TCLBANKER is a sophisticated Brazilian banking trojan deployed through a trojanized Logitech installer and capable of hijacking victims' WhatsApp and Outlook accounts to spread itself to new targets.
The campaign, tracked as REF3076, delivers TCLBANKER via a malicious MSI installer bundled inside a ZIP file. The installer abuses a signed Logitech application, Logi AI Prompt Builder, through a DLL sideloading technique.
A malicious DLL named screen_retriever_plugin.dll masquerades as a legitimate Flutter plugin and is loaded automatically when the Logitech host application starts. Once loaded, it deploys two embedded .NET Reactor-protected payloads: a full banking trojan module and a worm module for self-propagation.
TCLBANKER Malware Leverages WhatsApp and Outlook
What makes TCLBANKER particularly evasive is its environment-dependent payload-decryption mechanism. The loader derives a three-part environment fingerprint from anti-debugging checks, system hardware information, and language settings, and uses it as key material for the payloads.
If the system is identified as a sandbox or analysis environment, the fingerprint is wrong, the payload fails to decrypt, and execution stops silently.
The malware disables user-mode ETW telemetry by patching EtwEventWrite with a simple xor eax, eax; ret stub, and generates direct syscall trampolines to bypass security hooks, as reported by Elastic.
A watchdog subsystem runs throughout the entire infection lifecycle, actively scanning for over a dozen analysis tools, including x64dbg, Ghidra, dnSpy, IDA Pro, Process Hacker, Frida, and CheatEngine. If any of these tools is detected, the malware terminates immediately.
The banking module targets only Brazilian victims and requires at least two of four geofencing checks (region code, time zone, system locale, and keyboard layout) to match Brazil before it activates.
Every second, the malware reads the victim's active browser address bar through Windows UI Automation in Chrome, Firefox, Edge, Brave, Opera, and Vivaldi, and checks the URL against an encrypted list of 59 Brazilian banking, fintech, and cryptocurrency domains.
When a match is found, a WebSocket C2 session opens to wss://mxtestacionamentos[.]com/ws, and the operator gains full remote control of the infected machine.
A WPF-based full-screen overlay framework is the malware's most alarming capability. When activated, it covers every monitor with a borderless, topmost window that cannot be closed until the operator turns it off.
The overlay is invisible to screen-capture tools because it sets WDA_EXCLUDEFROMCAPTURE, so the victim cannot seek help by sending screenshots. Built-in UI modules include a credential-harvesting prompt with Brazilian phone number masking, a fake Windows Update progress screen, a vishing wait screen that keeps the victim occupied while the fraudsters call them directly, and a "cutout overlay" that exposes a real application window inside the fraudulent interface to make the social engineering more convincing.
The second payload, Tcl.WppBot, is a dual-channel spam worm. Its WhatsApp bot scans the installed Chromium-based browsers for active WhatsApp Web sessions by looking for the application's LevelDB or IndexedDB directory in each browser's profile.
It clones the profile into a temporary directory, launches a headless Chromium instance via Selenium WebDriver, injects WPPConnect JavaScript to bypass bot detection, harvests the victim's contacts, and silently sends phishing messages carrying the TCLBANKER installer to all Brazilian contacts without the victim's knowledge.
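Hunting for the WhatsApp bot in endpoint telemetry is simpler than catching the injected JavaScript: a Chromium browser started headless, with its profile under a temp directory, by a WebDriver binary is the combination a Selenium launch from a cloned profile leaves in process-creation logs. The Python below is an added example (not Elastic's detection content and not the worm's code) that scores constructed Sysmon-style Event ID 1 records on those three traits and reports only launches that show at least two, so a CI job that merely runs a browser headless is not flagged. The event records, user name, paths and profile directory name are all made up for the example.

```python
import re
from typing import Dict, List

# Constructed Sysmon-style process-creation records (Event ID 1 fields), not
# real telemetry. Event 2 models a Selenium launch from a cloned profile in
# %TEMP%; event 3 is a CI job running Edge headless; events 1 and 4 are
# ordinary Chrome activity (4 is a renderer child of the browser process).
EVENTS = [
    {"id": 1,
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmd": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory=Default',
     "parent": r"C:\Windows\explorer.exe"},
    {"id": 2,
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmd": (r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --headless=new '
             r'--remote-debugging-port=51233 --no-first-run '
             r'--user-data-dir="C:\Users\ana\AppData\Local\Temp\wpp_x1y2z3"'),
     "parent": r"C:\Users\ana\AppData\Local\Temp\chromedriver.exe"},
    {"id": 3,
     "image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "cmd": r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --headless --user-data-dir=C:\ci\edge-profile',
     "parent": r"C:\ci\agent\node.exe"},
    {"id": 4,
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmd": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --user-data-dir="C:\Users\ana\AppData\Local\Google\Chrome\User Data"',
     "parent": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
]

CHROMIUM = {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe", "vivaldi.exe", "chromium.exe"}
WEBDRIVERS = {"chromedriver.exe", "msedgedriver.exe", "operadriver.exe"}
HEADLESS_RE = re.compile(r"--headless(?:=\w+)?(?=\s|$)", re.IGNORECASE)
USER_DATA_DIR_RE = re.compile(r'--user-data-dir=(?:"([^"]+)"|(\S+))', re.IGNORECASE)
TEMP_DIR_RE = re.compile(r"\\(temp|tmp)\\", re.IGNORECASE)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def traits(event: Dict[str, object]) -> List[str]:
    """Return the suspicious traits present on one Chromium launch record."""
    found: List[str] = []
    if basename(str(event["image"])) not in CHROMIUM:
        return found
    cmd = str(event["cmd"])
    if HEADLESS_RE.search(cmd):
        found.append("headless")
    m = USER_DATA_DIR_RE.search(cmd)
    profile = (m.group(1) or m.group(2)) if m else ""
    if profile and TEMP_DIR_RE.search(profile):
        found.append("profile under temp")
    if basename(str(event["parent"])) in WEBDRIVERS:
        found.append("spawned by WebDriver")
    return found


def hunt(events: List[Dict[str, object]], min_traits: int = 2) -> Dict[int, List[str]]:
    """Map event id -> traits for launches that show at least `min_traits`.
    Requiring two keeps headless-only runs such as CI (event 3) out of the queue."""
    alerts: Dict[int, List[str]] = {}
    for event in events:
        found = traits(event)
        if len(found) >= min_traits:
            alerts[int(str(event["id"]))] = found
    return alerts


if __name__ == "__main__":
    for event_id, found in hunt(EVENTS).items():
        print(f"event {event_id}: {', '.join(found)}")
```

The user-data-dir regex accepts both the quoted and unquoted forms Chromium emits, and the temp-path test runs only on the extracted profile path, so a browser's normal `User Data` directory under AppData is not mistaken for a temp location.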
The Outlook bot connects to the victim's installed Microsoft Outlook via COM interop, harvests email contacts from the Contacts folder and the inbox message history, and then sends phishing emails from the victim's own account.
The emails carry the subject line "NFe disponível para impressão" (Electronic Invoice Available for Printing) and link to a phishing domain impersonating a Brazilian ERP platform. Because they originate from trusted, legitimate accounts, they are highly likely to bypass traditional email security filters.
All C2 and payload delivery infrastructure is hosted under a single Cloudflare Workers account (ef971a42.workers[.]dev), which lets the operators rotate infrastructure rapidly.
Developer artifacts, including a debug logging path (C:\temp\tcl-debug.txt), test process names, and an incomplete phishing site still showing a maintenance page, suggest that REF3076 is in its early operational stages and that the campaign's scope is likely to grow.
Researchers link TCLBANKER to the previously tracked MAVERICK/SORVEPOTEL malware family based on shared infrastructure and code patterns.
IoC
| Observable | Type | Name | Reference |
|---|---|---|---|
| 701d51b7be8b034c860bf97847bd59a87dca8481c4625328813746964995b626 | SHA-256 | screen_retriever_plugin.dll | TCLBanker loader component |
| 8a174aa70a4396547045aef6c69eb0259bae1706880f4375af71085eeb537059 | SHA-256 | screen_retriever_plugin.dll | TCLBanker loader component |
| 668f932433a24bbae89d60b24eee4a24808fc741f62c5a3043bb7c9152342f40 | SHA-256 | screen_retriever_plugin.dll | TCLBanker loader component |
| 63beb7372098c03baab77e0dfc8e5dca5e0a7420f382708a4df79bed2d900394 | SHA-256 | XXL_21042026-181516.zip | TCLBanker initial ZIP file |
| campanha1-api.ef971a42[.]workers.dev | domain-name | TCLBanker C2 | |
| mxtestacionamentos[.]com | domain-name | TCLBanker C2 | |
| documents.ef971a42.workers[.]dev | domain-name | TCLBanker file server | |
| arquivos-omie[.]com | domain-name | TCLBanker phishing page (under development) | |
| documentos-online[.]com | domain-name | TCLBanker phishing page (under development) | |
| afonsoferragista[.]com | domain-name | TCLBanker phishing page (under development) | |
| doccompartilhe[.]com | domain-name | TCLBanker phishing page (under development) | |
| recebamais[.]com | domain-name | TCLBanker phishing page (under development) | |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
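To load the table above into a SIEM the observables have to be refanged, as the note says, and domain IoCs need suffix matching so that a subdomain of a listed host is still caught. The Python below is an added example (not part of the page and not Elastic's release): it parses a subset of the table rows, copied as published, refangs them, and matches them against constructed DNS query and file-hash log lines. The log lines, client addresses, hostname, file paths and the second (benign) hash are made up for the example.

```python
import re
from typing import List, Tuple

# Rows copied from the IoC table above (a subset). The placement of the [.]
# markers inside each hostname is kept exactly as published.
IOC_TABLE = """
| Observable | Type | Name | Reference |
|---|---|---|---|
| 701d51b7be8b034c860bf97847bd59a87dca8481c4625328813746964995b626 | SHA-256 | screen_retriever_plugin.dll | TCLBanker loader component |
| 63beb7372098c03baab77e0dfc8e5dca5e0a7420f382708a4df79bed2d900394 | SHA-256 | XXL_21042026-181516.zip | TCLBanker initial ZIP file |
| campanha1-api.ef971a42[.]workers.dev | domain-name | TCLBanker C2 | |
| mxtestacionamentos[.]com | domain-name | TCLBanker C2 | |
| arquivos-omie[.]com | domain-name | TCLBanker phishing page (under development) | |
"""

# Constructed log samples (not real telemetry). DNS lines are
# "<ts> <client> query <type> <qname>"; hash lines are "<host> <sha256> <path>".
DNS_LOG = """
2026-04-22T13:02:11Z 10.1.4.23 query A www.google.com
2026-04-22T13:02:15Z 10.1.4.23 query A mxtestacionamentos.com.
2026-04-22T13:02:16Z 10.1.4.23 query A campanha1-api.ef971a42.workers.dev
2026-04-22T13:03:01Z 10.1.4.40 query A notmxtestacionamentos.com
2026-04-22T13:03:07Z 10.1.4.40 query A cdn.arquivos-omie.com
"""
HASH_LOG = r"""
WS-ANA-01 63BEB7372098C03BAAB77E0DFC8E5DCA5E0A7420F382708A4DF79BED2D900394 C:\Users\ana\Downloads\XXL_21042026-181516.zip
WS-ANA-01 9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08 C:\Users\ana\Downloads\notes.txt
"""

DEFANG_RULES = [
    (re.compile(r"\[\.\]|\(\.\)|\{\.\}|\[dot\]", re.IGNORECASE), "."),
    (re.compile(r"\[://\]"), "://"),
    (re.compile(r"\[:\]"), ":"),
    (re.compile(r"\bhxxps?\b", re.IGNORECASE), lambda m: m.group(0).lower().replace("xx", "tt")),
]


def refang(value: str) -> str:
    """Undo the usual defanging conventions so the value can be queried."""
    for pattern, replacement in DEFANG_RULES:
        value = pattern.sub(replacement, value)
    return value.strip()


def parse_ioc_table(table: str) -> List[Tuple[str, str, str]]:
    """Return (observable, type, name) triples from a markdown IoC table,
    skipping the header and separator rows."""
    rows = []
    for line in table.splitlines():
        if not line.startswith("|"):
            continue
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) < 3 or cells[0] == "Observable" or cells[0].startswith("---"):
            continue
        rows.append((refang(cells[0]), cells[1], cells[2]))
    return rows


def domain_matches(qname: str, ioc_domain: str) -> bool:
    """Exact or subdomain match; a trailing-dot FQDN is normalised first, and
    a lookalike such as notmxtestacionamentos.com does not match."""
    q, d = qname.lower().rstrip("."), ioc_domain.lower()
    return q == d or q.endswith("." + d)


def find_hits(iocs: List[Tuple[str, str, str]], dns_log: str, hash_log: str) -> List[Tuple[str, str, str]]:
    """Return (kind, matched value, IoC name) for every log line that hits."""
    domains = [(o, n) for o, t, n in iocs if t == "domain-name"]
    hashes = {o.lower(): n for o, t, n in iocs if t == "SHA-256"}
    hits = []
    for line in dns_log.strip().splitlines():
        qname = line.split()[-1]
        for d, name in domains:
            if domain_matches(qname, d):
                hits.append(("dns", qname.rstrip("."), name))
    for line in hash_log.strip().splitlines():
        sha = line.split()[1].lower()
        if sha in hashes:
            hits.append(("hash", sha, hashes[sha]))
    return hits


if __name__ == "__main__":
    for hit in find_hits(parse_ioc_table(IOC_TABLE), DNS_LOG, HASH_LOG):
        print(*hit)
```

Hashes are compared case-insensitively because EDR and file-integrity tools differ in the case they emit, and the domain check is a label-boundary suffix match rather than a substring search, which is what keeps the lookalike query out of the results.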