TCLBanker Trojan Spreads via WhatsApp and Outlook, Targets Banking Platforms
A new banking trojan, **TCLBanker**, is targeting 59 banking, fintech, and cryptocurrency platforms, using a trojanized **Logitech AI Prompt Builder** MSI installer for initial infection. The malware includes self-spreading worm modules for both **WhatsApp** and **Outlook**, which let it infect new victims automatically by hijacking the victim's accounts and sending malicious messages to their contacts.

**TCLBanker** is a sophisticated trojan targeting a wide range of financial platforms. Discovered by **Elastic Security Labs**, researchers believe it represents a significant evolution of the older Maverick/Sorvepotel malware family.
While currently focused on Brazil, with checks for timezone, keyboard layout, and locale, the potential for expansion to other regions remains a concern, as seen with other LATAM malware in the past.
## TCLBanker Capabilities
**Elastic** warns that **TCLBanker** is heavily protected against analysis and debugging. It employs environment-dependent payload decryption routines designed to fail in sandboxes or analyst environments. A persistent watchdog thread actively searches for and terminates analysis tools such as x64dbg, IDA, dnSpy, Frida, ProcessHacker, Ghidra, and de4dot.

*Monitoring for targeted processes. Source: Elastic*
The malware is loaded within the context of the legitimate **Logitech** application using DLL side-loading, helping it evade detection by security products. Researchers suggest that AI may have been used in the malware's development, based on code artifacts.
The banking module monitors the browser address bar every second using **Windows** UI Automation APIs, watching for access to any of the 59 targeted platforms. Upon detection, it establishes a WebSocket session with the command-and-control (C2) server, sending victim and system information, and initiating remote control operations. These operations include:
* Live screen streaming
* Screenshot capturing
* Keylogging
* Clipboard hijacking
* Shell command execution
* Window management
* File system access
* Process enumeration
* Remote mouse/keyboard control
During active sessions, the **Task Manager** process is terminated to prevent disruption and conceal malicious activity.
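Two of the behaviours described above, the watchdog thread that terminates analysis tools and Task Manager, and the DLL side-loading inside a legitimate application, leave a recognisable trace in endpoint telemetry. The following is an added example of detection logic over constructed sample events; it is not code from Elastic or from the malware analysis, the event shape is a simplified Sysmon-like record, and the file names and paths (including the Logitech executable name and the DLL name) are placeholders rather than real indicators.

```python
"""Detection heuristics for two behaviours attributed to TCLBanker:
 1. a watchdog that repeatedly kills analysis tools / Task Manager;
 2. DLL side-loading, where a vendor executable running from a
    user-writable directory loads an unsigned DLL from that same directory.
Event records are CONSTRUCTED sample telemetry in a simplified Sysmon-like
shape; field names are assumptions, not a real product's schema."""
import ntpath  # handles Windows backslash paths correctly on any host OS
from collections import defaultdict

# Image names the article says the watchdog terminates, plus Task Manager.
ANALYSIS_TOOLS = {
    "x64dbg.exe", "x32dbg.exe", "ida.exe", "ida64.exe", "dnspy.exe",
    "frida.exe", "processhacker.exe", "ghidra.exe", "de4dot.exe",
    "taskmgr.exe",
}

# Directories from which vendor applications are normally installed and
# load their DLLs (assumed baseline; tune to the environment).
TRUSTED_DIRS = (
    "c:\\program files\\",
    "c:\\program files (x86)\\",
    "c:\\windows\\system32\\",
)


def _norm(path):
    """Lower-case and normalise separators so comparisons are consistent."""
    return path.replace("/", "\\").lower()


def in_trusted_dir(path):
    return any(_norm(path).startswith(d) for d in TRUSTED_DIRS)


def watchdog_killers(events, threshold=2):
    """Map actor image -> sorted list of analysis tools it terminated, for
    actors that killed at least `threshold` distinct tools. A single kill
    is usually a user closing a window; a process that kills several
    different tools is the watchdog pattern."""
    kills = defaultdict(set)
    for ev in events:
        if ev["type"] != "process_terminate":
            continue
        target = ntpath.basename(_norm(ev["target_image"]))
        if target in ANALYSIS_TOOLS:
            kills[_norm(ev["actor_image"])].add(target)
    return {actor: sorted(t) for actor, t in kills.items() if len(t) >= threshold}


def sideload_candidates(events):
    """Return (exe, dll) pairs where an executable outside the trusted
    directories loads an unsigned DLL from its own directory, the classic
    side-loading layout (legitimate EXE dropped next to a malicious DLL)."""
    hits = []
    for ev in events:
        if ev["type"] != "image_load":
            continue
        exe, dll = _norm(ev["process_image"]), _norm(ev["loaded_image"])
        if in_trusted_dir(exe) or in_trusted_dir(dll):
            continue
        if ntpath.dirname(exe) == ntpath.dirname(dll) and not ev.get("signed", False):
            hits.append((exe, dll))
    return hits


# Constructed sample telemetry (placeholder names, not real indicators).
_DROP_DIR = r"C:\Users\alice\AppData\Local\Temp\LogiPromptBuilder"
_VENDOR_EXE = _DROP_DIR + r"\logi-app-placeholder.exe"
SAMPLE_EVENTS = [
    {"type": "process_terminate", "actor_image": _VENDOR_EXE,
     "target_image": r"C:\Tools\x64dbg\x64dbg.exe"},
    {"type": "process_terminate", "actor_image": _VENDOR_EXE,
     "target_image": r"C:\Windows\System32\Taskmgr.exe"},
    # Benign: the user closed Task Manager once via Explorer.
    {"type": "process_terminate", "actor_image": r"C:\Windows\explorer.exe",
     "target_image": r"C:\Windows\System32\Taskmgr.exe"},
    # Side-load: unsigned DLL loaded from the same temp directory as the EXE.
    {"type": "image_load", "process_image": _VENDOR_EXE,
     "loaded_image": _DROP_DIR + r"\sideloaded-placeholder.dll", "signed": False},
    # Benign: properly installed vendor app loading its own signed DLL.
    {"type": "image_load", "process_image": r"C:\Program Files\Vendor\app.exe",
     "loaded_image": r"C:\Program Files\Vendor\helper.dll", "signed": True},
]

if __name__ == "__main__":
    for actor, tools in watchdog_killers(SAMPLE_EVENTS).items():
        print(f"[watchdog] {actor} terminated: {', '.join(tools)}")
    for exe, dll in sideload_candidates(SAMPLE_EVENTS):
        print(f"[sideload] {exe} loaded unsigned {dll} from its own directory")
```

On the sample events only the placeholder executable is reported by both rules: it killed two distinct analysis tools, and it loaded an unsigned DLL from the temp directory it runs from. Explorer closing Task Manager once stays below the threshold, and the properly installed vendor application is excluded by the trusted-directory check, which is where most of the tuning effort goes in a real deployment.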
To facilitate data theft, **TCLBanker** uses a WPF-based overlay system to display fake credential prompts, PIN keypads, phone-number collection forms, fake "bank support" waiting screens, fake **Windows Update** screens, and various fake progress screens. It also uses "cutout" overlays that selectively mask portions of legitimate applications.

*Generating a fake Windows update overlay. Source: Elastic*
## WhatsApp and Outlook Worms
A significant feature of **TCLBanker** is its ability to self-propagate through the victim's contacts.
The malware searches Chromium browser profiles for authenticated **WhatsApp Web** IndexedDB data and launches a hidden Chromium instance to hijack the victim's account.

*Hijacking WhatsApp accounts. Source: Elastic*
It then harvests contacts, filters for Brazilian numbers, and sends them spam messages from the compromised account, leading them to **TCLBanker** distribution platforms.
Another worm module abuses **Microsoft Outlook** through COM automation, launching the application, harvesting contacts and sender addresses, and sending phishing emails through the victim's email account.

*Harvesting Outlook contacts. Source: Elastic*
**Elastic** concludes that **TCLBanker** exemplifies the evolution of LATAM malware, providing lower-tier cybercriminals with features previously exclusive to highly sophisticated tools.