TCLBANKER Banking Trojan Targets Financial Platforms via WhatsApp and Outlook Worms
TL;DR Elastic Security Labs has identified TCLBANKER, a previously undocumented Brazilian banking trojan assessed as a major update to the Maverick malware family. The trojan targets 59 banking, fintech, and cryptocurrency platforms and spreads via WhatsApp Web and Microsoft Outlook worms. The attack chain uses DLL side-loading against a signed Logitech application and deploys anti-analysis mechanisms including environment-gated payload decryption and ETW telemetry disabling.
What happened
Threat hunters at Elastic Security Labs, tracking the activity under the identifier REF3076, have documented TCLBANKER, a banking trojan attributed to the Water Saci threat cluster (as named by Trend Micro). The malware is assessed to be a major update of the Maverick malware family, which previously leveraged the SORVEPOTEL worm to propagate via WhatsApp Web.
The infection chain begins with a malicious Microsoft Installer (MSI) file bundled inside a ZIP archive. The MSI package abuses a signed Logitech program called Logi AI Prompt Builder to achieve execution. The malware uses DLL side-loading to launch a malicious DLL named "screen_retriever_plugin.dll," which acts as a loader. Notably, the malicious DLL will only execute if loaded by either "logiaipromptbuilder.exe" or "tclloader.exe," a protective measure that limits execution to specific parent processes.
The loader incorporates extensive anti-analysis capabilities. It removes usermode hooks placed by endpoint security software within "ntdll.dll" by replacing the library, and it disables Event Tracing for Windows (ETW) telemetry. The malware generates fingerprints from anti-debugging checks, anti-virtualization checks, system disk information checks, and language verification, specifically confirming that the user's default system language is Brazilian Portuguese. These fingerprints are combined into an environment hash used to decrypt the embedded payload; if analysis tools or debuggers are present, the hash is wrong and the payload fails to decrypt.
Following validation that the system is running in Brazil, the trojan establishes persistence using a scheduled task and beacons to an external server with system information via HTTP POST. The malware includes a self-update mechanism and a URL monitor that uses UI Automation to extract the current URL from the foreground browser's address bar. This targets Google Chrome, Mozilla Firefox, Microsoft Edge, Brave, Opera, and Vivaldi. Extracted URLs are matched against a hard-coded list of targeted financial institutions; upon match, the trojan establishes a WebSocket connection to a remote server and enters a command dispatch loop.
The trojan's command capabilities include running shell commands, capturing screenshots, streaming screen content, manipulating the clipboard, launching keyloggers, remotely controlling mouse and keyboard, managing files and processes, enumerating running processes, and listing visible windows. To steal credentials and conduct social engineering, TCLBANKER deploys a Windows Presentation Foundation (WPF)-based full-screen overlay framework that displays credential harvesting prompts, vishing wait screens, bogus progress bars, and fake Windows Update notifications while hiding overlays from screen capture tools.
The loader also invokes a worming module for propagation. A WhatsApp Web worm hijacks authenticated browser sessions and uses the open-source project WPPConnect to automate message sending to other users, while filtering out groups, broadcasts, and non-Brazilian phone numbers. An Outlook email bot abuses the victim's installed Microsoft Outlook application to send phishing emails from the victim's email address, bypassing spam filters and imparting false legitimacy.
Why it matters
For SOC analysts and defenders in the MENA region and Brazil, TCLBANKER represents a significant step in the maturation of the Brazilian banking trojan ecosystem. According to Elastic, techniques once associated with sophisticated threat actors (environment-gated payload decryption, direct syscall generation, and real-time social engineering orchestration over WebSocket) are now embedded in commodity crimeware. This lowered barrier to entry increases the operational risk for financial institutions and their customers.
The trojan's dual propagation mechanism through WhatsApp Web and Outlook is particularly effective because it hijacks legitimate communication channels. Traditional email gateways and reputation-based defenses struggle to detect phishing messages sent from compromised user accounts, as the messages originate from trusted sender addresses. For developers and system administrators, this underscores the importance of endpoint detection and response (EDR) capabilities that can identify browser session hijacking, unauthorized Outlook module loading, and suspicious WPF overlay activity.
The targeting of 59 banking, fintech, and cryptocurrency platforms indicates a broad attack surface across the financial sector. The language and geographic checks suggest the operators are specifically interested in Brazilian victims, but the malware's modular design and command dispatch architecture allow for potential adaptation to other targets or geographic regions.
Affected systems and CVEs
- Google Chrome
- Mozilla Firefox
- Microsoft Edge
- Brave
- Opera
- Vivaldi
- WhatsApp Web
- Microsoft Outlook
- Logitech Logi AI Prompt Builder
- 59 banking, fintech, and cryptocurrency platforms (specific platforms not detailed in source)
No CVE assigned at the time of publication.
What to do
The source article does not provide specific remediation steps or mitigations. However, operators should consider:
- Monitoring for DLL side-loading attempts against signed third-party applications, particularly Logitech Logi AI Prompt Builder
- Detecting unauthorized WPF overlay creation and full-screen window activity
- Implementing browser URL extraction protections and monitoring for UI Automation abuse
- Auditing Outlook for unauthorized email sending and plugin loading
- Monitoring for ETW disabling and usermode hook removal from "ntdll.dll"
- Tracking scheduled task creation for persistence mechanisms
- Implementing language and environment checks in endpoint telemetry to identify evasion attempts
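The first and last-but-two items above (DLL side-loading against the Logitech host and scheduled task creation) can be expressed as concrete detection rules over endpoint telemetry. The following Python is an added example written for this summary, not code from Elastic Security Labs or from the original article. It runs over a few constructed Sysmon-style events (image loads and process creations) and flags the loader DLL name and the two host process names the article gives, the generic pattern of an unsigned DLL loaded from the same directory as one of those hosts, and schtasks.exe /create spawned by one of them. The event field names (event_type, image, image_loaded, signed, parent_image, command_line) are an assumed simplification of Sysmon event IDs 7 and 1, and every path and command line in the sample batch is constructed.

```python
"""Detection rules for the TCLBANKER-style DLL side-loading chain.

Added example, not from Elastic Security Labs or the original article.
Event schema is an assumed simplification of Sysmon event 7 (image load)
and event 1 (process create); sample events below are constructed.
"""
from pathlib import PureWindowsPath

# Parent processes the loader insists on, per the article.
SIDELOAD_HOSTS = {"logiaipromptbuilder.exe", "tclloader.exe"}
# Loader DLL name, per the article.
KNOWN_LOADER_DLL = "screen_retriever_plugin.dll"
# Directories where an unsigned system DLL next to the host is expected anyway.
WINDOWS_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64")


def _name(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def _dir(path: str) -> str:
    return str(PureWindowsPath(path).parent).lower()


def check_image_load(ev: dict) -> list:
    """Rules for an image-load event (Sysmon-style event 7)."""
    hits = []
    host = _name(ev["image"])
    dll = _name(ev["image_loaded"])
    if dll == KNOWN_LOADER_DLL:
        hits.append("known_tclbanker_loader_dll")
    # Generic side-loading heuristic: one of the named hosts loads an
    # unsigned DLL from its own directory, outside the Windows system dirs.
    if (host in SIDELOAD_HOSTS
            and not ev.get("signed", False)
            and _dir(ev["image_loaded"]) == _dir(ev["image"])
            and not _dir(ev["image_loaded"]).startswith(WINDOWS_DIRS)):
        hits.append("unsigned_dll_sideloaded_by_logi_host")
    return hits


def check_process_create(ev: dict) -> list:
    """Rules for a process-creation event (Sysmon-style event 1)."""
    hits = []
    if _name(ev.get("parent_image", "")) in SIDELOAD_HOSTS:
        cmd = ev.get("command_line", "").lower()
        if _name(ev["image"]) == "schtasks.exe" and "/create" in cmd:
            hits.append("scheduled_task_from_sideload_host")
    return hits


def detect(events) -> list:
    """Return (event_id, rule_name) pairs for every alert in a telemetry batch."""
    alerts = []
    for ev in events:
        if ev["event_type"] == "image_load":
            rules = check_image_load(ev)
        elif ev["event_type"] == "process_create":
            rules = check_process_create(ev)
        else:
            rules = []
        alerts.extend((ev["id"], r) for r in rules)
    return alerts


# Constructed sample telemetry: a benign system DLL load, the side-loading
# chain, persistence via schtasks, and a benign schtasks query.
SAMPLE_EVENTS = [
    {"id": 1, "event_type": "image_load",
     "image": r"C:\Program Files\Logi\logiaipromptbuilder.exe",
     "image_loaded": r"C:\Windows\System32\kernel32.dll", "signed": True},
    {"id": 2, "event_type": "image_load",
     "image": r"C:\Users\victim\AppData\Local\Temp\pkg\logiaipromptbuilder.exe",
     "image_loaded": r"C:\Users\victim\AppData\Local\Temp\pkg\screen_retriever_plugin.dll",
     "signed": False},
    {"id": 3, "event_type": "process_create",
     "image": r"C:\Windows\System32\schtasks.exe",
     "parent_image": r"C:\Users\victim\AppData\Local\Temp\pkg\logiaipromptbuilder.exe",
     "command_line": r'schtasks.exe /Create /SC ONLOGON /TN "Updater" /TR "C:\Users\victim\AppData\Local\Temp\pkg\start.exe"'},
    {"id": 4, "event_type": "process_create",
     "image": r"C:\Windows\System32\schtasks.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": "schtasks.exe /Query"},
]

if __name__ == "__main__":
    for event_id, rule in detect(SAMPLE_EVENTS):
        print(f"event {event_id}: {rule}")
```

Run as a script it prints three alerts, all on events 2 and 3; the benign kernel32.dll load and the explorer-spawned schtasks query produce nothing. The same-directory plus unsigned test is the part worth keeping after the indicator names go stale, because it describes the side-loading pattern rather than this sample.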
Open questions
- No CVE identifiers have been assigned to TCLBANKER or its components.
- No specific infection dates or campaign timeline has been disclosed.
- The total number of compromised systems is not reported.
- The source does not specify which 59 financial platforms are targeted.
- No patch or remediation timeline from affected vendors (Logitech, browser vendors, Microsoft) has been mentioned.
- The identities and operational motivations of Water Saci operators remain undisclosed.
- Geographic distribution of active infections beyond Brazil is not detailed.
Source
TCLBANKER Banking Trojan Targets Financial Platforms via WhatsApp and Outlook Worms