TCLBanker: the banking Trojan that spreads as a worm through WhatsApp Web and Outlook

Published · 4 min read

Elastic Security Labs researchers have reported a new banking Trojan, named TCLBanker, which is distributed through a crafted MSI installer that masquerades as the tool "Logitech AI Prompt Builder." Rather than relying on a crude dropper, the malware abuses the legitimate execution of a vulnerable application to load its malicious code via DLL side-loading, a technique that lets it run within the context of a trusted process and evade many conventional detections.

Beyond the classic capabilities of a banking trojan (credential capture through graphical overlays built with WPF, keylogging, clipboard theft, and remote screen and mouse control), TCLBanker includes propagation modules that turn it into a worm: it abuses active WhatsApp Web sessions found in Chromium profiles to hijack the account and send spam messages to contacts filtered by phone-number format, and it drives Microsoft Outlook through COM automation to send phishing emails from the victim's own mailbox. These capabilities let the campaign spread rapidly across contact networks.


The operators obtain a broad feature set on the compromised machine, from live screen streaming to remote command execution and window manipulation used to display fake forms (for example, PIN pads or "bank support" screens) carefully designed to deceive the user. To hinder analysis, the Trojan uses environment-dependent decryption routines and a watchdog thread that looks for reverse-engineering tools and frameworks, which makes it harder to study in sandboxes and forensic environments.

The initial scope reported by Elastic covers 59 financial and cryptocurrency platforms, with a current focus on Brazil (the malware checks the time zone, keyboard layout and locale). However, the history of Latin American malware families shows that authors frequently expand their target lists over time, so regional or international expansion is a real risk. The use of seemingly legitimate installers and automated phishing delivery makes TCLBanker an example of how increasingly accessible, modular tooling raises the danger posed even by less sophisticated attackers.

For users and administrators, the first line of defence is preventive: do not install software from unverified sources, and always download from the vendor's official site. Verifying the installer's digital signature, checking its hash against the one published by the manufacturer, and avoiding MSI files of doubtful origin all reduce the probability of initial execution. In corporate environments, application control policies such as AppLocker or other allowlisting systems block or slow the execution of unauthorized binaries.

Protecting critical accounts with phishing-resistant multifactor authentication (for example, FIDO2 tokens or physical security keys) limits the damage even if credentials are captured. For WhatsApp, enable two-step verification in the app and sign out of active browser sessions when they are not in use; for email, enable MFA, review the SPF, DKIM and DMARC configuration, and restrict unnecessary Outlook automation through group policy.

From an operational and detection standpoint, monitor anomalous behaviour rather than relying on signatures alone: legitimate processes loading DLLs from unusual paths, hidden Chromium instances interacting with IndexedDB, processes that terminate Task Manager, unusual WebSocket connections, or WPF windows that request credentials outside the usual channels. Organizations should deploy EDR with child-process visibility and rules that alert on COM automation launching Outlook with unusual parameters.
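As an added example (not code from this page or from the Elastic report), the following Python script applies three of those behavioural checks to constructed Sysmon-style events: an unsigned DLL loaded from a user-writable directory, OUTLOOK.EXE started for COM automation by an unexpected parent, and taskkill aimed at Task Manager. The log lines, the "PromptBuilder" drop path, the list of expected Outlook parents, and the use of the `-Embedding` switch as the COM-activation marker are all assumptions made for this example and should be tuned against real telemetry.

```python
"""Behaviour-based triage of Sysmon-style events for the patterns described above.
Added example; field names follow Sysmon (EventID 7 = ImageLoad, EventID 1 =
ProcessCreate), but every log line below is constructed, not real telemetry."""
import json
from pathlib import PureWindowsPath

# Directories where a dropped, attacker-controlled DLL is typically staged.
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
# Parents from which a legitimate Outlook start is expected (assumption; tune per estate).
EXPECTED_OUTLOOK_PARENTS = {"explorer.exe", "svchost.exe", "winword.exe", "excel.exe"}


def _name(path):
    return PureWindowsPath(path).name.lower()


def _under(path, prefixes):
    return path.lower().startswith(prefixes)  # str.startswith accepts a tuple


def rule_sideload(ev):
    """ImageLoad: an unsigned DLL from a user-writable directory. Side-loading drops
    the DLL next to a legitimate (often signed) executable, so the hosting image's
    own signature status is not a useful filter here."""
    if ev.get("EventID") != 7:
        return None
    if ev.get("Signed", "true").lower() == "false" and _under(ev["ImageLoaded"], USER_WRITABLE):
        return f"unsigned DLL {ev['ImageLoaded']} loaded by {_name(ev['Image'])}"
    return None


def rule_outlook_automation(ev):
    """ProcessCreate: OUTLOOK.EXE started for COM automation by an unexpected parent.
    Assumption: the '-Embedding' switch on the command line marks a COM server start."""
    if ev.get("EventID") != 1 or _name(ev["Image"]) != "outlook.exe":
        return None
    cmd = ev.get("CommandLine", "").lower()
    parent = _name(ev.get("ParentImage", ""))
    if "embedding" in cmd and parent not in EXPECTED_OUTLOOK_PARENTS:
        return f"Outlook COM-started by {parent}: {ev['CommandLine']}"
    return None


def rule_taskmgr_kill(ev):
    """ProcessCreate: taskkill used against Task Manager."""
    if ev.get("EventID") != 1 or _name(ev["Image"]) != "taskkill.exe":
        return None
    if "taskmgr" in ev.get("CommandLine", "").lower():
        return f"Task Manager killed by {_name(ev.get('ParentImage', ''))}"
    return None


RULES = (rule_sideload, rule_outlook_automation, rule_taskmgr_kill)


def scan(lines):
    """Return alert strings for JSON-per-line events; malformed lines are skipped."""
    alerts = []
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        for rule in RULES:
            hit = rule(ev)
            if hit:
                alerts.append(hit)
    return alerts


# Constructed sample telemetry (not real events). The 'PromptBuilder' paths are a
# hypothetical stand-in for a lure installer's drop directory.
SAMPLE_EVENTS = [
    json.dumps({"EventID": 7, "Image": "C:\\Users\\alice\\AppData\\Local\\PromptBuilder\\PromptBuilder.exe",
                "ImageLoaded": "C:\\Users\\alice\\AppData\\Local\\PromptBuilder\\version.dll", "Signed": "false"}),
    json.dumps({"EventID": 7, "Image": "C:\\Program Files\\Vendor\\app.exe",
                "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll", "Signed": "true"}),
    json.dumps({"EventID": 1, "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE",
                "CommandLine": "\"OUTLOOK.EXE\" -Embedding",
                "ParentImage": "C:\\Users\\alice\\AppData\\Local\\PromptBuilder\\PromptBuilder.exe"}),
    json.dumps({"EventID": 1, "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE",
                "CommandLine": "\"OUTLOOK.EXE\"", "ParentImage": "C:\\Windows\\explorer.exe"}),
    json.dumps({"EventID": 1, "Image": "C:\\Windows\\System32\\taskkill.exe",
                "CommandLine": "taskkill /F /IM Taskmgr.exe",
                "ParentImage": "C:\\Users\\alice\\AppData\\Local\\PromptBuilder\\PromptBuilder.exe"}),
    "not json {",
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print("ALERT:", alert)
```

Running the script against the constructed events produces three alerts (the side-loaded DLL, the Outlook COM start from the drop directory, and the taskkill against Task Manager) and ignores the benign kernel32 load, the interactive Outlook launch and the malformed line. In production the same rules would read EDR or Sysmon exports and the parent allowlist would be built from a baseline of the environment.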


Banks and financial service providers should also strengthen backend controls: detect atypical access and transaction patterns, require multi-channel re-verification for sensitive operations, and educate customers about fraud signals (for example, requests for a PIN or one-time code in a pop-up window) that should never be entered into unofficial windows. Collaboration between financial institutions, CERTs and the security community is essential for sharing indicators and quickly blocking malicious domains and infrastructure.

For those who want to go deeper, the original technical report provides details on the modus operandi, indicators and traces that support mitigation: Elastic Security Labs Report on TCLBanker. For practical guidance and hardening measures against malware in general, the recommendations of the U.S. Cybersecurity and Infrastructure Security Agency offer controls applicable in both business and personal environments: CISA - Malware.

In short, TCLBanker shows how the combination of evasion techniques, abuse of legitimate applications and self-propagation turns a malicious kit into a multiplier threat. The best defence combines prevention in the installation chain, stronger authentication, endpoint controls and behaviour-based detection to identify and contain infections before they spread across networks and organizational systems.
