TCLBANKER: the banking threat that steals credentials through WhatsApp and Outlook using fake screens and advanced evasion


A new actor in the long saga of Brazilian banking malware again shows that advanced techniques are no longer confined to sophisticated groups: researchers have identified TCLBANKER, a Trojan family that Elastic Security Labs tracks as REF3076 and that represents a significant evolution of the older Maverick and its SORVEPOTEL worm component. What matters is not only the ability to steal credentials or remotely control machines, but the combination of technical evasion, persistence backdoors and a distribution model that exploits the trust placed in legitimate communications.

In practice, the attack begins with an MSI installer packed in a ZIP that bundles a legitimately signed Logitech binary, which is abused for DLL side-loading. The malicious DLL acts as a loader with a surveillance layer that detects analysers, sandboxes and debuggers, removes security hooks from ntdll.dll and disables ETW telemetry to hinder forensic analysis. In addition, the code collects several "fingerprints" of the environment (anti-virtualization checks, disk information and system language settings) that are used to derive the payload's decryption keys only if the machine meets the requirements, in particular that the default language is Brazilian Portuguese.

Image generated with AI.

The main component implements techniques already seen in more mature campaigns: a banking Trojan that monitors the URLs visible in the browser via UI Automation, establishes WebSocket connections to receive commands in real time and deploys WPF-based full-screen overlays to impersonate legitimate windows and capture credentials. These overlays are designed to defeat screen-capture tools and combine real-time viewing with phishing tactics, which raises the risk of fraud even where traditional antivirus solutions are in place.

In parallel, the loader activates a worm module that propagates the infection through two vectors: it hijacks WhatsApp Web sessions to send messages to selected contacts (filtering out groups and numbers outside Brazil, and reusing frameworks such as WPPConnect to automate sending) and abuses the Microsoft Outlook installation on the victim's machine to send phishing emails from the user's legitimate address. The result is highly effective dissemination that exploits trust in personal and corporate communications.

The implications are clear: defenses based solely on sender reputation or static signatures are no longer enough. A message sent from the victim's own Outlook or from their authenticated WhatsApp session can evade filters and trigger a wave of infections among trusted contacts. In addition, gating execution by language and environment reduces visibility for global researchers and concentrates the damage on lucrative targets such as banks and fintech platforms in Brazil.

For end users the immediate recommendation is caution: do not run MSI packages or installers received by mail or messaging without verifying the source, close WhatsApp Web sessions when not in use and enable two-step verification wherever possible. For organizations, the response should be multidimensional: strengthen application control and allowlisting, monitor the creation of scheduled tasks and abnormal activity by third-party-signed processes that load unusual libraries, and tune EDR rules to detect the offensive behaviours described (ETW deactivation, tampering with ntdll.dll, use of UI Automation to read address bars, persistent WebSocket connections to suspicious domains).

Image generated with AI.

It is also critical to harden the mail environment: enforce strong authentication (MFA) on accounts, apply restrictive sending policies and monitor unusual sending patterns from internal accounts that might indicate abuse by a local spambot. Training users to recognize overlays and vishing cues increases their resilience against fake screens and messages that imitate support or update prompts.

Collective defenses also matter: response teams and SOCs should share indicators and hunt for specific signals such as processes named logiaipropptbuilder.exe, scheduled tasks with unusual names, processes that interact heavily with the user interface and outbound WebSocket traffic to newly created infrastructure. To better understand the tooling this malware reuses, see the WPPConnect project on GitHub (https://github.com/wppconnect-team/wppconnect); to understand how telemetry and tracing in Windows can be disabled and how to mitigate it, review Microsoft's Event Tracing for Windows (ETW) documentation (https://learn.microsoft.com/en-us/windows/win32/etw/about-event-tracing). For the human side of the deception, OWASP's social engineering resources are a useful educational reference (https://owasp.org/www-community/Social_Engineering).
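A minimal triage of the hunting signals listed above (the named process, a signed binary side-loading an unsigned DLL, scheduled tasks created by untrusted processes, WebSocket traffic to young domains), run over constructed sample events. This is an added example, not Elastic's or the article's own detection logic; the event schema (type, image, signed, dll_signed, domain_age_days) is an assumption standing in for EDR telemetry, and every path, task name and domain is invented.

```python
import ntpath

# Constructed sample telemetry (not real EDR output): one infected host and one
# benign system process. The field names are an assumption for the demo.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Users\ana\AppData\Local\Temp\logiaipropptbuilder.exe",
     "signed": True},
    {"type": "image_load", "process": r"C:\Users\ana\AppData\Local\Temp\logiaipropptbuilder.exe",
     "process_signed": True, "dll": r"C:\Users\ana\AppData\Local\Temp\version.dll", "dll_signed": False},
    {"type": "task_create", "process": r"C:\Users\ana\AppData\Local\Temp\logiaipropptbuilder.exe",
     "task_name": "Xk9qP2"},
    {"type": "network", "process": r"C:\Users\ana\AppData\Local\Temp\logiaipropptbuilder.exe",
     "dest": "wss://update-0x9.example", "domain_age_days": 3},
    {"type": "process", "image": r"C:\Windows\System32\svchost.exe", "signed": True},
    {"type": "task_create", "process": r"C:\Windows\System32\svchost.exe",
     "task_name": "MicrosoftEdgeUpdateTaskMachineCore"},
]

NAMED_PROCESSES = {"logiaipropptbuilder.exe"}      # process name reported in the article
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\")
SYSTEM_DIRS = ("c:\\windows\\", "c:\\program files")

def in_user_dir(path):
    return any(marker in path.lower() for marker in USER_WRITABLE)

def detect(events):
    """Return (rule, detail) pairs for events matching the hunting signals above."""
    hits = []
    for e in events:
        kind = e["type"]
        if kind == "process":
            if ntpath.basename(e["image"]).lower() in NAMED_PROCESSES:
                hits.append(("named_loader_process", e["image"]))
            elif e["signed"] and in_user_dir(e["image"]):
                # a vendor-signed binary running from a user-writable directory
                hits.append(("signed_binary_in_user_dir", e["image"]))
        elif kind == "image_load":
            # side-loading pattern: signed host loads an unsigned DLL from its own directory
            same_dir = ntpath.dirname(e["process"]).lower() == ntpath.dirname(e["dll"]).lower()
            if e["process_signed"] and not e["dll_signed"] and same_dir and in_user_dir(e["dll"]):
                hits.append(("dll_sideload", e["dll"]))
        elif kind == "task_create":
            # scheduled task registered by something outside the OS or Program Files trees
            if not e["process"].lower().startswith(SYSTEM_DIRS):
                hits.append(("task_from_untrusted_process", e["task_name"]))
        elif kind == "network":
            # WebSocket channel to recently registered infrastructure (domain_age_days is assumed enrichment)
            if e["dest"].startswith("wss://") and e.get("domain_age_days", 9999) < 30:
                hits.append(("websocket_to_new_domain", e["dest"]))
    return hits
```

Running `detect(SAMPLE_EVENTS)` yields four hits, all tied to the process in the Temp directory, while the svchost.exe events stay silent; in production the age and signer fields would come from the EDR or a domain-intelligence enrichment rather than from the event itself.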

In short, TCLBANKER demonstrates the maturity and commoditization of capabilities that were once the hallmark of higher-tier actors: environment-conditioned encryption, advanced evasion and a propagation model that monetizes interpersonal trust. The response must combine technology, processes and education so that the combination of authenticated sessions, messaging apps and mail clients does not become the channel that spreads the next wave of banking fraud.
