TCLBANKER: Banking Trojan Spreads via WhatsApp

  • emanuelbatista4
  • 5 days ago
  • 4 min read

The ICS Labs CTI team has identified a new active Brazilian banking malware campaign named TCLBANKER, tracked as REF3076. This threat represents a significant evolution in the LATAM banking trojan ecosystem, incorporating:

  • advanced evasion techniques;

  • environment‑conditioned execution;

  • worm modules for automatic propagation;

  • WPF overlays for real‑time social engineering;

  • abuse of authenticated WhatsApp Web and Microsoft Outlook sessions.

The malware is distributed through a trojanized MSI installer of Logitech Logi AI Prompt Builder, leveraging DLL sideloading for malicious execution.

The campaign explicitly targets Brazilian users and monitors access to financial institutions, fintechs, and cryptocurrency exchanges.

 

Observed Capabilities

TCLBANKER features high‑impact operational capabilities:

  • theft of banking credentials;

  • capture of PINs and authentication codes;

  • social engineering via fullscreen overlays;

  • blocking of user interaction;

  • screen‑capture evasion;

  • automatic propagation via WhatsApp Web and Microsoft Outlook;

  • persistent communication via WebSocket C2;

  • automatic payload updates;

  • advanced anti‑analysis and anti‑debugging techniques.

 

Infection Vector

The observed infection chain consists of:

  1. ZIP archive containing a malicious MSI;

  2. installation of a trojanized version of Logi AI Prompt Builder;

  3. DLL sideloading of screen_retriever_plugin.dll;

  4. execution of the loader;

  5. conditional decryption of the payload;

  6. initialization of the Banker and Worm modules.

 

Evasion Techniques

The malware implements multiple anti‑analysis techniques:

  • ETW patching;

  • removal of hooks from ntdll.dll;

  • direct syscalls;

  • detection of VMware, VirtualBox, QEMU, debuggers, and tools such as x64dbg, IDA, dnSpy, Frida, and Process Hacker;

  • validation of pt‑BR language, Brazilian GeoID, RAM size, disk size, and CPU count.

The payload is only decrypted correctly in environments deemed “valid,” hindering sandboxing and automated analysis.

 

Banking Functionality

The banking module continuously monitors URLs accessed in browsers such as:

  • Chrome;

  • Edge;

  • Brave;

  • Opera;

  • Firefox;

  • Vivaldi.

When access to one of the 59 targeted Brazilian financial domains is detected, the malware:

  1. establishes a WebSocket connection to the C2;

  2. initiates a fraudulent session;

  3. activates malicious overlays.

 

Overlays and Social Engineering

One of TCLBANKER’s most sophisticated components is its WPF‑based social engineering framework, used to visually manipulate victims during banking sessions. The malware creates borderless fullscreen windows that are always on top and hidden from the taskbar, perfectly simulating legitimate operating system or financial institution interfaces.

To enhance realism, it captures screenshots of the victim’s desktop and uses them as the overlay background, creating the illusion that the system is functioning normally.

Additionally, the malware prevents users from closing malicious windows by blocking shortcuts such as Alt+F4, the Windows key, Ctrl+Esc, PrintScreen, and navigation combinations. It also uses the SetWindowDisplayAffinity API to hide overlays from screen‑capture tools, allowing operators to remotely observe victim activity without the fraudulent interface appearing in recordings or screenshots.

Overlays can assume different formats depending on the attacker’s operation. Identified modes include fake Windows update screens, banking credential prompts, simulated security processing screens, and waiting screens for fraudulent phone calls.

In some scenarios, the malware creates transparent “cut‑outs” within the overlay, allowing victims to interact with legitimate applications while remaining surrounded by a deceptive interface controlled by the operator. The goal is to increase victim trust and facilitate the collection of credentials, PINs, authentication codes, and other sensitive information during active banking sessions.
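As an added triage check (not code from the report or from ICS Labs), the script below enumerates top-level windows on a Windows host and flags those that combine the four traits described above: fullscreen, always on top, hidden from the taskbar and excluded from screen capture via display affinity. The Win32 API names and constants are real; the mapping of "hidden from the taskbar" to WS_EX_TOOLWINDOW (how WPF normally implements ShowInTaskbar=false) and the four-trait threshold are this example's own assumptions.

```python
import sys
import ctypes

# Documented Win32 values. Any affinity other than WDA_NONE keeps the window out of
# screen captures, which is the effect the overlay framework relies on.
WS_EX_TOPMOST, WS_EX_TOOLWINDOW, GWL_EXSTYLE, WDA_NONE = 0x8, 0x80, -20, 0

def overlay_traits(win, screen):
    """Return the overlay traits present in one window record.
    win: dict with keys visible, exstyle, rect=(l, t, r, b), affinity (None if unreadable)
    screen: (width, height) of the primary monitor."""
    traits = []
    if win["visible"] and win["rect"] == (0, 0, screen[0], screen[1]):
        traits.append("fullscreen")
    if win["exstyle"] & WS_EX_TOPMOST:
        traits.append("topmost")
    if win["exstyle"] & WS_EX_TOOLWINDOW:          # assumption: taskbar hiding via tool-window style
        traits.append("hidden_from_taskbar")
    if win["affinity"] not in (None, WDA_NONE):
        traits.append("excluded_from_capture")
    return traits

def is_suspicious_overlay(win, screen):
    """All four traits together match the behaviour described in the report; a legitimate
    fullscreen application rarely pairs taskbar hiding with capture exclusion (assumed threshold)."""
    return len(overlay_traits(win, screen)) == 4

def find_live_overlays():
    """Enumerate top-level windows on a Windows host and return the suspicious ones."""
    if sys.platform != "win32":
        return []                                   # the pure heuristic above still works elsewhere
    from ctypes import wintypes
    u32 = ctypes.windll.user32
    screen = (u32.GetSystemMetrics(0), u32.GetSystemMetrics(1))
    found = []

    @ctypes.WINFUNCTYPE(wintypes.BOOL, wintypes.HWND, wintypes.LPARAM)
    def on_window(hwnd, _lparam):
        rect, aff = wintypes.RECT(), wintypes.DWORD()
        u32.GetWindowRect(hwnd, ctypes.byref(rect))
        ok = u32.GetWindowDisplayAffinity(hwnd, ctypes.byref(aff))   # readable from any process
        found.append({"hwnd": hwnd, "visible": bool(u32.IsWindowVisible(hwnd)),
                      "exstyle": u32.GetWindowLongW(hwnd, GWL_EXSTYLE) & 0xFFFFFFFF,
                      "rect": (rect.left, rect.top, rect.right, rect.bottom),
                      "affinity": aff.value if ok else None})
        return True

    u32.EnumWindows(on_window, 0)
    return [w for w in found if is_suspicious_overlay(w, screen)]
```

Run `find_live_overlays()` from an elevated session during live response; the returned handles can then be tied back to their owning process for further investigation.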

 

Worm Propagation

Beyond the primary banking module, TCLBANKER incorporates worm‑like functionality designed for automated propagation through the victim’s own trusted communication channels. Two distinct modules were identified: one targeting WhatsApp Web and another targeting Microsoft Outlook.

The WhatsApp Web module searches for authenticated profiles in Chromium‑based browsers such as Chrome, Edge, Brave, Opera, and Vivaldi. After locating valid sessions, the malware clones critical browser profile components—such as IndexedDB, Local Storage, cookies, and session data—allowing WhatsApp Web authentication to be restored without requiring a QR code.

It then uses Selenium WebDriver and JavaScript automation to control the browser, bypass bot‑detection mechanisms, and access the victim’s contact list. Once session takeover is complete, the malware sends mass messages to Brazilian contacts using the victim’s own account, significantly increasing campaign credibility.

The malicious payload is retrieved directly from attacker infrastructure and distributed without permanently writing files to disk, complicating detection by traditional security solutions.

The Outlook module uses COM automation to directly interact with Microsoft Outlook installed on the compromised system. The malware collects contacts from address books and recent email senders, creating lists of potential targets with a higher likelihood of engagement. Phishing messages are then sent using the victim’s legitimate email account, reducing spam‑filter blocking and improving delivery rates.

These mechanisms illustrate a major shift in the LATAM banking trojan ecosystem toward self‑propagating threats that leverage trusted channels and real authenticated sessions, making future campaigns more scalable and harder to contain.

 

Recommendations

Immediate priority should be given to containment and investigation of potential TCLBANKER infections, particularly in corporate environments with extensive use of Chromium‑based browsers, Microsoft Outlook, and WhatsApp Web.

Because the malware leverages DLL sideloading via legitimate Logitech applications, it is critical to monitor unusual executions of LogiAiPromptBuilder.exe, especially when accompanied by the loading of screen_retriever_plugin.dll from temporary directories or non‑standard application paths.

Endpoint hunting is recommended for indicators such as suspicious scheduled task creation, persistent WebSocket connections to campaign‑related domains, execution of ChromeDriver or Selenium within %TEMP% directories, and events related to UI Automation or fullscreen WPF window creation—techniques used by the malware to implement banking overlays and social engineering.

Since TCLBANKER hijacks authenticated WhatsApp Web and Outlook sessions, potentially affected users should immediately revoke active browser and email sessions, reset corporate credentials, and review recent messaging and email‑sending activity. In enterprise environments, authentication logs and account behavior should be reviewed for signs of lateral phishing propagation.

From a preventive standpoint, organizations should strengthen controls against untrusted MSI execution, restrict DLL sideloading techniques, and expand monitoring for ntdll.dll modifications, ETW tampering, and direct syscall creation—behaviors commonly associated with advanced malware. Implementing ASR rules, behavior‑based EDR protection, and phishing‑resistant MFA can significantly reduce the impact of such threats.

Finally, given that the identified infrastructure still appears to be in an early expansion phase, continuous monitoring for new campaign‑related domains is recommended—particularly pages hosted on services such as Cloudflare Workers and Cloudflare Pages—along with frequent updates to IOC blocking across firewall, proxy, and DNS controls.

 

Sources:

© 2026 ICS - Inorpel CyberSecurity