Overview
Researchers at Elastic Security Labs have uncovered a new banking trojan named TCLBanker, targeting 59 banking, fintech, and cryptocurrency platforms. Distributed via a trojanized MSI installer for Logitech AI Prompt Builder, TCLBanker represents a major evolution of the Maverick/Sorvepotel malware family, adding self‑spreading worm modules for WhatsApp and Outlook.
Infection Chain
- Loader Technique: DLL side‑loading within the legitimate Logitech app, evading detection.
- Anti‑Analysis Features:
  - Environment‑dependent payload decryption.
  - Watchdog thread hunting for tools like IDA, Ghidra, x64dbg, dnSpy, and ProcessHacker.
- Targeting Scope: Currently focused on Brazil (locale, timezone, keyboard checks), but LATAM malware often expands globally.
Capabilities
Once active, TCLBanker monitors browser activity and launches attacks when victims access targeted platforms:
- Data Theft: Keylogging, clipboard hijacking, screenshots, live screen streaming.
- Remote Control: Shell execution, file system access, process enumeration, mouse/keyboard control.
- Persistence: Kills Task Manager to conceal activity.
- Overlay Attacks: Fake credential prompts, PIN keypads, “bank support” screens, and even fake Windows Update overlays to trick victims into entering sensitive data.
Worm Modules
- WhatsApp Worm:
  - Hijacks WhatsApp Web IndexedDB data from Chromium profiles.
  - Launches hidden browser sessions to send spam messages via victim accounts.
  - Filters for Brazilian numbers, spreading malware links.
- Outlook Worm:
  - Uses COM automation to harvest contacts and sender addresses.
  - Sends phishing emails through the victim’s Outlook account.
Defensive Guidance
- Vendor Awareness: Be cautious of trojanized installers masquerading as legitimate apps.
- Endpoint Protection: Monitor DLL side‑loading and suspicious overlay activity.
- User Training: Educate employees about phishing lures arriving via WhatsApp or Outlook.
- Threat Hunting: Look for persistence mechanisms (disabled Task Manager, watchdog threads).
- Regional Vigilance: LATAM malware often expands beyond initial geographies — prepare for broader targeting.
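As an added illustration of the endpoint-protection and threat-hunting guidance above (example code written for this summary, not code from Elastic Security Labs or from the original report), the Python below runs two hunting heuristics over Sysmon-style event records: a signed-looking application loading an unsigned DLL that sits beside it in a user-writable directory (the side-loading shape described in the infection chain), and a registry write that disables Task Manager. Field names follow Sysmon's ImageLoad (Event ID 7) and RegistryEvent SetValue (Event ID 13) schema; the event records, user names and paths are constructed, and the use of the DisableTaskMgr policy value is an assumption for the hunt, since the report only says the trojan kills Task Manager.

```python
"""Two hunting heuristics over Sysmon-style events (constructed sample data).

Rule 1 (dll_sideload): Event ID 7 where an application loads an unsigned DLL
from its own directory and that directory is one an unprivileged user can
write to (profile, Downloads, ProgramData, Windows\\Temp).
Rule 2 (taskmgr_disabled): Event ID 13 SetValue writing DisableTaskMgr = 1.
The DisableTaskMgr key is a real Windows policy value; that TCLBanker uses it
is an assumption made for this example.
"""
from __future__ import annotations

import ntpath
import re
from typing import Iterable

# Directories a normal user can write to; a DLL loaded from here beside the
# host executable is the classic side-loading layout.
USER_WRITABLE = re.compile(
    r"^(?:[a-z]:\\users\\[^\\]+\\(?:appdata|downloads|desktop|documents)\\"
    r"|[a-z]:\\programdata\\"
    r"|[a-z]:\\windows\\temp\\)",
    re.IGNORECASE,
)

# Policy value that disables Task Manager (HKCU\...\Policies\System).
TASKMGR_POLICY = re.compile(
    r"\\software\\microsoft\\windows\\currentversion\\policies\\system\\disabletaskmgr$",
    re.IGNORECASE,
)


def is_sideload_candidate(event: dict) -> bool:
    """Sysmon Event ID 7: unsigned DLL loaded from the host process's own
    directory, where that directory is user-writable."""
    if event.get("EventID") != 7:
        return False
    host = event.get("Image", "")
    loaded = event.get("ImageLoaded", "")
    same_dir = ntpath.dirname(host).lower() == ntpath.dirname(loaded).lower()
    return (
        loaded.lower().endswith(".dll")
        and event.get("Signed", "false").lower() != "true"  # DLL has no valid signature
        and same_dir
        and bool(USER_WRITABLE.match(loaded))
    )


def is_taskmgr_disabled(event: dict) -> bool:
    """Sysmon Event ID 13 (SetValue) writing DisableTaskMgr = DWORD 1."""
    if event.get("EventID") != 13 or event.get("EventType") != "SetValue":
        return False
    target = event.get("TargetObject", "")
    details = event.get("Details", "")
    return bool(TASKMGR_POLICY.search(target)) and "0x00000001" in details.lower()


def hunt(events: Iterable[dict]) -> list[tuple[str, str]]:
    """Return (rule_name, process image) for every event a rule matches."""
    hits: list[tuple[str, str]] = []
    for ev in events:
        if is_sideload_candidate(ev):
            hits.append(("dll_sideload", ev["Image"]))
        elif is_taskmgr_disabled(ev):
            hits.append(("taskmgr_disabled", ev["Image"]))
    return hits


# Constructed sample telemetry: two benign records and two that should fire.
SUSPECT_EXE = r"C:\Users\alice\Downloads\VendorApp\VendorApp.exe"
SID = r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001"
SAMPLE_EVENTS = [
    # Benign: signed system DLL loaded from System32.
    {"EventID": 7, "Image": r"C:\Program Files\Vendor\app.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": "true"},
    # Suspicious: unsigned helper.dll loaded from beside an exe in Downloads.
    {"EventID": 7, "Image": SUSPECT_EXE,
     "ImageLoaded": r"C:\Users\alice\Downloads\VendorApp\helper.dll", "Signed": "false"},
    # Benign: unrelated policy value written by a system process.
    {"EventID": 13, "EventType": "SetValue", "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": SID + r"\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA",
     "Details": "DWORD (0x00000001)"},
    # Suspicious: Task Manager disabled by the same user-profile executable.
    {"EventID": 13, "EventType": "SetValue", "Image": SUSPECT_EXE,
     "TargetObject": SID + r"\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr",
     "Details": "DWORD (0x00000001)"},
]

if __name__ == "__main__":
    for rule, image in hunt(SAMPLE_EVENTS):
        print(f"{rule}: {image}")
```

Both rules fire on the same user-profile executable in the sample data, which is the correlation a hunter would pivot on: a side-loaded DLL followed by an anti-analysis registry change from the same process is far stronger than either signal alone. On real telemetry, pair the side-loading rule with the Signature and Hashes fields of Event ID 7 so that known-good unsigned DLLs can be allow-listed.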
Final Thought
TCLBanker exemplifies the evolution of LATAM banking malware, combining credential theft with worm‑like propagation across everyday communication platforms. By embedding itself in trusted apps and leveraging social channels like WhatsApp and Outlook, it lowers the barrier for cybercriminals to launch large‑scale campaigns. For defenders, the takeaway is clear: malware is no longer confined to endpoints — it spreads through the apps and accounts users trust most.