
TCLBANKER: New Brazilian Banking Trojan Spreads via WhatsApp and Email Worms

Last updated: 2026-05-10 16:03:38 · Finance & Crypto

Overview of the TCLBANKER Threat

Cybersecurity researchers have uncovered a sophisticated banking trojan, designated TCLBANKER, that specifically targets financial institutions, fintech platforms, and cryptocurrency services. This new malware family, tracked by Elastic Security Labs under the identifier REF3076, represents a significant evolution from its predecessor, the Maverick Trojan. TCLBANKER is designed to compromise user credentials and financial data across a wide range of platforms, with a particular focus on the Brazilian digital ecosystem.

TCLBANKER: New Brazilian Banking Trojan Spreads via WhatsApp and Email Worms
Source: feeds.feedburner.com

Origins and Evolution

TCLBANKER is considered a major update of the previously known Maverick banking trojan. Maverick was notable for its use of a worm component called SORVEPOTEL, which allowed it to propagate through messaging applications and email services. The new variant inherits and enhances these propagation methods, making it more effective and dangerous than its earlier iteration.

The Maverick Trojan Lineage

The Maverick Trojan family has been active in Brazil for several years, primarily targeting online banking users. Its hallmark was the SORVEPOTEL worm, which automatically sent infected links to WhatsApp contacts and Outlook email recipients. TCLBANKER builds upon this foundation with improved evasion techniques, broader targeting, and more modular capabilities.

Propagation Mechanisms: WhatsApp and Outlook Worms

TCLBANKER spreads through two primary channels: WhatsApp messaging and Outlook email. The worm-like behavior automatically sends malicious links to the victim's contacts, amplifying the infection rate. This social engineering approach exploits trust within personal and professional networks.

WhatsApp Worm Component

Once a device is infected, TCLBANKER accesses the victim's WhatsApp account to send messages containing a link to the malware. The message typically uses urgent or financial-themed lures, such as fake payment notifications or security alerts. Recipients who click the link are then prompted to download a malicious APK or file.

Outlook Email Worm Component

Similarly, the trojan harvests Outlook email contacts and sends crafted phishing emails with infected attachments or links. These emails often impersonate trusted financial institutions or internal company communications, increasing the likelihood of user interaction.

Targeted Platforms and Capabilities

TCLBANKER is capable of targeting 59 distinct banking, fintech, and cryptocurrency platforms. This broad scope suggests the attackers aim to compromise users across multiple financial services rather than focusing on a single institution. The malware's capabilities include:

  • Credential theft through overlay attacks (fake login screens)
  • Session hijacking by intercepting one-time passwords (OTPs) and cookies
  • Keylogging to capture typed data
  • SMS interception for bypassing two-factor authentication
  • Remote access to the device (in the Android variant)

Technical Analysis

Infection Chain

The initial infection typically begins when a user receives a fraudulent message via WhatsApp or email containing a link to a malicious download. The downloaded file may be disguised as a PDF, document, or APK. Upon execution, the trojan establishes persistence and communicates with a command-and-control (C2) server to receive updated configuration and targeting instructions.


Key Improvements Over Maverick

Elastic Security Labs notes that TCLBANKER introduces several technical advances:

  1. Enhanced Obfuscation: The malware uses more sophisticated code packing and encryption to evade detection.
  2. Modular Design: It can download additional plugins to adapt to different targets or bypass new security measures.
  3. Improved Worm Propagation: The SORVEPOTEL component now works more reliably across different versions of WhatsApp and Outlook.
  4. Target Customization: The malware can be configured to attack specific platforms based on the victim's location or banking habits.

Mitigation and Prevention

To defend against TCLBANKER and similar threats, users and organizations should adopt the following best practices:

  • Verify Links: Always double-check URLs before clicking, especially in unexpected messages from known contacts.
  • Enable Two-Factor Authentication (2FA): Use app-based or hardware tokens rather than SMS-based 2FA, as trojans can intercept SMS.
  • Keep Software Updated: Ensure mobile devices, antivirus, and operating systems receive the latest security patches.
  • Beware of Social Engineering: Train employees and family members to recognize phishing attempts in messaging apps and email.
  • Use Reputable Security Tools: Deploy endpoint detection and response (EDR) solutions that can identify trojan behavior.
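The worm components described above share one observable trait: a single account sends the same link to many distinct contacts within minutes. The script below is an added example, not code from Elastic Security Labs or from this article; it shows how a security team could flag that fan-out pattern in an exported outbound-message log. It assumes a constructed log format (timestamp, sender, recipient, first URL in the body), and the window and recipient threshold are assumed values to be tuned per environment.

```python
"""
Flag worm-like link fan-out in an outbound messaging log.

Added example (not Elastic's or the article's code). Assumes an exported
outbound-message log with one whitespace-separated line per message:
timestamp, sender, recipient, first URL in the body. Format, sample
lines, window size and threshold are all constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed sample log: alice behaves normally; dave shows worm-like
# behaviour (one link to six distinct contacts in about ten seconds).
SAMPLE_LOG = """\
2026-05-10T09:00:05Z alice@corp.example bob@corp.example https://intranet.corp.example/report-q2
2026-05-10T09:14:40Z alice@corp.example carol@corp.example https://intranet.corp.example/report-q2
2026-05-10T10:02:01Z dave@corp.example contact01@partner.example https://cdn.example.invalid/comprovante.zip?r=1
2026-05-10T10:02:03Z dave@corp.example contact02@partner.example https://cdn.example.invalid/comprovante.zip?r=2
2026-05-10T10:02:04Z dave@corp.example contact03@partner.example https://cdn.example.invalid/comprovante.zip?r=3
2026-05-10T10:02:06Z dave@corp.example contact04@partner.example https://cdn.example.invalid/comprovante.zip?r=4
2026-05-10T10:02:09Z dave@corp.example contact05@partner.example https://cdn.example.invalid/comprovante.zip?r=5
2026-05-10T10:02:11Z dave@corp.example contact06@partner.example https://cdn.example.invalid/comprovante.zip?r=6
2026-05-10T10:40:00Z dave@corp.example erin@corp.example https://intranet.corp.example/lunch-menu
"""


def parse_log(text):
    """Parse log lines into (timestamp, sender, recipient, url) tuples, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sender, recipient, url = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       sender.lower(), recipient.lower(), url))
    events.sort(key=lambda e: e[0])
    return events


def link_key(url):
    """Normalise a URL to (host, path); per-recipient query strings must not split the count."""
    parts = urlsplit(url)
    return (parts.netloc.lower(), parts.path)


def detect_fanout(events, window=timedelta(minutes=10), min_recipients=5):
    """Return alerts for (sender, link) pairs that reached at least
    min_recipients distinct recipients inside any sliding time window."""
    by_pair = defaultdict(list)  # (sender, link) -> [(timestamp, recipient)]
    for ts, sender, recipient, url in events:
        by_pair[(sender, link_key(url))].append((ts, recipient))

    alerts = []
    for (sender, key), hits in by_pair.items():
        hits.sort()
        start, best, best_span = 0, 0, None
        for end in range(len(hits)):
            # Shrink the window from the left until it fits.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            distinct = {r for _, r in hits[start:end + 1]}
            if len(distinct) > best:
                best, best_span = len(distinct), (hits[start][0], hits[end][0])
        if best >= min_recipients:
            alerts.append({
                "sender": sender,
                "link": key[0] + key[1],
                "recipients": best,
                "first_seen": best_span[0].isoformat(),
                "last_seen": best_span[1].isoformat(),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_fanout(parse_log(SAMPLE_LOG)):
        print(alert)
```

The link is keyed on host and path rather than the full URL so that per-recipient tracking parameters do not fragment the count, and the window is sliding rather than bucketed so a burst that straddles a bucket boundary is still caught. A hit on this rule is a trigger for isolating the sending endpoint and reviewing the link, not a conviction on its own; internal broadcast senders will need an allow-list.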

Implications for the Brazilian Financial Sector

Brazil has been a hotspot for banking trojans due to the high adoption of online banking and cryptocurrency trading. TCLBANKER's focus on 59 platforms indicates a sophisticated threat actor with specific regional knowledge. Financial institutions should monitor for signs of this trojan and collaborate with security researchers to share indicators of compromise (IOCs).

Conclusion

TCLBANKER represents a dangerous evolution in the Brazilian banking trojan landscape. Its ability to spread via WhatsApp and Outlook worms, combined with its advanced features, makes it a formidable threat to both individual users and financial organizations. By understanding its propagation methods and technical capabilities, security teams can better prepare defenses and mitigate potential damage.