A newly identified banking trojan named TCLBANKER has drawn attention from cybersecurity researchers due to its ability to target dozens of financial platforms while using trusted communication channels for distribution. Threat analysts have linked the activity to a campaign tracked as REF3076, highlighting its connection to earlier malware families such as Maverick. The campaign demonstrates a shift in cybercriminal strategy by combining advanced evasion techniques with large-scale propagation through commonly used platforms such as WhatsApp and Microsoft Outlook.
Security researchers report that the infection process begins with a ZIP archive containing a malicious MSI installer. This installer abuses a legitimate signed application associated with Logitech, allowing the malware to blend into normal system activity. Through DLL side-loading, the trojan launches a malicious component that acts as a loader equipped with strong anti-analysis mechanisms. It monitors for debugging tools, antivirus software, and sandbox environments to keep the malware undetected. The loader also disables system-level telemetry and removes security hooks, making detection more difficult. It generates multiple system fingerprints based on hardware details, language settings, and anti-debugging checks to create an environment-specific hash. This hash is required to decrypt the payload, meaning the malware will not execute if it detects an analysis environment. The checks specifically require the system language to be Brazilian Portuguese, indicating a focused targeting approach.
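To show what a defender can look for at the side-loading step described above, here is an added example (not code from the report or the researchers): a small heuristic run over constructed Sysmon-style image-load events that flags a signed vendor executable loading a DLL from its own directory outside the normal install roots. The event field names, the signer strings, and the file paths are assumptions.

```python
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Roots where legitimately installed software normally lives.
TRUSTED_ROOTS = ("C:\\Program Files", "C:\\Program Files (x86)", "C:\\Windows")
# Signers whose binaries the report says were abused (assumption: exact-match strings).
WATCHED_SIGNERS = {"Logitech"}


@dataclass
class ImageLoad:
    """One image-load event (Sysmon Event ID 7 style; field names assumed)."""
    process_image: str   # executable performing the load
    process_signer: str  # signer of that executable, "" if unsigned
    loaded_image: str    # full path of the loaded DLL
    loaded_signer: str   # signer of the DLL, "" if unsigned


def under_trusted_root(path: str) -> bool:
    lowered = str(PureWindowsPath(path)).lower()
    return any(lowered.startswith(root.lower() + "\\") for root in TRUSTED_ROOTS)


def is_suspicious_sideload(ev: ImageLoad) -> bool:
    """Flag a watched signed executable loading a DLL that sits in its own
    directory, outside the trusted roots, and is not signed by the same vendor."""
    if ev.process_signer not in WATCHED_SIGNERS:
        return False
    same_dir = (str(PureWindowsPath(ev.process_image).parent).lower()
                == str(PureWindowsPath(ev.loaded_image).parent).lower())
    return (same_dir and not under_trusted_root(ev.loaded_image)
            and ev.loaded_signer != ev.process_signer)


def find_sideloads(events):
    return [ev for ev in events if is_suspicious_sideload(ev)]


# Constructed sample events; paths and file names are placeholders, not IoCs.
TEMP = "C:\\Users\\victim\\AppData\\Local\\Temp\\pkg\\"
SAMPLE_EVENTS = [
    ImageLoad("C:\\Program Files\\Logitech\\tool.exe", "Logitech",
              "C:\\Program Files\\Logitech\\helper.dll", "Logitech"),       # benign
    ImageLoad(TEMP + "tool.exe", "Logitech", TEMP + "helper.dll", ""),     # side-load
    ImageLoad(TEMP + "tool.exe", "Logitech",
              "C:\\Windows\\System32\\kernel32.dll", "Microsoft Windows"),  # benign
]

if __name__ == "__main__":
    for ev in find_sideloads(SAMPLE_EVENTS):
        print("suspicious side-load:", ev.process_image, "->", ev.loaded_image)
```

The rule only covers the signed-executable-plus-unsigned-DLL pattern; the preceding ZIP-to-MSI step would need a separate rule on installer process ancestry.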
Once deployed, the main banking trojan establishes persistence on the infected system and begins communicating with a remote server by transmitting system information. It includes features that allow continuous updates and real-time monitoring of user activity. By extracting URLs from active browser sessions, it compares them against a predefined list of targeted banking and financial platforms. When a match is found, the trojan initiates a connection with its command server, allowing operators to execute various actions remotely. These include capturing screenshots, logging keystrokes, manipulating clipboard data, and controlling the victim’s system. It can also display fake overlays designed to trick users into entering sensitive credentials, using full-screen interfaces that mimic legitimate processes such as system updates or verification prompts while remaining hidden from screen capture tools.
Alongside its core banking functions, TCLBANKER integrates a worm module that significantly amplifies its spread. It hijacks authenticated WhatsApp Web sessions to send malicious messages to contacts using automated scripts, while filtering out non-Brazilian numbers and group chats. At the same time, it leverages Microsoft Outlook to distribute phishing emails directly from the victim’s account. This method increases credibility and bypasses traditional email filtering, as messages originate from trusted sources within a contact network. Researchers estimate the malware can reach thousands of contacts from a single compromised account, demonstrating a highly effective distribution mechanism that relies on user trust rather than traditional exploit techniques.
Current analysis suggests that the campaign is still evolving, with traces of testing artifacts and incomplete components observed in the code. Despite this, the level of sophistication indicates a broader trend within the Brazilian cybercrime ecosystem, where techniques once limited to advanced threat actors are becoming more widely adopted. The combination of environment-aware payload execution, real-time control capabilities, and abuse of legitimate communication channels underscores a growing challenge for traditional security defenses, particularly those relying on reputation-based detection.