TCLBANKER Banking Trojan Targets Financial Platforms via WhatsApp and Outlook Worms

\"\"

Threat hunters have discovered a new Brazilian banking trojan, TCLBANKER, that targets 59 banking, fintech, and cryptocurrency platforms.

Tracked as REF3076 by Elastic Security Labs, the malware is believed to be an advanced version of the Maverick trojan. Maverick is known for spreading to a victim's contacts through WhatsApp Web by way of a worm called SORVEPOTEL, and is tied to a threat cluster that Trend Micro tracks as Water Saci.

TCLBANKER's attack chain starts with a loader that has strong anti-analysis capabilities and deploys two modules: the banking trojan itself and a worm component that spreads via WhatsApp and Microsoft Outlook.

According to security researchers Jia Yu Chan, Daniel Stepanic, Seth Goodwin, and Terrance DeJesus, the malware abuses a signed Logitech program to deliver a malicious MSI installer. The installer contains a DLL that serves as the loader and carries the anti-detection features.

To evade detection, the malicious DLL runs only when specific conditions are met; once it does, it removes user-mode API hooks, such as those placed by endpoint security products, and disables telemetry. It also derives the key for decrypting its payload from a fingerprint built out of system checks, so the payload decrypts only on a Brazilian system and an analysis machine configured differently never sees it.
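The environment-keyed decryption described above is worth seeing end to end, because it explains why a sandbox in the wrong locale simply reports a benign no-op. The following is an added illustration, not code from Elastic's report or from TCLBANKER: the fingerprint fields (locale, time zone, keyboard layout), the PBKDF2/SHA-256 construction, and the sample payload are all assumptions chosen for the demo, and a real loader reads the fingerprint values from the OS rather than from a dict. It also shows the analyst's counter, enumerating the small fingerprint space, which the article does not describe.

```python
"""Environmental keying demo (illustrative; not TCLBANKER's actual scheme).

The payload is encrypted under a key derived from a host fingerprint. A
sandbox whose fingerprint differs derives the wrong key, the integrity tag
fails, and the loader exits without ever exposing the decrypted payload.
"""
import hashlib
import hmac
import os

# Constructed fingerprints. A real loader would read these from the OS
# (locale APIs, time zone, keyboard layout); the values here are assumptions.
BRAZILIAN_HOST = {"locale": "pt-BR", "tz": "America/Sao_Paulo", "kbd": "0416"}
SANDBOX_HOST = {"locale": "en-US", "tz": "UTC", "kbd": "0409"}

# Constructed stand-in for the encrypted module; not real malware.
PAYLOAD = b"CONSTRUCTED SAMPLE PAYLOAD - not real malware"


def fingerprint(host: dict) -> bytes:
    """Canonical fingerprint string; sealing and unsealing must agree on the order."""
    return "|".join(f"{k}={host[k]}" for k in sorted(host)).encode()


def derive_key(fp: bytes, salt: bytes) -> bytes:
    """Key = PBKDF2-HMAC-SHA256(fingerprint, salt). The salt ships with the blob."""
    return hashlib.pbkdf2_hmac("sha256", fp, salt, 100_000, dklen=32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """SHA-256 in counter mode; a stdlib-only stand-in for a stream cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def seal(plaintext: bytes, host: dict) -> bytes:
    """Return salt || nonce || ciphertext || tag, keyed to the given host fingerprint."""
    salt, nonce = os.urandom(16), os.urandom(16)
    key = derive_key(fingerprint(host), salt)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, salt + nonce + ct, hashlib.sha256).digest()
    return salt + nonce + ct + tag


def unseal(blob: bytes, host: dict):
    """Decrypt only if the running host's fingerprint matches; otherwise return None."""
    if len(blob) < 64:
        return None
    salt, nonce, ct, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    key = derive_key(fingerprint(host), salt)
    expected = hmac.new(key, salt + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None  # wrong environment: behave like a harmless no-op
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def brute_force_fingerprint(blob: bytes, candidates):
    """Analyst's counter: the fingerprint space is tiny, so just enumerate it."""
    for host in candidates:
        if unseal(blob, host) is not None:
            return host
    return None


if __name__ == "__main__":
    blob = seal(PAYLOAD, BRAZILIAN_HOST)
    print(unseal(blob, BRAZILIAN_HOST))   # the payload bytes
    print(unseal(blob, SANDBOX_HOST))     # None: sandbox never sees plaintext
    print(brute_force_fingerprint(blob, [SANDBOX_HOST, BRAZILIAN_HOST]))
```

The practical takeaway for analysts is the last function: a loader keyed to locale, time zone and keyboard layout is not keyed to a secret, so a detonation environment that mimics a Brazilian Windows install, or a script that tries the handful of plausible fingerprints against the extracted blob, recovers the payload that a default sandbox configuration misses.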

After establishing persistence, TCLBANKER contacts an external command-and-control server, supports self-updating, and monitors the URLs the victim browses for those of the targeted financial institutions. The operator can run tasks remotely, including capturing screenshots and managing files.

To steal data, TCLBANKER uses a full-screen overlay framework that presents the victim with social-engineering prompts and harvests the credentials entered into them. It also propagates by sending spam and phishing messages from the victim's own WhatsApp Web and Microsoft Outlook sessions.

Elastic noted that TCLBANKER marks a shift in Brazilian banking trojan tradecraft, combining real-time social engineering with environment-keyed payload decryption. Because its lures go out from the victim's own WhatsApp and email accounts, they reach recipients as messages from a known contact, which is how the malware gets past traditional defenses.

The development signals a new phase for Brazilian banking trojans, merging sophisticated tradecraft with commodity crimeware to improve both effectiveness and evasion.