Security researchers have identified a sophisticated new threat originating from Brazil: the TCLBANKER trojan. Tracked as campaign REF3076, this malware is a significant upgrade to the notorious Maverick and Sorvepotel families. It specifically targets 59 financial platforms, including major banks, fintech apps, and cryptocurrency exchanges.
What makes TCLBANKER particularly dangerous is its delivery method. Instead of relying on obviously suspicious files, it hitches a ride on a legitimate, digitally signed application from Logitech, tricking both users and security software into trusting the infection.
The Attack: Abusing the “Logi AI Prompt Builder”
The infection begins when a victim downloads a ZIP archive containing a malicious MSI installer. This installer deploys a legitimate, signed version of Logi AI Prompt Builder, an official Logitech tool built on the Flutter framework.
How the Sideloading Works:
- The Bait: The malware uses a technique called DLL Sideloading.
- The Switch: When the legitimate LogiAiPromptBuilder.exe runs, it is forced to load a malicious file disguised as a standard plugin: screen_retriever_plugin.dll.
- The Result: Because the primary program is officially signed by Logitech, the malicious DLL runs with “borrowed” trust, often bypassing Windows Defender and other endpoint protections.
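Defenders can hunt for this sideloading pattern in image-load telemetry. The Python below is an added example, not code from the researchers' report or from Logitech; it applies a generic "signed host loads an untrusted DLL from its own directory" heuristic plus the campaign-specific file names to constructed Sysmon Event ID 7 style records (the install path and signer strings are assumptions).

```python
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Indicators named in the report: the signed Logitech host binary and the
# plugin file name the malicious DLL impersonates.
SIGNED_HOST = "LogiAiPromptBuilder.exe"
SIDELOADED_DLL = "screen_retriever_plugin.dll"

@dataclass
class ImageLoad:
    """One Sysmon Event ID 7 (image loaded) record, reduced to the fields used here."""
    image: str            # process that performed the load (Sysmon "Image")
    image_loaded: str     # DLL that was mapped (Sysmon "ImageLoaded")
    process_signer: str   # signer of the process, "" if unsigned
    dll_signer: str       # signer of the DLL, "" if unsigned
    dll_sig_status: str   # Sysmon "SignatureStatus" of the DLL, e.g. "Valid"

def sideload_findings(ev: ImageLoad) -> list[str]:
    """Return reasons this image load looks like DLL sideloading (empty list = nothing)."""
    exe, dll = PureWindowsPath(ev.image), PureWindowsPath(ev.image_loaded)
    findings = []
    dll_ok = ev.dll_sig_status.lower() == "valid"
    # Generic pattern: a signed host maps a DLL from its own directory that is unsigned,
    # has a broken signature, or is signed by someone else. Some legitimate apps ship
    # unsigned plugins, so treat this as a lead to verify against vendor file hashes.
    if ev.process_signer and exe.parent == dll.parent and dll.suffix.lower() == ".dll":
        if not dll_ok:
            findings.append(f"signed {exe.name} loaded unsigned/invalid {dll.name}")
        elif ev.dll_signer != ev.process_signer:
            findings.append(f"signer mismatch: host {ev.process_signer!r}, DLL {ev.dll_signer!r}")
    # Campaign-specific pattern from the report above.
    if (exe.name.lower() == SIGNED_HOST.lower()
            and dll.name.lower() == SIDELOADED_DLL.lower() and not dll_ok):
        findings.append("REF3076 pattern: Logi AI Prompt Builder loading an untrusted screen_retriever_plugin.dll")
    return findings

def scan(events: list[ImageLoad]) -> dict[str, list[str]]:
    """Map each suspicious loaded image path to its findings."""
    return {e.image_loaded: f for e in events if (f := sideload_findings(e))}

# Constructed sample telemetry (not real events); the path and signer strings are assumptions.
APP_DIR = r"C:\Users\victim\AppData\Local\Programs\LogiAiPromptBuilder"
SAMPLE_EVENTS = [
    ImageLoad(rf"{APP_DIR}\LogiAiPromptBuilder.exe", rf"{APP_DIR}\screen_retriever_plugin.dll",
              "Logitech Inc", "", "Unavailable"),                      # the sideload
    ImageLoad(rf"{APP_DIR}\LogiAiPromptBuilder.exe", r"C:\Windows\System32\kernel32.dll",
              "Logitech Inc", "Microsoft Windows", "Valid"),           # normal OS DLL
    ImageLoad(rf"{APP_DIR}\LogiAiPromptBuilder.exe", rf"{APP_DIR}\flutter_windows.dll",
              "Logitech Inc", "Logitech Inc", "Valid"),                # vendor-signed plugin
]
```

Running `scan(SAMPLE_EVENTS)` flags only the first record, with both the generic and the campaign-specific reason.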
Stealth and Anti-Analysis: The Digital Ghost
TCLBANKER is designed to be invisible to security researchers. Before it even begins its work, it performs a rigorous “pre-flight check” of the system environment:
- Environmental Gating: The malware generates a unique system hash based on your hardware. If it detects a virtual machine (VMware, VirtualBox, KVM) or common analysis tools, the payload simply refuses to decrypt.
- Targeting Brazil: To ensure it only hits its intended victims, the loader verifies the system has at least 64GB of disk space, two CPU cores, and is set to Brazilian Portuguese language and timezone.
- Telemetry Sabotage: Once active, the malware patches Event Tracing for Windows (ETW), effectively “blinding” the operating system’s ability to report its malicious behavior to security logs.
Execution: Fake Overlays and Live Fraud
Once the malware confirms it is on a genuine victim’s machine, it begins monitoring the browser address bar using Windows UI Automation.
If a user navigates to a targeted bank or crypto exchange, TCLBANKER activates:
- Invisible Overlays: It renders full-screen, WPF-based “fake” screens over the real website. These include fake login prompts, vishing “Please Wait” messages, and even fake Windows Update screens to stall the user.
- Anti-Screenshot Tech: These overlays use advanced “window display affinity” settings, meaning they appear on your monitor but are completely invisible to screen-sharing software or capture tools.
- C2 Command: A live operator can then take over the session to capture MFA codes or authorize fraudulent transactions in real-time.
Self-Propagation: The Viral Worm Modules
TCLBANKER doesn’t just sit on one machine; it tries to infect everyone you know through two “worm” modules:
- The WhatsApp Bot: It clones your local browser profile and IndexedDB storage to hijack your WhatsApp Web session without needing a new QR code. It then sends malicious download links to your entire contact list.
- The Outlook Bot: It uses Microsoft COM automation to seize control of your Outlook account, harvesting your address book and sending phishing emails from your real, trusted address.