Fifty-nine banking, fintech, and cryptocurrency platforms are listed as TCLBanker’s targets, according to researchers who discovered the trojan’s installer and worm modules.
How TCLBanker arrives: a trojanized Logitech AI Prompt Builder installer
Elastic Security Labs identified TCLBanker after finding a trojanized MSI installer for "Logitech AI Prompt Builder." The malicious payload loads inside the context of the legitimate Logitech application via DLL side-loading, a technique that allows the malware to execute without triggering obvious alerts from host-based security products.
The researchers describe the loader as feature-rich but not deeply novel, noting code artifacts that indicate AI may have been used in parts of its development. Elastic also links TCLBanker to the Maverick/Sorvepotel family, calling it a major evolution of those LATAM-focused banking trojans.
Anti-analysis, persistence, and stealth
TCLBanker includes multiple layers designed to frustrate analysis and to remain active on infected systems. Elastic warns that the trojan uses environment-dependent payload decryption routines that are intended to fail in sandboxes or analyst environments. It runs a persistent watchdog thread that continuously hunts for analysis and debugging tools, specifically naming x64dbg, IDA, dnSpy, Frida, ProcessHacker, Ghidra, de4dot, and others.
Because the malware executes within the signed Logitech process space through DLL side-loading, many host defenses that rely on application context may not flag the activity as readily as they would a standalone malicious binary.
From browser monitoring to live remote control and overlay fraud
The banking module polls the browser address bar every second through Windows UI Automation APIs and checks whether the victim has opened one of the 59 targeted platforms. When a match occurs, TCLBanker establishes a WebSocket session with its command-and-control (C2) server, sends victim and system information, and enables remote-control operations for operators.
Elastic lists operator capabilities that include live screen streaming, screenshot capture, keylogging, clipboard hijacking, shell command execution, window management, file-system access, process enumeration, and remote mouse/keyboard control. During active operator sessions, the malware kills the Task Manager process to prevent the victim from interrupting or seeing the malicious activity.
To steal credentials and push victims to act, TCLBanker employs a WPF-based overlay system that can present fake credential prompts, PIN keypads, phone-number collection forms, “bank support” waiting screens, fake Windows Update screens, and assorted progress screens. The trojan also uses “cutout” overlays that leave only selected portions of real applications visible while masking others to hide malicious interface elements.
Self-spreading worm modules: WhatsApp and Outlook abused
TCLBanker contains autonomous propagation code that targets contacts linked to the infected user. For WhatsApp, the malware searches Chromium browser profiles for authenticated WhatsApp Web IndexedDB data, launches a hidden Chromium instance that hijacks the victim’s account, harvests contacts, filters for Brazilian numbers, and sends spam messages from the victim’s account directing recipients to TCLBanker distribution platforms.
Separately, a worm module abuses Microsoft Outlook through COM automation: it launches Outlook, harvests contacts and sender addresses, and sends phishing emails through the victim’s account. Elastic highlights these modules as notable because they allow TCLBanker to propagate using the victim’s own communications channels rather than relying solely on external mailing lists or purchased traffic.
What this means for technologists, procurement leaders, and end users
- Technologists and security teams: Expect a multi-stage infection that leverages signed applications and in-process DLL side-loading; monitor for unusual WebSocket activity from browser processes, frequent UI Automation calls, and processes that repeatedly attempt to kill Task Manager or inject overlays. Be aware the malware is engineered to fail in sandboxes and to hunt analysis tools.
- Enterprises and procurement leaders: The initial vector — a trojanized MSI posing as a vendor-supplied tool — underscores supply-chain risk and the need for verification of installer integrity and strict application allowlisting, particularly for third-party tooling tied to user productivity.
- End users and operational staff: Because TCLBanker can send messages and emails from an infected user’s own WhatsApp and Outlook accounts, credential theft and propagation may appear to come from friends or colleagues. Users in Brazil should be especially vigilant given the malware’s locale checks; organizations should warn personnel about unsolicited messages even when they appear to originate from known contacts.
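As an added illustration of the detection guidance above (example code, not from the article or from Elastic's report): a small Python pass over a constructed, Sysmon-like JSON-lines log that flags two of the behaviours described, an unsigned DLL loaded beside a signed executable from a user-writable folder, and repeated Task Manager terminations on one host within a short window. The event field names (EventID, Image, ImageLoaded, Signed, ImageSigned, Computer, UtcTime), the paths, and the tuning thresholds are assumptions of a simplified schema, not Sysmon's exact one.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")  # assumed
TASKMGR_KILLS, TASKMGR_WINDOW = 3, timedelta(seconds=60)                           # assumed tuning

def sideload_alert(ev):
    """Image-load event: signed host exe loads an unsigned DLL sitting beside it in a user-writable dir."""
    if ev.get("EventID") != 7 or ev.get("Signed") != "false" or ev.get("ImageSigned") != "true":
        return None
    host, dll = ev["Image"], ev["ImageLoaded"]
    same_dir = host.rsplit("\\", 1)[0].lower() == dll.rsplit("\\", 1)[0].lower()
    if same_dir and any(p in dll.lower() for p in USER_WRITABLE):
        return f"{ev['Computer']}: possible DLL side-loading, {host} loaded unsigned {dll}"
    return None

def taskmgr_kill_alerts(events):
    """Process-terminate events: several Taskmgr.exe terminations on one host inside a short window."""
    by_host = defaultdict(list)
    for ev in events:
        if ev.get("EventID") == 5 and ev["Image"].lower().endswith("\\taskmgr.exe"):
            by_host[ev["Computer"]].append(datetime.fromisoformat(ev["UtcTime"]))
    alerts = []
    for host, ts in by_host.items():
        ts.sort()
        for i in range(len(ts) - TASKMGR_KILLS + 1):      # sliding window over sorted times
            if ts[i + TASKMGR_KILLS - 1] - ts[i] <= TASKMGR_WINDOW:
                alerts.append(f"{host}: Taskmgr.exe terminated {TASKMGR_KILLS}x within "
                              f"{TASKMGR_WINDOW.seconds}s, possible remote-operator session")
                break                                     # one alert per host is enough
    return alerts

def scan(log_text):
    events = [json.loads(line) for line in log_text.splitlines() if line.strip()]
    return [a for a in map(sideload_alert, events) if a] + taskmgr_kill_alerts(events)

def _ev(eid, t, image, **fields):                         # one constructed event line
    return json.dumps({"EventID": eid, "Computer": "WS01", "UtcTime": t, "Image": image, **fields})
EXE = "C:\\Users\\ana\\AppData\\Local\\Temp\\VendorApp.exe"   # constructed, not a real product path
SAMPLE_LOG = "\n".join([                                       # constructed sample log
    _ev(7, "2025-01-10T12:00:00", EXE, ImageSigned="true", Signed="false",
        ImageLoaded="C:\\Users\\ana\\AppData\\Local\\Temp\\helper.dll"),
    _ev(7, "2025-01-10T12:00:01", EXE, ImageSigned="true", Signed="true",
        ImageLoaded="C:\\Windows\\System32\\kernel32.dll"),    # benign load, no alert
    _ev(5, "2025-01-10T12:05:00", "C:\\Windows\\System32\\Taskmgr.exe"),
    _ev(5, "2025-01-10T12:05:20", "C:\\Windows\\System32\\Taskmgr.exe"),
    _ev(5, "2025-01-10T12:05:45", "C:\\Windows\\System32\\Taskmgr.exe"),
])
```

Running `scan(SAMPLE_LOG)` yields one side-loading alert and one Task Manager alert; the benign kernel32 load and fewer than three kills in a minute produce nothing.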
Elastic notes TCLBanker currently appears focused on Brazil — checking timezone, keyboard layout, and locale — but warns LATAM malware has previously been broadened to wider targets, so the strain’s present geographic focus does not rule out expansion. The combination of DLL side-loading, active remote-control features, sophisticated overlays, and autonomous propagation marks TCLBanker as a significant step in the evolution of LATAM banking malware.
Read the original analysis: https://www.bleepingcomputer.com/news/security/new-tclbanker-malware-self-spreads-over-whatsapp-and-outlook/