u/ChristianCorioo

[Threat Intel] TCLBANKER: The new banking trojan abusing Logitech, WhatsApp, and Outlook

Hey guys, I was reading the latest report from Elastic Security Labs on a new Brazilian banking trojan (dubbed TCLBANKER or REF3076) and it features some pretty neat technical stuff that I think is worth discussing. It's basically the evolution of Maverick (or Water Saci, as Trend Micro calls it).

I put together a recap because the way it evades defenses and propagates is a major headache for anyone doing detection:

1. Infection Chain & Evasion

  • The malware starts with an MSI installer inside a ZIP file that abuses a legitimate, signed Logitech program ("Logi AI Prompt Builder") via DLL side-loading.
  • The loader performs heavy checks: it looks for debuggers, VMs, analysis tools, and disables Windows ETW telemetry.
  • The real gem: It creates an environment hash based on these checks and the system language (which must be Brazilian Portuguese). If a debugger is active, the hash is incorrect and the payload won't decrypt at all. Super smart.

2. Data Theft and C2

  • It monitors the URLs of major browsers (Chrome, Edge, Firefox, etc.) using UI Automation.
  • When the victim lands on one of the 59 target platforms (banks, crypto, etc.), it opens a WebSocket connection with the C2 server and launches everything: keylogger, shell, fake Windows update pop-ups, and WPF overlays to steal credentials (all while hiding from screen capture tools).

3. Propagation (The worm component)

  • WhatsApp Web: It hijacks the authenticated browser session and uses the open-source project WPPConnect to automatically spam messages to contacts.
  • Outlook: It abuses the Microsoft Outlook client installed on the PC to send phishing emails directly from the victim's address. Since they originate from a legit account, they easily bypass antispam filters.

Discussion: Elastic points out that techniques like these (environment-gated payload, direct syscalls, social engineering via WebSocket) used to be the exclusive domain of top-tier APTs, while now they are becoming commodity crimeware accessible to many.

What do you think of this shift? And more importantly, how are you mitigating propagation in your networks that exploits already authenticated, legitimate WhatsApp sessions and Outlook clients?

(P.S. I'll drop the link to the original article in the comments!)

u/ChristianCorioo — 6 days ago
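The environment-gated decryption described in section 1 of the post is worth seeing in working form, because it explains both why a debugger stops the payload from decrypting and why an analyst can still get at it offline. The block below is an added illustration written for this thread, not code from TCLBANKER, Elastic, or the poster: the specific checks (debugger, VM, analysis tools), the one-byte flag layout, the salt, the placeholder payload and the hash-derived stream cipher with an HMAC tag are all assumptions chosen so the example runs with the Python standard library alone. The `recover_payload` function goes beyond the post: it shows that once the derivation is understood, the fingerprint space is small enough to brute-force without ever running the sample under a debugger.

```python
"""Environment-keyed payload gating (illustrative, stdlib only).

Added example for this thread; not malware code. Check names, flag layout,
salt, payload and cipher construction are assumptions.
"""
import hashlib
import hmac
from typing import Optional, Tuple


def environment_fingerprint(debugger: bool, vm: bool, analysis_tools: bool, locale: str) -> bytes:
    """Canonical encoding of the loader's checks (hypothetical layout: 3 flag bits + locale).
    Any check that differs between the sandbox and the intended victim changes the key."""
    flags = (int(debugger) << 2) | (int(vm) << 1) | int(analysis_tools)
    return bytes([flags]) + locale.encode("utf-8")


def derive_key(fingerprint: bytes, salt: bytes) -> bytes:
    # SHA-256 over a per-sample salt and the fingerprint; the key itself is never
    # stored in the binary, only the recipe for recomputing it.
    return hashlib.sha256(salt + fingerprint).digest()


def _keystream(key: bytes, length: int) -> bytes:
    # Counter-mode keystream built from SHA-256 (toy construction, not for real use).
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def seal(payload: bytes, key: bytes) -> bytes:
    # XOR with the keystream, then an HMAC tag so a wrong key is detected
    # instead of silently producing garbage.
    ct = bytes(p ^ k for p, k in zip(payload, _keystream(key, len(payload))))
    tag = hmac.new(key, ct, hashlib.sha256).digest()
    return tag + ct


def open_sealed(blob: bytes, key: bytes) -> Optional[bytes]:
    tag, ct = blob[:32], blob[32:]
    if not hmac.compare_digest(tag, hmac.new(key, ct, hashlib.sha256).digest()):
        return None  # key mismatch: live environment differs from the build-time one
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, len(ct))))


# Build time (operator side): seal stage 2 for a clean pt-BR host with no debugger.
SALT = b"sample-salt-0001"  # constructed; a real sample would embed something opaque
VICTIM_FP = environment_fingerprint(debugger=False, vm=False, analysis_tools=False, locale="pt-BR")
PAYLOAD = b"stage2: open websocket to C2 and start modules"  # constructed placeholder
BLOB = seal(PAYLOAD, derive_key(VICTIM_FP, SALT))


def attempt(debugger: bool, vm: bool, analysis_tools: bool, locale: str) -> Optional[bytes]:
    """Run time (loader side): recompute the key from live checks and try to open the blob."""
    fp = environment_fingerprint(debugger, vm, analysis_tools, locale)
    return open_sealed(BLOB, derive_key(fp, SALT))


def recover_payload(blob: bytes, salt: bytes, candidate_locales) -> Optional[Tuple[int, str, bytes]]:
    """Analyst side: the gate is only as wide as the fingerprint space. With 3 flag bits and
    a short list of plausible locales, every candidate key can be tried offline."""
    for locale in candidate_locales:
        for flags in range(8):
            fp = bytes([flags]) + locale.encode("utf-8")
            pt = open_sealed(blob, derive_key(fp, salt))
            if pt is not None:
                return flags, locale, pt
    return None


if __name__ == "__main__":
    print(attempt(False, False, False, "pt-BR"))  # intended victim: decrypts
    print(attempt(True, False, False, "pt-BR"))   # debugger attached: None
    print(attempt(False, False, False, "en-US"))  # wrong locale: None
    print(recover_payload(BLOB, SALT, ["en-US", "es-ES", "pt-BR"]))
```

The practical point for detection and analysis: because the key is a function of the checks rather than of a stored secret, patching a single anti-debug check in a debugger is not enough, since every check feeds the hash and all of them must return the victim values together. Conversely, the derivation has no entropy beyond the check results and the locale, so an analyst who has identified the hash inputs can enumerate them offline, which is what `recover_payload` does here.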