Title: The Evasive Threat of the TCLBANKER Banking Trojan
Researchers have documented a Brazilian banking trojan, tracked as TCLBANKER, that reaches victims through a trojanized Logitech installer. Once running, it can take over the victim's WhatsApp Web and Outlook sessions and use them to send the installer on to further victims, so each infection seeds the next.
The campaign, tracked as REF3076, delivers TCLBANKER as a malicious MSI installer packed inside a ZIP archive. The installer abuses a legitimately signed Logitech application, Logi AI Prompt Builder, through DLL sideloading: a malicious DLL named screen_retriever_plugin.dll is placed where the application looks for a plugin, so the signed host process loads and executes it automatically at start-up. The DLL then decrypts and runs two embedded payloads, one containing the full banking trojan module and the other a worm component used for self-propagation.
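The sideloading shape described above (a signed host executable loading an unsigned DLL from its own directory under a user-writable path) is straightforward to hunt for in Sysmon Event ID 7 (ImageLoaded) telemetry. The following is an added example, not code from the report or from Logitech: the four events are constructed, and the host executable name logi_ai_prompt_builder.exe, the plugins subdirectory and LogiAI_Core.dll are assumed file names used only to illustrate the layout.

```python
"""Detection logic for DLL sideloading, run over constructed Sysmon Event ID 7
(ImageLoaded) records. Field names follow Sysmon's schema; the values are made up."""
from pathlib import PureWindowsPath

# Roots an unprivileged user can write to. A DLL that a host executable loads from
# the host's own directory tree under one of these is the classic sideloading shape.
USER_WRITABLE_MARKERS = (
    "\\appdata\\local\\temp\\",
    "\\appdata\\local\\",
    "\\appdata\\roaming\\",
    "\\downloads\\",
    "\\users\\public\\",
)
# DLL name given in the report; a name hit is a strong indicator on its own.
KNOWN_SIDELOAD_NAMES = {"screen_retriever_plugin.dll"}

# Constructed sample events (not real telemetry). Sysmon Event 7 carries signer
# information for the loaded image only, so the host's own signature is not checked.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\ana\AppData\Local\Temp\LogiAI\logi_ai_prompt_builder.exe",
     "ImageLoaded": r"C:\Windows\System32\ntdll.dll",
     "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    {"Image": r"C:\Users\ana\AppData\Local\Temp\LogiAI\logi_ai_prompt_builder.exe",
     "ImageLoaded": r"C:\Users\ana\AppData\Local\Temp\LogiAI\plugins\screen_retriever_plugin.dll",
     "Signed": "false", "Signature": "", "SignatureStatus": "Unsigned"},
    {"Image": r"C:\Program Files\Vendor\app.exe",          # admin-installed, unsigned helper: low signal
     "ImageLoaded": r"C:\Program Files\Vendor\helper.dll",
     "Signed": "false", "Signature": "", "SignatureStatus": "Unsigned"},
    {"Image": r"C:\Users\ana\AppData\Local\Temp\LogiAI\logi_ai_prompt_builder.exe",
     "ImageLoaded": r"C:\Users\ana\AppData\Local\Temp\LogiAI\LogiAI_Core.dll",
     "Signed": "true", "Signature": "Logitech Inc", "SignatureStatus": "Valid"},
]


def loaded_from_host_tree(host: str, dll: str) -> bool:
    """True when the DLL sits in the host executable's directory or below it."""
    host_dir = PureWindowsPath(host.lower()).parent
    return host_dir in PureWindowsPath(dll.lower()).parents


def in_user_writable_dir(path: str) -> bool:
    return any(marker in path.lower() for marker in USER_WRITABLE_MARKERS)


def find_sideloads(events):
    """Return the events that look like sideloads, each with the reasons it matched."""
    hits = []
    for ev in events:
        dll = ev["ImageLoaded"]
        reasons = []
        validly_signed = (ev.get("Signed", "false").lower() == "true"
                          and ev.get("SignatureStatus") == "Valid")
        if (not validly_signed
                and loaded_from_host_tree(ev["Image"], dll)
                and in_user_writable_dir(dll)):
            reasons.append("unsigned DLL loaded from host directory under user-writable path")
        if PureWindowsPath(dll).name.lower() in KNOWN_SIDELOAD_NAMES:
            reasons.append("known sideload DLL name")
        if reasons:
            hits.append({"host": ev["Image"], "dll": dll, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in find_sideloads(SAMPLE_EVENTS):
        print(hit["dll"], "->", "; ".join(hit["reasons"]))
```

Only the screen_retriever_plugin.dll load is flagged: the system DLL is outside the host's tree, the vendor helper lives under Program Files where an ordinary user cannot drop files, and the Logitech-signed DLL carries a valid signature. In a real deployment the structural rule matters more than the name, because the name is the one thing the operators can change for free.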
TCLBANKER's stealth mechanisms raise the bar for analysis. Payload decryption is environment-keyed: the loader builds a fingerprint from anti-debugging checks, hardware characteristics and language settings, and derives the decryption key from it. On a machine that looks like a sandbox or an analyst's workstation the derived key is wrong, the payload does not decrypt, and the process exits silently. Because no decrypted stage is ever produced outside the intended environment, an automated sandbox has nothing to observe.
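Environment-keyed decryption works as shown below. This is an added example reconstructed from the behaviour described in the text, not the sample's code: the fingerprint fields, the SHA-256 counter-mode keystream and the HMAC tag are this example's choices, standing in for whatever cipher and fingerprint layout the real loader uses, and the two environments are constructed.

```python
"""Environment-keyed payload decryption: the key exists only on a machine that
matches the fingerprint the builder sealed against."""
import hashlib
import hmac

TAG_LEN = 32
FINGERPRINT_FIELDS = ("cpu_vendor", "ram_gb", "ui_language", "debugger_present")


def fingerprint(env: dict) -> bytes:
    """Derive the key from the environment. Every fingerprinted field is mixed in,
    so one mismatch (debugger attached, other UI language, sandbox-sized RAM)
    yields an unrelated key rather than a slightly wrong one."""
    material = "|".join(f"{k}={env[k]}" for k in FINGERPRINT_FIELDS).encode()
    return hashlib.sha256(b"example-salt|" + material).digest()  # salt is an assumption


def _keystream(key: bytes, n: int) -> bytes:
    """Toy counter-mode keystream from SHA-256; a real loader would use a cipher."""
    out = bytearray()
    for block in range((n + 31) // 32):
        out += hashlib.sha256(key + block.to_bytes(4, "big")).digest()
    return bytes(out[:n])


def seal(payload: bytes, target_env: dict) -> bytes:
    """Builder side: encrypt under the intended victim's key and append a MAC so the
    loader can distinguish 'wrong environment' from a corrupt blob."""
    key = fingerprint(target_env)
    ct = bytes(p ^ k for p, k in zip(payload, _keystream(key, len(payload))))
    return ct + hmac.new(key, ct, hashlib.sha256).digest()


def unseal(blob: bytes, observed_env: dict):
    """Loader side: the payload, or None when the key derived from the current
    environment does not verify. None is the silent-exit branch."""
    key = fingerprint(observed_env)
    ct, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(hmac.new(key, ct, hashlib.sha256).digest(), tag):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, len(ct))))


def run_stage(blob: bytes, env: dict) -> str:
    payload = unseal(blob, env)
    if payload is None:
        return "exit-silently"          # no decrypted code ever exists in memory
    return "run:" + payload.decode()


# Constructed environments and a placeholder second stage.
VICTIM_ENV = {"cpu_vendor": "GenuineIntel", "ram_gb": 16,
              "ui_language": "pt-BR", "debugger_present": False}
SANDBOX_ENV = {"cpu_vendor": "GenuineIntel", "ram_gb": 2,
               "ui_language": "en-US", "debugger_present": False}
DEBUGGED_VICTIM_ENV = dict(VICTIM_ENV, debugger_present=True)
STAGE2 = b"<banking module bytes>"
BLOB = seal(STAGE2, VICTIM_ENV)

if __name__ == "__main__":
    print("victim:  ", run_stage(BLOB, VICTIM_ENV))
    print("sandbox: ", run_stage(BLOB, SANDBOX_ENV))
    print("debugger:", run_stage(BLOB, DEBUGGED_VICTIM_ENV))
```

The practical consequence for an analyst is that attaching a debugger before the decryption routine runs changes the key, so the stage never appears. The usual ways around it are to make the analysis VM match the fingerprint (here: Portuguese UI language, realistic hardware, no debugger at the moment of derivation), to break after the fingerprint is computed and dump the key, or, when the fingerprint space is small, to enumerate candidate environments offline against the MAC.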
TCLBANKER also blinds user-mode ETW telemetry by patching the entry of EtwEventWrite in ntdll, so ETW providers inside the process emit no events to the security tooling that depends on them. Throughout its lifetime it runs a watchdog that scans for analysis tools such as x64dbg, Ghidra and Process Hacker; if one appears, the trojan terminates immediately so that its activity is never captured.
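A defender or analyst can test for that ETW patch from inside a process by reading the first bytes of ntdll!EtwEventWrite and comparing them against the stubs that such patches install. The following is an added example, not code from the report: the byte strings in SAMPLES are constructed stand-ins for function prologues rather than bytes copied from any real ntdll, and the live read uses ctypes and only works on Windows.

```python
"""Classify the prologue of EtwEventWrite as intact, patched to a no-op, or hooked."""
import sys

# In-memory patches commonly used to turn EtwEventWrite into a no-op.
RET_STUBS = (
    b"\xc3",                        # ret
    b"\x33\xc0\xc3",                # xor eax, eax ; ret
    b"\x31\xc0\xc3",                # xor eax, eax ; ret (alternate encoding)
    b"\x48\x33\xc0\xc3",            # xor rax, rax ; ret
    b"\xb8\x00\x00\x00\x00\xc3",    # mov eax, 0 ; ret
)
# Detours that redirect the call elsewhere.
DETOUR_OPCODES = (b"\xe9", b"\xeb", b"\xff\x25")   # jmp rel32, jmp rel8, jmp [rip+disp32]


def classify_prologue(prologue: bytes) -> str:
    if any(prologue.startswith(stub) for stub in RET_STUBS):
        return "patched"
    if any(prologue.startswith(op) for op in DETOUR_OPCODES):
        return "hooked"
    # mov rax, imm64 ; jmp rax (10-byte mov followed by ff e0)
    if prologue.startswith(b"\x48\xb8") and prologue[10:12] == b"\xff\xe0":
        return "hooked"
    return "intact"


def read_live_prologue(n: int = 16) -> bytes:
    """First n bytes of ntdll!EtwEventWrite in this process (Windows only)."""
    if sys.platform != "win32":
        raise OSError("live check requires Windows")
    import ctypes
    func = ctypes.WinDLL("ntdll").EtwEventWrite
    addr = ctypes.cast(func, ctypes.c_void_p).value
    return ctypes.string_at(addr, n)


# Constructed samples (not bytes taken from a real ntdll).
SAMPLES = {
    "clean":  b"\x48\x89\x5c\x24\x08\x48\x89\x6c\x24\x10",   # mov [rsp+8], rbx ; ...
    "ret":    b"\xc3\x90\x90\x90",
    "xor":    b"\x33\xc0\xc3\x90",
    "detour": b"\xe9\x10\x20\x30\x00",
}

if __name__ == "__main__":
    for name, prologue in SAMPLES.items():
        print(f"{name:7s} {classify_prologue(prologue)}")
    if sys.platform == "win32":
        print("live EtwEventWrite:", classify_prologue(read_live_prologue()))
```

Opcode patterns are a quick triage, not a verdict: the robust check compares the in-memory bytes against the same function in the ntdll image on disk, which catches patches that do not use one of the stubs above and does not misfire if a given Windows build legitimately begins the function with a jump.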
The banking module targets Brazilian victims specifically. Its geofence requires at least two independent indicators to point to Brazil before the module activates, drawing on the region code, time zone, locale settings and keyboard layout. Once the gate is passed, the malware monitors the active address bar of Chrome, Firefox, Edge and other browsers: every second it compares the current URL with an encrypted list of 59 Brazilian banking, fintech and cryptocurrency domains. On a match it opens a WebSocket channel to its operators, giving them interactive remote control of the compromised session.
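The two-stage activation gate, reconstructed from the description above as an added example (not the trojan's code): a geofence that needs at least two Brazil indicators, then a per-second check of the active URL against the target list. The indicator tables are illustrative and partial, the target domains are placeholders because the real list of 59 is encrypted inside the sample and not reproduced on this page, and the two environments are constructed. The domain match also shows the right way to test a host against a target list, since a naive substring check would match look-alike domains.

```python
"""Geofence plus URL-match gate that precedes the WebSocket/overlay stage."""
from urllib.parse import urlsplit

BRAZIL_REGION = "BR"
# Windows and IANA zone names for Brazil; illustrative subset.
BRAZIL_TIMEZONES = {"E. South America Standard Time", "America/Sao_Paulo",
                    "America/Manaus", "America/Fortaleza", "America/Recife"}
# Windows keyboard layout IDs: Portuguese (Brazil ABNT) and Portuguese (Brazil ABNT2).
BRAZIL_KEYBOARDS = {"00000416", "00010416"}
GEOFENCE_MIN_MATCHES = 2


def geofence_matches(env: dict) -> int:
    """Number of indicators that point to Brazil."""
    checks = (
        env.get("region") == BRAZIL_REGION,
        env.get("timezone") in BRAZIL_TIMEZONES,
        env.get("locale", "").replace("_", "-").lower() == "pt-br",
        env.get("keyboard_layout") in BRAZIL_KEYBOARDS,
    )
    return sum(checks)


def geofence_passes(env: dict) -> bool:
    return geofence_matches(env) >= GEOFENCE_MIN_MATCHES


# Placeholder targets (constructed); the real list holds Brazilian bank, fintech
# and cryptocurrency domains.
TARGET_DOMAINS = ("banco-exemplo.com.br", "fintech-exemplo.com.br", "cripto-exemplo.com")


def matched_target(url: str, targets=TARGET_DOMAINS):
    """The target domain the URL belongs to, or None. Matches the host exactly or
    as a subdomain, so 'app.banco-exemplo.com.br' matches while
    'banco-exemplo.com.br.evil.example' and 'banco-exemplo.com.br@evil.example'
    do not (the latter parses to host 'evil.example')."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    for domain in targets:
        if host == domain or host.endswith("." + domain):
            return domain
    return None


def should_activate(env: dict, active_url: str) -> bool:
    """Evaluated on the one-second timer: the remote-control channel is opened only
    when the machine looks Brazilian and a target site is in the address bar."""
    return geofence_passes(env) and matched_target(active_url) is not None


# Constructed environments.
BR_ENV = {"region": "BR", "timezone": "America/Sao_Paulo",
          "locale": "pt-BR", "keyboard_layout": "00000416"}
SANDBOX_ENV = {"region": "US", "timezone": "UTC",
               "locale": "pt-BR", "keyboard_layout": "00000409"}

if __name__ == "__main__":
    for env in (BR_ENV, SANDBOX_ENV):
        print(geofence_matches(env), "matches ->", geofence_passes(env))
    for url in ("https://app.banco-exemplo.com.br/login",
                "https://banco-exemplo.com.br.evil.example/",
                "https://www.example.org/"):
        print(url, "->", matched_target(url))
```

The sandbox environment above fails the gate with a single indicator (locale alone), which is exactly the point of the two-of-four rule: a detonation box that only sets the locale to Portuguese will never see the banking module act. An analysis VM needs at least two of the four signals aligned with Brazil, and a target URL in the foreground browser, before the WebSocket stage can be observed.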
The most alarming feature is a full-screen overlay. It creates a borderless window spanning all of the victim's displays and blocks interaction with every other application until the operator releases it. The overlay is excluded from common screen-capture methods, so a screenshot taken to ask for help does not show it. It also carries UI modules for credential harvesting: prompts dressed up as Brazilian phone-number verification, fake Windows Update progress screens, and vishing wait screens that keep the victim occupied on the phone while an operator works the hijacked session.
The second payload, identified as Tcl.WppBot, is a spam worm with two channels, WhatsApp and Outlook. For WhatsApp, it scans installed Chromium-based browsers for profiles holding an active WhatsApp Web session, which it recognises from the site's LevelDB/IndexedDB storage under the profile. It then clones the profile into a temporary directory, launches a headless Chromium instance against the copy, and injects scripts that harvest the contact list and send phishing messages carrying the TCLBANKER installer to all of the victim's Brazilian contacts. Because the messages go out from a hidden, headless copy of the session, nothing changes in the victim's visible browser.
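Three indicators fall out of that description: which Chromium profiles on a machine hold a WhatsApp Web session, whether a copy of such a profile has appeared under a temp directory, and a headless browser launched against a temp profile. The following is an added example, not Tcl.WppBot's code: the IndexedDB directory name follows Chromium's per-origin naming convention, the directory tree built by demo() is constructed inside a temporary folder, and the two command lines are made-up samples.

```python
"""Indicators of a cloned WhatsApp Web session: profile discovery, clones under a
temp root, and headless launches against a temp user-data directory."""
import re
import tempfile
from pathlib import Path

# Chromium stores the web.whatsapp.com IndexedDB (LevelDB-backed) under each
# profile in a directory named after the origin.
WA_IDB_DIR = "https_web.whatsapp.com_0.indexeddb.leveldb"
USER_DATA_DIR_RE = re.compile(r'--user-data-dir=(?:"([^"]+)"|(\S+))')


def find_whatsapp_profiles(root):
    """Profile directories under root that contain WhatsApp Web IndexedDB storage."""
    return sorted(p.parent.parent for p in Path(root).rglob(WA_IDB_DIR) if p.is_dir())


def clones_under(profiles, temp_root):
    """Profiles that live below temp_root, which is where the worm's copy lands."""
    temp_root = Path(temp_root).resolve()
    return [p for p in profiles if temp_root in p.resolve().parents]


def _norm(path: str) -> str:
    return path.lower().replace("/", "\\").rstrip("\\")


def is_headless_temp_profile_launch(cmdline: str, temp_root) -> bool:
    """A Chromium launch with --headless whose --user-data-dir is under temp_root."""
    if not any(tok.startswith("--headless") for tok in cmdline.split()):
        return False
    m = USER_DATA_DIR_RE.search(cmdline)
    if not m:
        return False
    user_data_dir = _norm(m.group(1) or m.group(2))
    return user_data_dir.startswith(_norm(str(temp_root)) + "\\")


def demo():
    """Build a constructed tree: the user's real profile plus a clone under Temp.
    Returns (profiles found, clones found, name of the first clone)."""
    with tempfile.TemporaryDirectory() as td:
        base = Path(td)
        real = base / "AppData/Local/Google/Chrome/User Data/Default"
        temp = base / "AppData/Local/Temp"
        clone = temp / "wpp_clone/Default"
        for profile in (real, clone):
            leveldb = profile / "IndexedDB" / WA_IDB_DIR
            leveldb.mkdir(parents=True)
            (leveldb / "000003.log").write_bytes(b"")
        profiles = find_whatsapp_profiles(base)
        clones = clones_under(profiles, temp)
        return len(profiles), len(clones), clones[0].name if clones else None


# Constructed command lines (not captured telemetry).
TEMP_ROOT = r"C:\Users\ana\AppData\Local\Temp"
SUSPICIOUS_CMDLINE = (r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --headless=new '
                      r'--user-data-dir="C:\Users\ana\AppData\Local\Temp\wpp_clone" '
                      r'https://web.whatsapp.com/')
BENIGN_CMDLINE = (r'"C:\Program Files\Google\Chrome\Application\chrome.exe" '
                  r'--user-data-dir="C:\Users\ana\AppData\Local\Google\Chrome\User Data"')

if __name__ == "__main__":
    print("profiles, clones, first clone:", demo())
    print("suspicious:", is_headless_temp_profile_launch(SUSPICIOUS_CMDLINE, TEMP_ROOT))
    print("benign:    ", is_headless_temp_profile_launch(BENIGN_CMDLINE, TEMP_ROOT))
```

A WhatsApp Web profile under a temp directory is a pivot rather than a verdict (a portable browser can put one there too), but combined with a headless launch against that directory, spawned by a process that is not the browser itself, it is a precise match for the behaviour the report describes. Logging a user out of WhatsApp Web and re-linking the phone invalidates the cloned session.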
The Outlook channel connects to the victim's Microsoft Outlook through COM interop, collects email contacts and sends phishing emails from the victim's own account. The messages, titled "NFe disponível para impressão" (electronic invoice available for printing), lead recipients to a fraudulent domain that imitates a legitimate Brazilian ERP platform. Because they come from an established account and go to known correspondents, reputation-based email filtering is less likely to block them.
The command-and-control (C2) infrastructure is organised under a single Cloudflare Workers account, which lets the operators rotate endpoints quickly and makes takedown harder. Investigators also found development artifacts, including debug logs and unfinished phishing sites, suggesting that REF3076 is still at an early stage and that its scope may grow.
Overlapping infrastructure and code patterns link TCLBANKER to the earlier MAVERICK/SORVEPOTEL malware families, indicating that it builds on an existing lineage rather than starting from scratch and illustrating how Brazilian banking malware keeps gaining in complexity and sophistication.
As analysis of TCLBANKER continues, the practical takeaway is clear: defenders should watch for the techniques it combines, namely signed binaries loading unsigned DLLs from user-writable paths, processes that tamper with ETW, hidden headless browser instances running against copied profiles, and messages sent from a user's own WhatsApp or Outlook account, and should treat unexpected invoice notices and WhatsApp attachments, even from known contacts, with suspicion.

