compared against a hard-coded list of targeted financial institutions, fintech services, and cryptocurrency platforms. Once a match is detected, the malware opens a WebSocket connection to its remote operators and enters a live command loop that enables dynamic interaction with the infected system.

Operators gain the ability to execute shell commands, capture screenshots, stream the victim’s screen in real time, manipulate clipboard contents, launch keyloggers, manage processes, transfer files, and remotely control the mouse and keyboard. This effectively transforms the infected machine into a remotely operated fraud terminal.

TCLBANKER also deploys highly convincing credential-harvesting overlays using a Windows Presentation Foundation (WPF)-based framework. Victims are shown fake login prompts, bogus verification requests, fraudulent progress bars, vishing waiting screens, and even counterfeit Windows Update messages designed to maintain user trust during fraudulent operations.

To further complicate forensic analysis, the malware hides these overlays from many screen-capture tools, limiting visibility for analysts and incident responders attempting to reconstruct the attack.


Phase 4: Turning Victims Into Distributors


The most distinctive aspect of TCLBANKER is its integrated worming capability. Rather than relying solely on phishing campaigns operated by attackers, the malware weaponizes the victim’s own communication platforms to distribute itself.

The WhatsApp propagation module hijacks authenticated WhatsApp Web browser sessions and uses the open-source WPPConnect framework to automate message delivery. The malware retrieves phishing templates directly from its infrastructure and sends malicious messages to the victim’s contacts while filtering out groups, broadcast lists, and non-Brazilian numbers.

Simultaneously, the Outlook propagation module abuses the locally installed Microsoft Outlook application to send phishing emails directly from the victim’s own mailbox. Because the emails originate from legitimate accounts with valid authentication histories, they bypass many traditional email filtering and reputation-based security controls.

According to Elastic, the malware can spam up to 3,000 contacts using the victim’s own accounts and trusted infrastructure. This dramatically increases infection credibility while making detection substantially harder for defensive systems.

Instead of attackers impersonating trusted users, TCLBANKER effectively transforms real users into involuntary phishing operators.
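Propagation through a victim's own WhatsApp Web session or Outlook mailbox is hard to catch on content alone, because the sender really is who it claims to be. Volume and fan-out, however, are hard for a worm to hide: no ordinary user messages thousands of distinct contacts in a few minutes. The following is an added example, not code from the article, showing a sliding-window fan-out check over constructed send records of the kind a mail gateway or messaging audit log could emit.

```python
"""Flag accounts that fan out to unusually many distinct recipients.

Added example, not code from the article. A sliding-window check over
constructed outbound send records (timestamp, channel, sender, recipient):
an account that reaches more distinct recipients inside the window than its
baseline allows is flagged once, with the time the threshold was crossed.
Senders, recipients and timestamps are constructed samples.
"""
from collections import deque
from datetime import datetime, timedelta


def burst_senders(records, window=timedelta(minutes=10), max_recipients=50):
    """records: iterable of (timestamp, channel, sender, recipient) sorted by time.

    Returns {(channel, sender): timestamp_first_flagged}.
    """
    state = {}    # (channel, sender) -> deque of (timestamp, recipient) in window
    flagged = {}
    for ts, channel, sender, recipient in records:
        key = (channel, sender)
        recent = state.setdefault(key, deque())
        recent.append((ts, recipient))
        # Drop entries that fell out of the window.
        while recent and ts - recent[0][0] > window:
            recent.popleft()
        distinct = {r for _, r in recent}
        if len(distinct) > max_recipients and key not in flagged:
            flagged[key] = ts
    return flagged


def make_sample():
    """Constructed log: one normal mail user and one hijacked WhatsApp session."""
    base = datetime(2025, 5, 12, 9, 0, 0)
    records = []
    # Normal behaviour: eight mails to colleagues over about an hour.
    for i in range(8):
        records.append((base + timedelta(minutes=7 * i), "outlook",
                        "ana@example.com", f"colleague{i}@example.com"))
    # Worm behaviour: 120 messages to distinct numbers, one every two seconds.
    for i in range(120):
        records.append((base + timedelta(seconds=2 * i), "whatsapp",
                        "+55119990000", f"+5511{i:08d}"))
    records.sort(key=lambda r: r[0])
    return records


if __name__ == "__main__":
    for (channel, sender), when in burst_senders(make_sample()).items():
        print(f"{when:%H:%M:%S} {channel} {sender} exceeded fan-out threshold")
```

The threshold and window are baselines to tune per organisation; the point is that the check keys on distinct recipients per sender rather than on message content, so it works equally for mail and for messaging sessions and is indifferent to whatever phishing template the operators pushed.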


Phase 5: A Mature Banking Malware Ecosystem


TCLBANKER highlights the growing sophistication of the Brazilian banking trojan landscape. Techniques such as environment-gated payload decryption, syscall manipulation, anti-analysis fingerprinting, real-time social engineering orchestration, and communication hijacking were once associated primarily with highly advanced threat actors.

Now, those same techniques are increasingly appearing inside financially motivated malware campaigns aimed at mass fraud operations.

The modular nature of TCLBANKER also suggests future expansion possibilities. Researchers identified debugging artifacts, testing process names, and incomplete phishing infrastructure, indicating the malware family is still actively evolving.

Future variants could incorporate additional propagation vectors, broader geographic targeting, improved evasion mechanisms, or expanded cryptocurrency theft capabilities.

Measures to Fend Off TCLBANKER

  • Restrict DLL side-loading opportunities through application control policies.

  • Monitor MSI installer execution from ZIP archives and temporary directories.

  • Enforce multi-factor authentication across banking, email, and messaging services.

  • Monitor unusual Outlook automation behavior and mass outbound messaging activity.

  • Detect abnormal WhatsApp Web session activity and browser automation attempts.

  • Limit local administrator privileges on endpoints.

  • Harden browser protections and isolate financial browsing sessions where possible.

  • Deploy behavioral endpoint detection capable of identifying UI Automation abuse.

  • Monitor scheduled task creation and persistence-related registry modifications.

  • Regularly rotate credentials, tokens, and cloud secrets potentially exposed on compromised systems.

  • Train employees to recognize phishing attempts originating from known contacts.

  • Audit systems for unauthorized Logitech-related DLL activity and suspicious side-loading behavior.
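Scheduled-task persistence, used by TCLBANKER after it passes its environment checks and named in the list above, leaves a structured record: Windows Security Event ID 4698 carries the full task XML in its TaskContent field. The following is an added example, not code from the article, that parses that XML and flags tasks whose action runs from a user-writable location or starts a script host pointed at one. The event records are constructed samples that model only the TaskName and TaskContent fields; task names and paths are placeholders.

```python
"""Audit scheduled-task creation events for user-level persistence.

Added example, not from the article. Parses the TaskContent XML carried by
Windows Security Event ID 4698 ("A scheduled task was created") and flags
tasks whose action runs an executable from a user-writable location or
starts a script host with a user-writable path in its arguments. The events
below are constructed samples modelling only the TaskName/TaskContent fields.
"""
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\",
                 "%appdata%", "%localappdata%", "%temp%", "%userprofile%")
SCRIPT_HOSTS = ("powershell", "cmd.exe", "wscript", "cscript", "mshta",
                "rundll32", "regsvr32")


def audit_task(task_content: str):
    """Return the reasons a task looks like user-level persistence (empty if none)."""
    root = ET.fromstring(task_content)
    reasons = []
    for ex in root.findall(".//t:Actions/t:Exec", NS):
        command = (ex.findtext("t:Command", default="", namespaces=NS) or "").strip().strip('"')
        args = ex.findtext("t:Arguments", default="", namespaces=NS) or ""
        cmd_l, args_l = command.lower(), args.lower()
        if cmd_l.startswith(USER_WRITABLE):
            reasons.append(f"action runs from user-writable path: {command}")
        if any(h in cmd_l for h in SCRIPT_HOSTS) and any(p in args_l for p in USER_WRITABLE):
            reasons.append(f"script host launched with user-writable path: {command} {args}")
    # A logon trigger re-runs the action every session: classic persistence.
    if reasons and root.find(".//t:Triggers/t:LogonTrigger", NS) is not None:
        reasons.append("re-runs at every logon")
    return reasons


def audit_events(events):
    """events: iterable of dicts with 'TaskName' and 'TaskContent'. Returns {name: reasons}."""
    results = {}
    for ev in events:
        reasons = audit_task(ev["TaskContent"])
        if reasons:
            results[ev["TaskName"]] = reasons
    return results


# Constructed Event ID 4698 records (task names and paths are placeholders).
SAMPLE_EVENTS = [
    {"TaskName": r"\LogiPromptUpdate",
     "TaskContent": r"""<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author">
    <Exec><Command>C:\Users\ana\AppData\Local\Temp\LogiPrompt\logiaipromptbuilder.exe</Command></Exec>
  </Actions>
</Task>"""},
    {"TaskName": r"\SyncHelper",
     "TaskContent": r"""<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><BootTrigger><Enabled>true</Enabled></BootTrigger></Triggers>
  <Actions Context="Author">
    <Exec><Command>rundll32.exe</Command><Arguments>%APPDATA%\sync\helper.dll,Start</Arguments></Exec>
  </Actions>
</Task>"""},
    {"TaskName": r"\VendorUpdater",
     "TaskContent": r"""<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><StartBoundary>2025-05-12T03:00:00</StartBoundary></CalendarTrigger></Triggers>
  <Actions Context="Author">
    <Exec><Command>C:\Program Files\VendorApp\updater.exe</Command><Arguments>/silent</Arguments></Exec>
  </Actions>
</Task>"""},
]

if __name__ == "__main__":
    for name, reasons in audit_events(SAMPLE_EVENTS).items():
        print(name, "->", "; ".join(reasons))
```

The vendor updater in Program Files with a calendar trigger produces no finding, while the task pointing at a temp-directory copy of the Logitech executable and the rundll32 task fed a DLL from %APPDATA% are both reported. Feeding real 4698 events only requires extracting the two fields from the event's EventData before calling audit_events.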


Conclusion


TCLBANKER demonstrates how modern banking malware is no longer limited to stealing passwords or intercepting transactions. It represents a convergence of banking fraud, remote access tooling, social engineering, and worm-like propagation capabilities inside a single malware ecosystem.

By abusing trusted applications, evading analysis environments, hijacking legitimate communication channels, and weaponizing social trust itself, TCLBANKER significantly increases both infection effectiveness and operational stealth.

Perhaps the most concerning aspect is that the malware spreads not by pretending to be someone the victim trusts, but by becoming that trusted person digitally. Messages arrive from legitimate WhatsApp accounts and authentic Outlook mailboxes, making traditional indicators of phishing far less reliable.

As financially motivated cybercrime continues to mature, campaigns like TCLBANKER illustrate how modern malware increasingly operates as a self-sustaining infection network capable of exploiting trust, automation, and legitimate infrastructure simultaneously.



The Hacker News

