PROBABLYPWNED
Malware · May 8, 2026 · 4 min read

TCLBanker Trojan Spreads via WhatsApp and Outlook, Abuses Signed Logitech Installer

Brazilian banking trojan TCLBanker targets 59 financial platforms using a trojanized Logitech installer. It hijacks WhatsApp Web and Outlook to self-propagate, while WPF overlays facilitate real-time fraud.

James Rivera

A Brazilian banking trojan called TCLBanker has emerged with a nasty combination of capabilities: it arrives via a trojanized Logitech installer, spreads itself through victims' WhatsApp and Outlook accounts, and deploys full-screen overlays for real-time fraud operations. Elastic Security Labs disclosed the threat, which targets 59 banking, fintech, and cryptocurrency platforms.

TCLBanker represents an evolution of the MAVERICK/SORVEPOTEL malware family, with significant new self-propagation capabilities that turn every victim into an unwitting distributor.

Infection Vector: Logitech AI Prompt Builder

The trojan arrives as a trojanized version of the Logitech Logi AI Prompt Builder, bundled inside a ZIP archive. Attackers abuse DLL sideloading against the legitimate signed Logitech executable, dropping a malicious DLL named screen_retriever_plugin.dll that masquerades as a legitimate Flutter plugin.

When the host application starts, it automatically loads the malicious DLL—no user interaction required beyond running the installer. The signed Logitech binary provides cover, as security tools often whitelist vendor-signed executables.

This technique mirrors supply chain attacks we've covered, though TCLBanker distributes through phishing rather than compromising official download channels.

Self-Propagation: Hijacking WhatsApp and Outlook

What sets TCLBanker apart is its worm-like spreading mechanism:

WhatsApp Worm Component:

  • Hijacks authenticated WhatsApp Web browser sessions by cloning user profiles
  • Injects JavaScript to bypass bot detection mechanisms
  • Harvests contacts and distributes malware links via WPPConnect library integration
  • Sends phishing messages from the victim's actual WhatsApp account

Outlook Email Bot:

  • Harvests contacts from Outlook folders and message history
  • Sends phishing emails from victims' own accounts via COM automation
  • Uses the victim's legitimate sender address, which improves deliverability and helps the messages bypass spam filters

This approach is devastatingly effective. Recipients see messages from contacts they know, sent from real email addresses—exactly the kind of trust signal that makes people click.

Banking Fraud Capabilities

Once installed, TCLBanker monitors browser activity via UI Automation, watching for navigation to any of 59 targeted Brazilian banking domains. When a victim visits a monitored site, the trojan activates WebSocket C2 sessions for operator-driven fraud.

The malware's overlay subsystem is particularly sophisticated:

  • Credential harvesting with format masking (phone numbers, CPF)
  • Fake Windows Update screens to stall victims while operators work
  • Vishing wait screens displayed during social engineering calls
  • Anti-capture technology that hides overlays from screenshots

The WPF-based overlay framework supports real-time operator control, meaning a human attacker can adapt the fraud flow based on victim responses. This isn't automated credential theft—it's assisted fraud where the malware provides the stage and a human provides the script.

Technical Evasion

TCLBanker employs multiple anti-analysis techniques:

  • Environment-gated decryption - Payloads only decrypt on targeted systems
  • Syscall trampolines - Direct system calls bypass user-mode hooks
  • ETW patching - Disables Event Tracing for Windows to evade EDR
  • Watchdog mechanisms - Anti-analysis processes monitor for debugging

Elastic researchers noted exposed debug artifacts suggesting the malware is still under active development—concerning, since current capabilities are already substantial.

Indicators of Compromise

C2 Infrastructure:

  • campagna1-api.ef971a42.workers.dev
  • mxtestacionamentos[.]com

File Server:

  • documents.ef971a42.workers.dev

Phishing Domains:

  • arquivos-omie[.]com
  • documentos-online[.]com
  • recebamais[.]com

File Hash:

  • 701d51b7be8b034c860bf97847bd59a87dca8481c4625328813746964995b626
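To turn the indicators above into something a SOC can actually run, here is an added example (written for this article, not code from Elastic or from the malware report) that refangs the published domains and hashes and matches them against constructed DNS and file-creation log lines. The log format, hostnames, timestamps and file paths are made up; only the indicators are from the article. Note the label-boundary matching: a lookalike such as notrecebamais.com or documentos-online.com.br must not count as a hit, and a trailing dot in a DNS query must not prevent one.

```python
# Added example: match the article's defanged indicators against constructed
# DNS and file-event logs. Indicators are from the article; logs are made up.
import re

# Network indicators as printed in the article, defanged with "[.]" where the
# author defanged them.
NETWORK_IOCS = [
    "campagna1-api.ef971a42.workers.dev",   # C2
    "mxtestacionamentos[.]com",             # C2
    "documents.ef971a42.workers.dev",       # file server
    "arquivos-omie[.]com",                  # phishing
    "documentos-online[.]com",              # phishing
    "recebamais[.]com",                     # phishing
]
FILE_IOCS = {
    "701d51b7be8b034c860bf97847bd59a87dca8481c4625328813746964995b626",
}

# Constructed sample logs (hostnames, timestamps and paths are invented).
SAMPLE_DNS_LOG = """\
2026-05-08T09:12:01Z ws-017 dns query=www.example.com rcode=NOERROR
2026-05-08T09:12:07Z ws-017 dns query=campagna1-api.ef971a42.workers.dev rcode=NOERROR
2026-05-08T09:13:44Z ws-023 dns query=cdn.recebamais.com. rcode=NOERROR
2026-05-08T09:14:10Z ws-031 dns query=documentos-online.com.br rcode=NXDOMAIN
2026-05-08T09:15:02Z ws-031 dns query=notrecebamais.com rcode=NOERROR
"""
SAMPLE_FILE_LOG = """\
2026-05-08T09:11:58Z ws-017 file_create path=C:\\Users\\ana\\Downloads\\installer.zip sha256=701D51B7BE8B034C860BF97847BD59A87DCA8481C4625328813746964995B626
2026-05-08T09:12:00Z ws-017 file_create path=C:\\Users\\ana\\Downloads\\notes.txt sha256=0000000000000000000000000000000000000000000000000000000000000000
"""

DNS_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) dns query=(?P<query>\S+)")
FILE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) file_create path=(?P<path>.+?) sha256=(?P<sha256>[0-9a-fA-F]{64})$"
)


def refang(indicator: str) -> str:
    """Undo the defanging used in public reporting ("[.]", "hxxp") so the
    indicator can be compared with real log data."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").lower().strip(".")


def matching_ioc(query: str, iocs=NETWORK_IOCS):
    """Return the indicator that `query` equals or is a subdomain of, else None.
    Matching is done on label boundaries, so 'notrecebamais.com' and
    'documentos-online.com.br' are not false positives."""
    q = query.lower().rstrip(".")
    for raw in iocs:
        ind = refang(raw)
        if q == ind or q.endswith("." + ind):
            return ind
    return None


def scan_dns_log(text: str, iocs=NETWORK_IOCS):
    """Return (host, query, indicator) for every DNS line that hits an IOC."""
    hits = []
    for line in text.splitlines():
        m = DNS_RE.match(line)
        if not m:
            continue
        ind = matching_ioc(m["query"], iocs)
        if ind:
            hits.append((m["host"], m["query"].rstrip("."), ind))
    return hits


def scan_file_log(text: str, hashes=FILE_IOCS):
    """Return (host, path) for every file event whose SHA-256 is a known IOC.
    Hashes are compared case-insensitively because tools differ in casing."""
    wanted = {h.lower() for h in hashes}
    hits = []
    for line in text.splitlines():
        m = FILE_RE.match(line)
        if m and m["sha256"].lower() in wanted:
            hits.append((m["host"], m["path"]))
    return hits


if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_DNS_LOG) + scan_file_log(SAMPLE_FILE_LOG):
        print("IOC hit:", hit)
```

Running it reports the C2 lookup from ws-017, the subdomain of recebamais.com from ws-023, and the installer.zip whose hash matches, while ignoring the two lookalike domains. Swap the constructed logs for your resolver or EDR export and the same functions apply.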

Defensive Recommendations

  1. Block sideloading - Application control policies can prevent unauthorized DLLs from loading alongside signed executables
  2. Monitor for UI Automation abuse - TCLBanker's browser monitoring leaves detectable traces
  3. Restrict COM automation - Outlook COM access from non-Outlook processes should trigger alerts
  4. Educate on message-based threats - Users should verify unexpected links even from known contacts
  5. Geographic blocking - If you don't do business in Brazil, consider blocking Brazilian banking domains at the proxy level to reduce overlay trigger opportunities
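Recommendation 1 and the infection-vector section describe the same pattern from two sides: a signed vendor executable running from a user-writable folder loads an unsigned DLL sitting next to it. The following added example (written for this article, not code from Elastic, Logitech or the malware) expresses that as a detection rule over constructed image-load events. Field names follow Sysmon Event ID 7 (Image, ImageLoaded, Signed, SignatureStatus); the extra ImageSignatureStatus field is an assumed enrichment describing the host process's own signature, which raw Sysmon does not record, and the hostnames, paths and the host executable name are placeholders.

```python
# Added example: flag DLL sideloading from user-writable directories over
# constructed Sysmon-style image-load events. Not the article's or Elastic's code.
import ntpath

# Directory fragments an ordinary user can write to. A process executing
# from here that loads an unsigned DLL from the same folder is the pattern
# the article describes for the trojanized installer.
USER_WRITABLE_MARKERS = ("\\users\\", "\\temp\\", "\\appdata\\")

# Constructed events in the shape of Sysmon Event ID 7. "ImageSignatureStatus"
# is an assumed enrichment (signature of the loading process), not a raw field.
# "host.exe" stands in for the signed vendor executable; the real name is not
# given in the article.
SAMPLE_IMAGE_LOADS = [
    {"host": "ws-017",
     "Image": r"C:\Users\ana\Downloads\LogiPromptBuilder\host.exe",
     "ImageLoaded": r"C:\Users\ana\Downloads\LogiPromptBuilder\screen_retriever_plugin.dll",
     "Signed": "false", "SignatureStatus": "Unavailable",
     "ImageSignatureStatus": "Valid"},
    {"host": "ws-017",
     "Image": r"C:\Users\ana\Downloads\LogiPromptBuilder\host.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "SignatureStatus": "Valid",
     "ImageSignatureStatus": "Valid"},
    {"host": "ws-023",
     "Image": r"C:\Program Files\Vendor\app.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\plugin.dll",
     "Signed": "false", "SignatureStatus": "Unavailable",
     "ImageSignatureStatus": "Valid"},
    {"host": "ws-031",
     "Image": r"C:\Users\bob\AppData\Local\Temp\tool.exe",
     "ImageLoaded": r"C:\Users\bob\AppData\Local\Temp\helper.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
]


def validly_signed(status: str) -> bool:
    """Sysmon reports 'Valid' only when the Authenticode signature checks out."""
    return status == "Valid"


def user_writable(path: str) -> bool:
    return any(marker in path.lower() for marker in USER_WRITABLE_MARKERS)


def same_directory(a: str, b: str) -> bool:
    # ntpath splits Windows paths correctly even when this runs on Linux.
    return ntpath.dirname(a).lower() == ntpath.dirname(b).lower()


def check_image_load(ev: dict):
    """Return an alert dict for a suspicious sideload, else None.

    Required: an unsigned (or invalidly signed) DLL, loaded from the same
    user-writable directory the host process runs from. Severity is raised
    to 'high' when the host process itself carries a valid signature, which is
    the signed-binary-as-cover case the article describes."""
    dll = ev["ImageLoaded"]
    if not dll.lower().endswith(".dll"):
        return None
    if validly_signed(ev["SignatureStatus"]):
        return None                       # a properly signed DLL is not this pattern
    if not same_directory(ev["Image"], dll) or not user_writable(dll):
        return None
    host_signed = validly_signed(ev.get("ImageSignatureStatus", ""))
    return {
        "host": ev["host"],
        "process": ev["Image"],
        "dll": ntpath.basename(dll),
        "severity": "high" if host_signed else "medium",
        "reason": ("unsigned DLL loaded from a user-writable directory by "
                   + ("a signed" if host_signed else "an unsigned")
                   + " executable in the same directory"),
    }


def scan_image_loads(events):
    """Apply the rule to a batch of events and keep only the alerts."""
    return [alert for alert in map(check_image_load, events) if alert]


if __name__ == "__main__":
    for alert in scan_image_loads(SAMPLE_IMAGE_LOADS):
        print(alert["severity"].upper(), alert["host"], alert["dll"], "-", alert["reason"])
```

On the sample data the rule fires high for the unsigned plugin DLL next to the signed host in Downloads, fires medium for the unsigned tool in Temp, and stays quiet for kernel32.dll and for the unsigned plugin under Program Files, which a user cannot write to and which an application-control policy would govern separately.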

Why This Matters

Brazilian banking trojans have historically stayed regional, but TCLBanker's self-propagation mechanisms could easily be adapted for other markets. The combination of signed-binary abuse, automated spreading through trusted communication channels, and operator-driven fraud represents a mature threat model that other malware families will likely copy.

For organizations with Brazilian operations or employees, TCLBanker demands immediate attention. For everyone else, watch for variants targeting your region's financial institutions.
