- Cybersecurity researchers have uncovered a new Brazilian banking trojan named TCLBANKER, which targets 59 banking, fintech, and cryptocurrency platforms.
- The malware spreads via malicious MSI installers and employs sophisticated anti-analysis checks, including generating a unique environment hash to decrypt its payload.
- It features real-time social engineering and credential theft via overlays, and hijacks victims’ WhatsApp Web sessions and Microsoft Outlook accounts for further propagation.
Threat hunters have identified a previously undocumented Brazilian banking trojan, dubbed TCLBANKER, which is capable of targeting 59 banking, fintech, and cryptocurrency platforms. The activity is being tracked by Elastic Security Labs under the moniker REF3076.
At the core of the infection chain is a malicious MSI installer, bundled inside a ZIP file, that abuses a signed Logitech program. According to the researchers, the installer deploys a loader with a comprehensive watchdog subsystem designed to evade analysis tools.
The loader performs rigorous anti-debugging and system checks and uses their results to build an environment hash that is used for payload decryption. As a result, the trojan runs only if it confirms that the system’s default language is Brazilian Portuguese.
Once active, the banking trojan establishes persistence and beacons to an external server. It also monitors URLs from major browsers and matches them against a hard-coded list of targeted financial institutions.
Upon a match, it establishes a WebSocket connection, enabling remote operators to run commands. These capabilities include capturing screenshots, starting a keylogger, and serving fake credential-stealing overlays.
For data theft, TCLBANKER uses a WPF-based overlay framework to display convincing social engineering prompts. Meanwhile, its worming module propagates the trojan via hijacked WhatsApp Web sessions and a Microsoft Outlook email spambot.
The WhatsApp worm fetches message templates from a server and leverages the UI Automation project to automate sending them. The Outlook agent, for its part, sends phishing emails from the victim’s own account to bypass spam filters.
Elastic concluded that “TCLBANKER reflects a broader maturation happening across the Brazilian banking trojan ecosystem.” This distribution model hijacks the trust of legitimate communications, making it difficult for traditional defenses to catch.
