TCLBANKER Malware Targets WhatsApp, Outlook: New Brazilian Trojan Threatens Global Cybersecurity

TCLBANKER Malware: A New Threat Spreading via WhatsApp and Outlook

A Brazilian banking trojan known as TCLBANKER, observed in the campaign tracked as REF3076, has emerged as a significant threat. It builds on earlier Brazilian families such as Maverick and SORVEPOTEL, and is distinguished by its delivery chain (DLL side-loading through a legitimately signed application) and by worm-like propagation over WhatsApp Web and Microsoft Outlook.

Infection Mechanism

The attack starts when a user downloads a malicious ZIP file whose installer bundles a legitimate, digitally signed Logitech executable, Logi AI Prompt Builder. The signed program itself is not exploited; it is abused as a host for DLL side-loading: the installer places a malicious DLL where the Logitech binary expects one of its own libraries, so the trusted, signed process loads the attacker's code in place of the standard component. Once that loader is running inside the signed process it controls the rest of the infection chain. The practical consequence is that a valid Authenticode signature on the running executable says nothing about the safety of the package it arrived in.
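To make the side-loading pattern concrete, here is an added detection example (not code from the TCLBANKER report or from Logitech) that triages Sysmon Event ID 7 image-load records. It assumes the loading process's own signer has been joined in from its Event ID 1 record under the hypothetical fields ProcessSigned and ProcessSignature, and every path, file name and signer string in the sample data is a constructed placeholder rather than a real indicator:

```python
"""Flag DLL side-loading candidates in Sysmon Event ID 7 (ImageLoad) records.

Added example for this article; it is not code from the TCLBANKER analysis or
from Logitech.  The event records are constructed, and every path, file name
and signer string is a hypothetical placeholder, not a real artefact.
"""
from pathlib import PureWindowsPath

# Directories where a vendor-installed, signed executable normally lives.
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")


def _parent(path: str) -> str:
    return str(PureWindowsPath(path).parent).lower()


def sideload_reasons(ev: dict) -> list:
    """Return the reasons one ImageLoad event looks like side-loading ([] = clean).

    Native Sysmon Event ID 7 fields used: Image (loading process), ImageLoaded
    (the DLL), and Signed / Signature, which describe the loaded DLL.
    ProcessSigned / ProcessSignature are NOT native to event 7; the example
    assumes they were joined in from the process's Event ID 1 record.
    """
    process, dll = ev["Image"], ev["ImageLoaded"]
    if not dll.lower().endswith(".dll"):
        return []
    # An application-local DLL only wins the search order when it sits next to
    # the executable, so anything loaded from elsewhere is out of scope here.
    if _parent(process) != _parent(dll):
        return []
    # An unsigned host buys the attacker nothing; the technique needs a signed one.
    if ev.get("ProcessSigned") != "true":
        return []
    reasons = []
    if ev.get("Signed") != "true":
        reasons.append("signed process loaded an unsigned DLL from its own directory")
    elif ev.get("Signature") != ev.get("ProcessSignature"):
        reasons.append("DLL signer differs from the process signer")
    if not process.lower().startswith(TRUSTED_ROOTS):
        reasons.append("signed executable is running from a user-writable location")
    return reasons


def triage(events: list) -> list:
    """Run sideload_reasons over a batch and keep the hits as (process, dll, reasons)."""
    hits = []
    for ev in events:
        reasons = sideload_reasons(ev)
        if reasons:
            hits.append((ev["Image"], ev["ImageLoaded"], reasons))
    return hits


# Constructed sample events, not real telemetry.  "VENDOR_SIGNER" stands in for
# a vendor's Authenticode subject; "promptbuilder\app.exe" is a placeholder name.
SAMPLE_EVENTS = [
    {   # benign: installed vendor app loading its own signed DLL
        "Image": r"C:\Program Files\Vendor\app.exe",
        "ImageLoaded": r"C:\Program Files\Vendor\helper.dll",
        "ProcessSigned": "true", "ProcessSignature": "VENDOR_SIGNER",
        "Signed": "true", "Signature": "VENDOR_SIGNER",
    },
    {   # benign: system DLL loaded from System32, a different directory
        "Image": r"C:\Program Files\Vendor\app.exe",
        "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
        "ProcessSigned": "true", "ProcessSignature": "VENDOR_SIGNER",
        "Signed": "true", "Signature": "Microsoft Windows",
    },
    {   # suspicious: signed app extracted to Downloads loads an unsigned DLL beside it
        "Image": r"C:\Users\alice\Downloads\promptbuilder\app.exe",
        "ImageLoaded": r"C:\Users\alice\Downloads\promptbuilder\helper.dll",
        "ProcessSigned": "true", "ProcessSignature": "VENDOR_SIGNER",
        "Signed": "false", "Signature": "",
    },
]

if __name__ == "__main__":
    for image, dll, reasons in triage(SAMPLE_EVENTS):
        print(f"{image} -> {dll}: {'; '.join(reasons)}")
```

The signer-mismatch reason is noisy on its own (vendors routinely ship Microsoft-signed runtime DLLs beside their executables), so weight it below the other two; the combination worth paging on is a signed executable in Downloads or Temp loading an unsigned DLL from the same folder, which is exactly the shape of the chain described above.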

Evasion Tactics

TCLBANKER is built to avoid detection by analysts and automated sandboxes. Before deploying its payload it runs a series of environment checks and only proceeds if the host looks like a real victim machine in Brazil. The checks include:

– Detecting debugging tools
– Identifying virtual machine environments
– Scanning for specific antivirus software
– Checking the system language and time zone for values consistent with a machine located in Brazil

If any check indicates a non-target environment, the malware stops executing and never exposes its banking functionality. The geofencing has a practical consequence for analysts: a detonation sandbox with an English locale or a non-Brazilian time zone will observe only the benign-looking loader, so samples should be analysed with a Brazilian Portuguese locale and a Brazil time zone, with debuggers and virtual-machine artefacts hidden from the guest.

Operational Capabilities

Once it is satisfied that it is on a genuine target, TCLBANKER turns on its banking functionality. It watches the user's web browsing for visits to any of 59 targeted banks, fintech platforms and cryptocurrency sites, and only when one of them is opened does it connect to its remote command-and-control server, which means the C2 traffic does not appear until a targeted session is under way.

To harvest credentials, TCLBANKER draws full-screen overlays built with Microsoft's Windows Presentation Foundation (WPF). The overlays imitate the bank's own interface or a Windows Update screen and prompt the victim for one-time security codes or PINs, which are passed to the operators. The overlays are designed to:

– Cover the entire screen
– Block keyboard shortcuts such as the Windows key and Escape, so the victim cannot switch away from the prompt
– Prevent screen-capture tools from recording the fraudulent prompt, which also hides it from screenshot-based remote support or analysis

The victim therefore types credentials straight into the attacker's window while believing it belongs to the bank or to the operating system.
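As an added example (not from the TCLBANKER analysis), the following script looks for windows with the three properties listed above. Win32 exposes each of them: a window rectangle covering the primary display, the WS_EX_TOPMOST extended style, and a display affinity of WDA_EXCLUDEFROMCAPTURE set through SetWindowDisplayAffinity, which makes a window appear black in screen captures. The article does not say which mechanism TCLBANKER uses to defeat capture, so treating display affinity as the mechanism is this example's assumption; the sample window records and process names are constructed:

```python
"""Find full-screen, topmost, capture-blocked windows like the overlays described above.

Added example for this article, not code from the TCLBANKER analysis.  It assumes
the overlay is an ordinary top-level window and that capture blocking is done with
SetWindowDisplayAffinity(WDA_EXCLUDEFROMCAPTURE); the article does not name the
mechanism, so that is this example's assumption.  Sample data is constructed.
"""
import sys
from dataclasses import dataclass

WS_EX_TOPMOST = 0x00000008           # extended style: stays above all non-topmost windows
WDA_MONITOR = 0x00000001             # display affinity: content shown only on a monitor
WDA_EXCLUDEFROMCAPTURE = 0x00000011  # display affinity: window is blanked in screen captures

# Processes that legitimately own full-screen windows; constructed allow-list,
# extend it for kiosk or conferencing software in your own estate.
ALLOWED_IMAGES = {"explorer.exe", "dwm.exe"}


@dataclass
class WindowInfo:
    hwnd: int
    image: str      # executable name of the owning process
    title: str
    rect: tuple     # (left, top, right, bottom) in screen pixels
    ex_style: int   # GWL_EXSTYLE value
    affinity: int   # GetWindowDisplayAffinity result, 0 if the call failed


def overlay_reasons(w: WindowInfo, screen: tuple) -> list:
    """Return why a window looks like a credential-phishing overlay ([] = it does not)."""
    left, top, right, bottom = w.rect
    covers = left <= screen[0] and top <= screen[1] and right >= screen[2] and bottom >= screen[3]
    if not covers or w.image.lower() in ALLOWED_IMAGES:
        return []
    reasons = ["covers the whole primary display"]
    if w.ex_style & WS_EX_TOPMOST:
        reasons.append("WS_EX_TOPMOST set")
    if w.affinity == WDA_EXCLUDEFROMCAPTURE:
        reasons.append("excluded from screen capture (WDA_EXCLUDEFROMCAPTURE)")
    elif w.affinity == WDA_MONITOR:
        reasons.append("capture restricted (WDA_MONITOR)")
    return reasons


def triage_windows(windows: list, screen: tuple) -> list:
    """Keep only windows with overlay indicators, as (image, title, reasons)."""
    return [(w.image, w.title, r) for w in windows if (r := overlay_reasons(w, screen))]


def enumerate_windows() -> list:
    """Collect visible top-level windows through Win32; returns [] off Windows."""
    if sys.platform != "win32":
        return []
    import ctypes
    from ctypes import wintypes
    user32, kernel32 = ctypes.windll.user32, ctypes.windll.kernel32
    GWL_EXSTYLE, PROCESS_QUERY_LIMITED_INFORMATION = -20, 0x1000
    found = []

    def image_of(hwnd):
        pid = wintypes.DWORD()
        user32.GetWindowThreadProcessId(hwnd, ctypes.byref(pid))
        h = kernel32.OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, False, pid.value)
        if not h:
            return "?"
        buf, size = ctypes.create_unicode_buffer(1024), wintypes.DWORD(1024)
        kernel32.QueryFullProcessImageNameW(h, 0, buf, ctypes.byref(size))
        kernel32.CloseHandle(h)
        return buf.value.rsplit("\\", 1)[-1]

    @ctypes.WINFUNCTYPE(wintypes.BOOL, wintypes.HWND, wintypes.LPARAM)
    def on_window(hwnd, _):
        if user32.IsWindowVisible(hwnd):
            rect, aff, title = wintypes.RECT(), wintypes.DWORD(0), ctypes.create_unicode_buffer(256)
            user32.GetWindowRect(hwnd, ctypes.byref(rect))
            user32.GetWindowDisplayAffinity(hwnd, ctypes.byref(aff))  # may fail cross-process; aff stays 0
            user32.GetWindowTextW(hwnd, title, 256)
            found.append(WindowInfo(hwnd, image_of(hwnd), title.value,
                                    (rect.left, rect.top, rect.right, rect.bottom),
                                    user32.GetWindowLongW(hwnd, GWL_EXSTYLE), aff.value))
        return True

    user32.EnumWindows(on_window, 0)
    return found


# Constructed sample: a normal browser window, the desktop, and a hypothetical overlay.
SCREEN = (0, 0, 1920, 1080)
SAMPLE_WINDOWS = [
    WindowInfo(0x10, "msedge.exe", "Internet Banking", (120, 80, 1500, 900), 0, 0),
    WindowInfo(0x20, "explorer.exe", "", SCREEN, 0, 0),
    WindowInfo(0x30, "app.exe", "Windows Update", SCREEN, WS_EX_TOPMOST, WDA_EXCLUDEFROMCAPTURE),
]

if __name__ == "__main__":
    windows, screen = enumerate_windows(), SCREEN
    if windows:  # live enumeration worked, so size the check to the real primary display
        import ctypes
        screen = (0, 0, ctypes.windll.user32.GetSystemMetrics(0), ctypes.windll.user32.GetSystemMetrics(1))
    for image, title, reasons in triage_windows(windows or SAMPLE_WINDOWS, screen):
        print(f"{image} '{title}': {'; '.join(reasons)}")
```

On a Windows host the script enumerates live windows through ctypes; elsewhere it runs against the constructed sample. GetWindowDisplayAffinity is not guaranteed to succeed against windows owned by other processes, in which case the affinity reads as 0 and only the geometry and topmost indicators remain. Either way, collect window metadata from an EDR script or a scheduled task rather than relying on screenshots, which an overlay of this kind is built to defeat.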

Self-Propagation via WhatsApp and Outlook

A particularly alarming feature of TCLBANKER is that it spreads itself through two communication channels the victim's contacts already trust:

– WhatsApp Web: The malware looks for an active WhatsApp Web session in Chrome or Edge and clones its session data, which lets it send phishing messages and malicious files to the victim's contacts from the victim's own account without the victim noticing. Because the messages arrive from a known contact, recipients are far more likely to open them.

– Microsoft Outlook: TCLBANKER also harvests the victim's Outlook contacts and sends them emails carrying malicious attachments or links, spreading the infection to further systems.
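An added example (not from the TCLBANKER analysis) of how the WhatsApp Web side of this could be caught in endpoint telemetry. WhatsApp Web keeps its session in the browser's origin storage, which Chromium-based browsers write to disk under the profile's IndexedDB and Local Storage directories, so a non-browser process touching those files is a strong signal. A cloned profile also has to be loaded into a browser before it can be used, and this example assumes that would show up as a browser started with --user-data-dir by an unusual parent; that replay heuristic is the example's assumption, not something the article states. The Outlook side is driven through the mail client itself and needs a different vantage point, so it is not covered here. All paths, process names and events are constructed:

```python
"""Flag access to WhatsApp Web session storage, and browser launches that replay a
cloned profile, from Sysmon-style events.

Added example for this article, not code from the TCLBANKER analysis.  Two feeds
are assumed: file events with Image (acting process) and TargetFilename, and
process-creation events (Sysmon Event ID 1) with Image, ParentImage and
CommandLine.  Sysmon Event ID 11 records only file creation, so catching a pure
read of the profile needs an object-access audit (Windows event 4663 with a SACL
on the profile directory) or an EDR file sensor producing the same fields.  The
replay heuristic is this example's assumption.  All paths and names are constructed.
"""
import re
from typing import Optional

BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "chromium.exe"}
NORMAL_PARENTS = BROWSERS | {"explorer.exe"}

# Chromium keeps per-origin IndexedDB under <profile>\IndexedDB\https_<host>_0.indexeddb.leveldb\
# and origin-keyed Local Storage under <profile>\Local Storage\leveldb\ .
WHATSAPP_IDB = re.compile(r"\\indexeddb\\https_web\.whatsapp\.com_\d+\.indexeddb\.leveldb\\", re.I)
LOCAL_STORAGE = re.compile(r"\\user data\\[^\\]+\\local storage\\leveldb\\", re.I)
PROFILE_ROOT = re.compile(r"\\user data\\[^\\]+\\", re.I)
USER_DATA_DIR = re.compile(r"--user-data-dir=(\"[^\"]*\"|\S+)", re.I)


def image_name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def classify_file_event(ev: dict) -> Optional[str]:
    """Severity label for a file event touching browser storage, or None."""
    actor, target = image_name(ev["Image"]), ev["TargetFilename"]
    if actor in BROWSERS:
        return None                      # the browser owning the profile belongs here
    if WHATSAPP_IDB.search(target):
        return f"high: WhatsApp Web IndexedDB touched by {actor}"
    if LOCAL_STORAGE.search(target):
        return f"medium: browser Local Storage touched by {actor}"
    if PROFILE_ROOT.search(target):
        return f"low: browser profile touched by {actor}"
    return None


def replay_reasons(ev: dict) -> list:
    """Why a process-creation event looks like a cloned profile being replayed ([] = no)."""
    if image_name(ev["Image"]) not in BROWSERS:
        return []
    reasons = []
    cmd = ev.get("CommandLine", "")
    m = USER_DATA_DIR.search(cmd)
    if m:
        profile = m.group(1).strip('"')
        # A real profile root ends in "\User Data"; anything else (Temp, a folder
        # next to the loader) is a transplanted profile.
        if not re.search(r"\\user data\\?$", profile, re.I):
            reasons.append(f"--user-data-dir points outside the normal profile location ({profile})")
    if re.search(r"(^|\s)--headless", cmd, re.I):
        reasons.append("browser started headless")
    parent = image_name(ev.get("ParentImage", ""))
    if parent not in NORMAL_PARENTS:
        reasons.append(f"launched by {parent}")
    return reasons


def triage(file_events: list, process_events: list) -> list:
    """Collect hits from both feeds as (kind, image, detail)."""
    hits = []
    for ev in file_events:
        label = classify_file_event(ev)
        if label:
            hits.append(("file", ev["Image"], label))
    for ev in process_events:
        reasons = replay_reasons(ev)
        if reasons:
            hits.append(("process", ev["Image"], "; ".join(reasons)))
    return hits


CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
WA_LDB = (r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\IndexedDB"
          r"\https_web.whatsapp.com_0.indexeddb.leveldb\000005.ldb")
LOADER = r"C:\Users\alice\Downloads\promptbuilder\app.exe"   # hypothetical loader path

SAMPLE_FILE_EVENTS = [
    {"Image": CHROME, "TargetFilename": WA_LDB},                                    # browser itself
    {"Image": LOADER, "TargetFilename": WA_LDB},                                    # session theft
    {"Image": r"C:\Tools\backup.exe", "TargetFilename":
     r"C:\Users\alice\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\000003.log"},
    {"Image": LOADER, "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\out.tmp"},  # unrelated
]
SAMPLE_PROCESS_EVENTS = [
    {"Image": CHROME, "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": f'"{CHROME}"'},
    {"Image": CHROME, "ParentImage": LOADER,
     "CommandLine": f'"{CHROME}" --headless --user-data-dir=C:\\Users\\alice\\AppData\\Local\\Temp\\wa_clone '
                    "https://web.whatsapp.com"},
]

if __name__ == "__main__":
    for kind, image, detail in triage(SAMPLE_FILE_EVENTS, SAMPLE_PROCESS_EVENTS):
        print(kind, image, detail)
```

The "low" tier will fire on legitimate backup and sync agents, so treat it as context rather than an alert; the "high" tier, a non-browser process under Downloads or Temp reading the web.whatsapp.com IndexedDB, is the one that maps directly to the session cloning described above.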

Implications and Recommendations

TCLBANKER illustrates a broader shift: rather than exploiting a software vulnerability, it hides behind a trusted signed application and abuses the communication platforms its victims already use. Users should be cautious when downloading files from unknown sources and treat unexpected messages or attachments with suspicion even when they come from a known contact, since that contact's account may itself be compromised.

To mitigate the risk of infection:

– Verify Sources: Confirm where an installer came from before running it, and download software only from the vendor's own site. A valid digital signature on an executable is not proof that the package around it is safe; in this case the signed Logitech binary is genuine and the malicious component is the DLL shipped next to it.

– Update Software: Keep all applications and operating systems up to date to benefit from the latest security patches.

– Use Security Tools: Run endpoint protection that inspects DLL loads and process behaviour rather than file hashes alone, since the loader executes inside a legitimately signed process; in particular, watch for signed executables loading unsigned DLLs from user-writable directories such as Downloads or Temp.

– Educate Users: Train staff to recognise phishing, including messages that arrive from a colleague's or friend's WhatsApp or email account, and to report any unexpected full-screen prompt asking for banking codes or PINs.

By adopting these practices, individuals and organizations can enhance their defenses against sophisticated malware like TCLBANKER.