TCLBANKER Banking Trojan Targets Financial Platforms via WhatsApp and Outlook Worms

Threat hunters have flagged a previously undocumented Brazilian banking trojan dubbed TCLBANKER that’s capable of targeting 59 banking, fintech, and cryptocurrency platforms. The activity is being tracked by Elastic Security Labs under the moniker REF3076. The malware family is assessed to be a major update of the Maverick, which is known to leverage a worm called SORVEPOTEL to spread via WhatsApp Web to a victim’s contacts. The Maverick campaign is attributed to a threat cluster that Trend Micro calls Water Saci. At the core of the attack chain is a loader with robust anti-analysis capabilities that deploys two embedded modules: a full-featured banking trojan and a worm component that uses WhatsApp and Microsoft Outlook for propagation. “The observed infection chain bundles a malicious MSI installer inside a ZIP file,” security researchers Jia Yu Chan, Daniel Stepanic, Seth Goodwin, and Terrance DeJesus said. “These MSI installer packages are abusing a signed Logitech program called Logi AI Prompt Builder.” The malware leverages DLL side-loading against the application to launch a malicious DLL (“screen_retriever_plugin.dll”), which functions as a loader with a “comprehensive watchdog subsystem” that continuously keeps an eye out for analysis tools, sandboxes, debuggers, disassemblers, instrumentation tools, and antivirus software to sidestep
Read More