TCLBANKER: The Self-Propagating Worm Hijacking WhatsApp and Outlook

Cybersecurity researchers at Elastic Security Labs have identified a sophisticated new threat dubbed TCLBANKER (tracked as REF3076). Representing a major evolution of the Maverick and SORVEPOTEL malware families, this Brazilian banking trojan isn’t just designed to steal credentials—it’s designed to propagate like a worm.

By hijacking legitimate communication channels like WhatsApp Web and Microsoft Outlook, TCLBANKER spreads autonomously through a victim’s own trusted accounts, making the malicious messages nearly impossible for standard security filters to catch.


The Infection: Abusing Trusted Software

The attack begins with a “Trojanized” installer bundled in a ZIP file. The malware creators leverage a clever DLL side-loading technique against a real, digitally signed application: Logi AI Prompt Builder from Logitech.

  1. The Decoy: The victim runs what looks like a legitimate Logitech setup.
  2. The Side-Load: The trusted Logitech executable is tricked into loading a malicious file named screen_retriever_plugin.dll masquerading as a Flutter plugin.
  3. The Stealth Check: Before activating, TCLBANKER performs an “environmental gate” check. It verifies the system language, time zone, and disk size to ensure it is on a real Brazilian user’s machine and not a security researcher’s sandbox.

Worm Module 1: WhatsApp Web Session Hijacking

Once the host is compromised, the malware focuses on expansion. The WhatsApp worm module is particularly aggressive:

  • No QR Code Needed: Instead of asking for a new login, TCLBANKER clones existing authenticated browser sessions (from Chrome, Edge, or Vivaldi).
  • Headless Hijack: It opens a hidden browser window, bypasses bot detection, and accesses the victim’s contact list.
  • Mass Messaging: It sends the malicious ZIP file and a phishing lure to the victim’s contacts. Because the message comes from a “friend,” the conversion rate for new infections is incredibly high.

Worm Module 2: Outlook Automation

For corporate targets, TCLBANKER deploys its Outlook module. It uses Windows COM automation to take control of the email client in the background.

  • Contact Harvesting: The malware sweeps the address book and inbox history for fresh targets.
  • Trusted Phishing: It sends out new emails—styled as invoices or tax documents—directly from the infected user’s legitimate mailbox. Because the messages genuinely originate from that account, they pass sender-authentication checks such as SPF, DKIM and DMARC as well as reputation-based email gateways.

The Heist: WPF Overlays and Bank Monitoring

While the worm modules spread the infection, the banking component focuses on the theft. It monitors the browser’s address bar via UI Automation for 59 specific banking, fintech, and crypto domains.

When a victim visits a targeted site, TCLBANKER triggers Windows Presentation Foundation (WPF) full-screen overlays. These prompts:

  • Freeze the Desktop: Block shortcuts like the Windows key or Escape.
  • Bypass Security: Disable screen-capture tools so the fraud cannot be recorded.
  • Social Engineering: Mimic official bank security screens or “Windows Update” progress bars to trick users into entering 2FA codes and PINs.

Defense and Indicators of Compromise (IoCs)

To defend against TCLBANKER, security teams should monitor for Logitech-signed processes running from unexpected locations (especially %LocalAppData%) and for unusual browser profile cloning.

Type      Indicator (Defanged)                       Description
SHA-256   63beb7372098c03baab77e0dfc8e5dca5e...      Initial Malicious ZIP Archive
SHA-256   701d51b7be8b034c860bf97847bd59a8...        screen_retriever_plugin.dll (Loader)
Domain    campanha1-api.ef971a42[.]workers.dev       Cloudflare C2 Infrastructure
Domain    documents.ef971a42.workers[.]dev           Malware Delivery Server
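The following script is an added example (not Elastic's detection rules or any code from the TCLBANKER report) showing how the defensive guidance above and the IoC table can be turned into concrete checks run over endpoint telemetry. It refangs the published domains, matches the truncated hashes by prefix exactly as they appear in the table, and flags the behaviours the article describes: a Logitech-named binary running from %LocalAppData%, the screen_retriever_plugin.dll loader, a browser launched by that binary, and DNS lookups of the C2 domains. The event records and file paths (including the executable name LogiAiPromptBuilder.exe) are constructed for illustration; the pairing of Chromium's real --headless and --user-data-dir switches as a "cloned profile" heuristic is our assumption, not something the article states.

```python
import re

# Indicators copied from the article's IoC table, still defanged. The SHA-256
# values are truncated exactly as published, so they are matched by prefix.
IOC_DOMAINS_DEFANGED = [
    "campanha1-api.ef971a42[.]workers.dev",  # Cloudflare C2 infrastructure
    "documents.ef971a42.workers[.]dev",      # malware delivery server
]
IOC_SHA256_PREFIXES = [
    "63beb7372098c03baab77e0dfc8e5dca5e",  # initial malicious ZIP archive
    "701d51b7be8b034c860bf97847bd59a8",    # screen_retriever_plugin.dll loader
]
LOADER_DLL = "screen_retriever_plugin.dll"

# Assumption: the trojanized installer runs the genuine Logi AI Prompt Builder
# binary, whose exact filename is not in the article, so key on "logi".
LOGITECH_IMAGE = re.compile(r"logi", re.IGNORECASE)
LOCALAPPDATA = re.compile(r"\\AppData\\Local\\", re.IGNORECASE)
BROWSERS = ("chrome.exe", "msedge.exe", "vivaldi.exe")  # browsers named in the article


def refang(indicator: str) -> str:
    """Turn a defanged indicator back into a string that matches real telemetry."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(event: dict) -> list:
    """Return the names of every detection rule a single telemetry event triggers."""
    hits = []
    kind = event.get("type")
    image = event.get("image", "")
    parent = event.get("parent", "")
    if kind == "process":
        if LOGITECH_IMAGE.search(basename(image)) and LOCALAPPDATA.search(image):
            hits.append("logitech_from_localappdata")
        if basename(image) in BROWSERS and LOGITECH_IMAGE.search(basename(parent)):
            hits.append("browser_spawned_by_logitech")
        cmd = event.get("cmdline", "").lower()
        # Assumed heuristic for a cloned session: hidden window plus a copied
        # profile directory. Both switches are real Chromium flags.
        if basename(image) in BROWSERS and "--user-data-dir" in cmd and "--headless" in cmd:
            hits.append("headless_browser_with_custom_profile")
    elif kind == "image_load":
        if basename(event.get("loaded", "")) == LOADER_DLL:
            hits.append("known_loader_dll_name")
        sha = event.get("sha256", "").lower()
        if any(sha.startswith(p) for p in IOC_SHA256_PREFIXES):
            hits.append("known_loader_dll_hash")
    elif kind == "dns":
        c2 = {refang(d) for d in IOC_DOMAINS_DEFANGED}
        if event.get("query", "").lower() in c2:
            hits.append("dns_to_c2_domain")
    return hits


def scan(events: list) -> list:
    """Return (event index, triggered rules) for every event that fired a rule."""
    return [(i, evaluate(e)) for i, e in enumerate(events) if evaluate(e)]


# Constructed telemetry, modelled on the behaviours the article describes.
LOGI_PATH = r"C:\Users\ana\AppData\Local\Temp\LogiAiPromptBuilder\LogiAiPromptBuilder.exe"
SAMPLE_EVENTS = [
    {"type": "process", "image": LOGI_PATH, "parent": r"C:\Windows\explorer.exe",
     "cmdline": LOGI_PATH},
    {"type": "image_load", "image": LOGI_PATH,
     "loaded": r"C:\Users\ana\AppData\Local\Temp\LogiAiPromptBuilder\screen_retriever_plugin.dll",
     # published 32-char prefix followed by constructed zero padding
     "sha256": "701d51b7be8b034c860bf97847bd59a8" + "0" * 32},
    {"type": "process", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "parent": LOGI_PATH,
     "cmdline": r'chrome.exe --headless --user-data-dir="C:\Users\ana\AppData\Local\Temp\wa-clone"'},
    {"type": "dns", "process": LOGI_PATH, "query": "campanha1-api.ef971a42.workers.dev"},
    # Benign controls: a properly installed copy, and an unrelated lookup.
    {"type": "process", "image": r"C:\Program Files\Logitech\LogiAiPromptBuilder\LogiAiPromptBuilder.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "LogiAiPromptBuilder.exe"},
    {"type": "dns", "process": r"C:\Windows\System32\svchost.exe", "query": "www.example.com"},
]

if __name__ == "__main__":
    for index, rules in scan(SAMPLE_EVENTS):
        print(f"event {index}: {', '.join(rules)}")
```

The benign control events are there to show the rules do not fire on a Logitech binary installed under Program Files or on ordinary DNS traffic; in production the same logic maps directly onto Sysmon event IDs 1 (process create), 7 (image load) and 22 (DNS query), and the hash check should be replaced with the full SHA-256 values from the Elastic report once obtained.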
