TCLBANKER: New Brazilian Banking Trojan Targets 59 Financial Institutions
A newly discovered Brazilian banking trojan, dubbed **TCLBANKER**, is targeting a wide range of financial platforms. The malware pairs environment-keyed payload decryption and other anti-analysis techniques with worm-like propagation via WhatsApp and Outlook, and gives its operators credential theft, full-screen social-engineering overlays and remote control of infected machines.
Threat hunters have identified a previously undocumented Brazilian banking trojan called **TCLBANKER** that is capable of targeting 59 banking, fintech, and cryptocurrency platforms.
This activity is being tracked by **Elastic Security Labs** under the moniker **REF3076**. The malware family is considered a major update of the Maverick trojan, which is known to leverage a worm called SORVEPOTEL to spread via WhatsApp Web. The Maverick campaign is attributed to a threat cluster that **Trend Micro** calls Water Saci.

### Attack Chain
At the core of the attack chain is a loader with robust anti-analysis capabilities that deploys two embedded modules: a full-featured banking trojan and a worm component that uses **WhatsApp** and **Microsoft Outlook** for propagation.
"The observed infection chain bundles a malicious MSI installer inside a ZIP file," researchers at **Elastic** said. "These MSI installer packages are abusing a signed **Logitech** program called Logi AI Prompt Builder."
The chain relies on DLL side-loading: the signed Logitech executable loads a malicious DLL ("screen_retriever_plugin.dll") that functions as a loader with what Elastic calls a "comprehensive watchdog subsystem." The watchdog continuously looks for analysis tools, sandboxes, debuggers, disassemblers, instrumentation tools and antivirus software so the malware can avoid running under observation.
The malicious DLL only executes if its host process is "logiaipromptbuilder.exe" (the **Logitech** program) or "tclloader.exe" (likely a reference to an executable used during testing), so loading it from a generic harness such as rundll32 yields nothing unless the harness is renamed to match. It also removes the user-mode hooks that endpoint security products place in "ntdll.dll", so its API calls reach the kernel unobserved, and disables Event Tracing for Windows (ETW) telemetry.
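As an added illustration (not Elastic's detection logic and not code from the sample), the following Python sketch hunts for this side-load pattern in Sysmon Event ID 7 (ImageLoad) records. It flags the named host loading the named DLL outright, and more generally any module the host pulls from its own directory without a valid signature from Logitech. The log lines are constructed, the paths and signer strings are invented, and the assumption that the malicious DLL lacks a valid Logitech signature is mine; the write-up does not say how the DLL is signed. Note that Sysmon does not emit ImageLoad events unless an `ImageLoad` rule is enabled in its configuration.

```python
"""Hunt for the Logitech side-load in Sysmon Event ID 7 (ImageLoad) records.

Added example, not Elastic's detection logic and not code from the sample.
Field names match Sysmon's ImageLoad event; the records below are constructed.
"""
import json
import ntpath
from typing import Optional

# From the write-up: the signed host that is abused and the DLL it side-loads.
SIDELOAD_HOSTS = {"logiaipromptbuilder.exe"}
KNOWN_BAD_MODULES = {"screen_retriever_plugin.dll"}
# Assumption: legitimate modules in the app directory carry a Logitech signature.
HOST_SIGNER = "logitech"


def is_suspicious_load(ev: dict) -> Optional[str]:
    """Return a reason when an ImageLoad event looks like the side-load, else None."""
    if ev.get("EventID") != 7:
        return None
    host = ntpath.basename(ev["Image"]).lower()
    module = ntpath.basename(ev["ImageLoaded"]).lower()
    if host not in SIDELOAD_HOSTS:
        return None
    if module in KNOWN_BAD_MODULES:
        return f"{host} loaded known loader DLL {module}"
    # Generic variant: side-loading plants a DLL in the application directory,
    # which the default search order tries before System32. A module from that
    # directory without a valid signature from the host's own vendor is suspect.
    same_dir = ntpath.dirname(ev["Image"]).lower() == ntpath.dirname(ev["ImageLoaded"]).lower()
    signed_ok = (str(ev.get("Signed", "")).lower() == "true"
                 and ev.get("SignatureStatus") == "Valid")
    vendor_ok = HOST_SIGNER in ev.get("Signature", "").lower()
    if same_dir and not (signed_ok and vendor_ok):
        return (f"{host} loaded {module} from its own directory; "
                f"Signed={ev.get('Signed')} Status={ev.get('SignatureStatus')} "
                f"Signer={ev.get('Signature')!r}")
    return None


def scan(jsonl: str) -> list:
    """Run the rule over newline-delimited JSON; returns (module basename, reason) pairs."""
    hits = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        reason = is_suspicious_load(ev)
        if reason:
            hits.append((ntpath.basename(ev["ImageLoaded"]).lower(), reason))
    return hits


# Constructed records: paths, user name and signer strings are invented.
SAMPLE_EVENTS = r"""
{"EventID": 7, "Image": "C:\\Users\\ana\\AppData\\Local\\LogiPrompt\\logiaipromptbuilder.exe", "ImageLoaded": "C:\\Windows\\System32\\ntdll.dll", "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"}
{"EventID": 7, "Image": "C:\\Users\\ana\\AppData\\Local\\LogiPrompt\\logiaipromptbuilder.exe", "ImageLoaded": "C:\\Users\\ana\\AppData\\Local\\LogiPrompt\\logi_core.dll", "Signed": "true", "Signature": "Logitech Inc", "SignatureStatus": "Valid"}
{"EventID": 7, "Image": "C:\\Users\\ana\\AppData\\Local\\LogiPrompt\\logiaipromptbuilder.exe", "ImageLoaded": "C:\\Users\\ana\\AppData\\Local\\LogiPrompt\\screen_retriever_plugin.dll", "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable"}
{"EventID": 7, "Image": "C:\\Users\\ana\\AppData\\Local\\LogiPrompt\\logiaipromptbuilder.exe", "ImageLoaded": "C:\\Users\\ana\\AppData\\Local\\LogiPrompt\\helper.dll", "Signed": "true", "Signature": "Some Other Publisher", "SignatureStatus": "Valid"}
{"EventID": 7, "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "ImageLoaded": "C:\\Program Files\\Google\\Chrome\\Application\\chrome_elf.dll", "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable"}
"""

if __name__ == "__main__":
    for module, reason in scan(SAMPLE_EVENTS):
        print(f"ALERT: {reason}")
```

The first two records (a System32 load and a Logitech-signed module from the app directory) pass; the third fires on the known DLL name and the fourth on a validly signed module from a different publisher sitting in the host's directory. The Chrome record is ignored because the rule is scoped to the abused host, which keeps the generic branch from drowning in noise from programs that legitimately ship unsigned helpers.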
### Evasion Techniques
The loader computes three fingerprints from anti-debugging, anti-virtualization, system disk and language checks and folds them into a single environment hash, from which the decryption keys for the embedded payload are derived. Because the key comes from the environment rather than from a constant in the binary, the payload only decrypts on a machine that looks like an intended victim; a sandbox or debugger changes the fingerprint, the derived key is wrong, and the payload stays encrypted. The language check requires the user's default language to be Brazilian Portuguese.
**Elastic** explained, "For example, if a debugger is present, it will produce an incorrect hash, so when the malware attempts to derive the decryption keys from the hash, the payload will not decrypt correctly, and **TCLBANKER** will stop executing."
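To make the mechanism concrete, here is an added Python model of environment-gated decryption. It is my illustration, not TCLBANKER's code: the check names, the hash layout and the toy cipher (SHA-256 in counter mode with an HMAC tag, so a wrong key is detected rather than producing garbage) are all assumptions standing in for whatever the real loader does. It also shows the analyst's counter: when the fingerprint collapses to a handful of boolean checks, the key space is tiny and the payload can be recovered by enumerating it offline. If a fingerprint folds in high-entropy data such as a disk serial number, that shortcut disappears and the analyst has to satisfy the check instead.

```python
"""Environment-gated payload decryption, and why a small gate can be brute-forced.

Added illustration, not TCLBANKER's code. Check names, hash layout and the toy
cipher are assumptions; the payload and environments below are constructed.
"""
import hashlib
import hmac
import itertools
from typing import Optional

# Assumed boolean checks; the real loader folds more detail into three fingerprints.
CHECKS = ("debugger", "virtualized", "disk_plausible", "lang_pt_br")


def environment_hash(env: dict) -> bytes:
    """Canonicalise the fingerprint so every check result influences the hash."""
    canonical = "|".join(f"{k}={int(env[k])}" for k in CHECKS)
    return hashlib.sha256(canonical.encode()).digest()


def derive_keys(env_hash: bytes) -> tuple:
    """Split the environment hash into an encryption key and an authentication key."""
    enc = hmac.new(env_hash, b"enc", hashlib.sha256).digest()
    mac = hmac.new(env_hash, b"mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(key: bytes, n: int) -> bytes:
    """Toy stream cipher: SHA-256 over key || counter (illustration only)."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def seal(payload: bytes, env: dict) -> bytes:
    """Operator side: encrypt the module under the key the victim environment yields."""
    enc, mac = derive_keys(environment_hash(env))
    ct = bytes(a ^ b for a, b in zip(payload, _keystream(enc, len(payload))))
    return hmac.new(mac, ct, hashlib.sha256).digest() + ct


def unseal(blob: bytes, env: dict) -> Optional[bytes]:
    """Loader side: returns the payload, or None when this environment gives the wrong key."""
    enc, mac = derive_keys(environment_hash(env))
    tag, ct = blob[:32], blob[32:]
    if not hmac.compare_digest(tag, hmac.new(mac, ct, hashlib.sha256).digest()):
        return None  # wrong key: this is where the loader simply stops executing
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc, len(ct))))


def brute_force(blob: bytes):
    """Analyst side: four boolean checks give only 2**4 possible keys, so try them all."""
    for bits in itertools.product((False, True), repeat=len(CHECKS)):
        env = dict(zip(CHECKS, bits))
        pt = unseal(blob, env)
        if pt is not None:
            return env, pt
    return None


# Constructed sample data: the environment the operator targets, and a sandbox.
VICTIM_ENV = {"debugger": False, "virtualized": False, "disk_plausible": True, "lang_pt_br": True}
SANDBOX_ENV = {"debugger": True, "virtualized": True, "disk_plausible": False, "lang_pt_br": False}
PAYLOAD = b"<embedded banking module, constructed stand-in>"
BLOB = seal(PAYLOAD, VICTIM_ENV)

if __name__ == "__main__":
    print("victim  :", unseal(BLOB, VICTIM_ENV))
    print("sandbox :", unseal(BLOB, SANDBOX_ENV))
    print("recovered:", brute_force(BLOB))
```

Run stand-alone, the victim environment yields the payload, the sandbox environment yields `None` (the loader's "stop executing" branch), and `brute_force` recovers both the payload and the exact environment the operator keyed it to, which is itself useful intelligence about the intended victim profile.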
### Trojan Functionality
The main component launched once these checks pass is the banking trojan. It verifies that it is running on a Brazilian system, establishes persistence through a scheduled task, and then sends an HTTP POST request containing basic system information to a remote server.
**TCLBANKER** incorporates a self-update mechanism and a URL monitor that extracts the current URL from the foreground browser's address bar using UI Automation. It targets popular browsers like **Google Chrome**, **Mozilla Firefox**, **Microsoft Edge**, **Brave**, **Opera**, and **Vivaldi**.
The extracted URL is matched against a list of targeted financial institutions. If there's a match, it establishes a WebSocket connection to a remote server and enters a command dispatch loop, enabling the operator to perform various tasks:
* Run shell commands
* Capture screenshots
* Start/stop screen streaming
* Manipulate clipboard
* Launch a keylogger
* Remotely control mouse/keyboard
* Manage files and processes
* Enumerate running processes
* List visible windows
* Serve fake credential-stealing overlays
For data theft, **TCLBANKER** uses a Windows Presentation Foundation (WPF)-based full-screen overlay framework for social engineering: credential-harvesting prompts, vishing wait screens, bogus progress bars and fake Windows Update screens, all hidden from screen-capture tools. Combined with the screen streaming and remote mouse and keyboard control listed above, these overlays keep the victim idle in front of a plausible window while the operator acts in the authenticated banking session behind it.
### Worm Propagation
In tandem, the loader invokes the worming module to propagate the trojan via spam and phishing messages at scale. It employs a two-pronged approach that involves a **WhatsApp** Web worm and an **Outlook** email bot.
Like **SORVEPOTEL**, the **WhatsApp** worm retrieves a messaging template from the server and leverages the open-source project WPPConnect to automate message sending, filtering out groups, broadcasts, and non-Brazilian numbers.
The **Outlook** agent is an email spambot that abuses the victim's installed **Microsoft Outlook** application to send phishing emails from the victim's own mailbox. Because the messages originate from a legitimate account through a legitimate mail client, they inherit that account's sender reputation, which is why reputation-based spam filtering tends to let them through.
### Conclusion
"**TCLBANKER** reflects a broader maturation happening across the Brazilian banking trojan ecosystem," **Elastic** concluded. "Techniques that were once the hallmark of more sophisticated threat actors: environment-gated payload decryption, direct syscall generation, real-time social engineering orchestration over WebSocket, are now being packaged into commodity crimeware."
"The campaign inherits the trust and deliverability of legitimate communications by hijacking victims' **WhatsApp** sessions and **Outlook** accounts. This is a distribution model that traditional email gateways and reputation-based defenses are ill-equipped to catch."