TCLBanker Banking Trojan Spreads via WhatsApp and Outlook Worm Modules, Targets 59 Financial Platforms

Elastic Security has identified TCLBanker (tracked as REF3076 / Water Saci), an evolution of the Maverick banking trojan family, deploying worm modules that spread via WhatsApp message injection and Outlook email campaigns from infected machines. TCLBanker targets users of 59 financial platforms including online banking, cryptocurrency exchanges, and payment services. The malware uses DLL side-loading via legitimate Logitech software and employs anti-analysis watchdog processes to resist removal.


Elastic Security researchers tracking campaign REF3076 have published analysis of TCLBanker — a banking trojan they assess as an evolution of the Maverick banking trojan family (also known as Sorvepotel), a malware lineage associated with financially motivated Brazilian threat actors. TCLBanker introduces worm propagation modules that spread the malware to new victims via WhatsApp message injection and Outlook email campaigns, extending the reach of a campaign beyond the initial infection vector.

Initial Delivery and Persistence

TCLBanker’s initial delivery leverages DLL side-loading via a legitimate Logitech application — specifically, the Logitech AI Prompt Builder utility (LogiOptionsPlus.exe), which loads DLL libraries from the application’s working directory. TCLBanker places a malicious DLL in the expected path, causing the legitimate Logitech process to load and execute the malware payload as part of its normal startup.

The abuse of legitimate, signed Logitech software for DLL side-loading provides two advantages: the malicious code executes under a trusted process name (reducing suspicion in process monitoring), and the code signing check for the Logitech executable passes (since the legitimate executable is signed, only the loaded DLL is malicious).

Persistence is established via a Windows Task Scheduler entry that invokes the side-loading chain at user login. An anti-analysis watchdog process monitors the malware’s core components and relaunches them if they are terminated — complicating manual removal attempts.

Worm Propagation Modules

WhatsApp worm module: TCLBanker monitors the victim’s active WhatsApp Web session using browser debug protocol hooks. When a WhatsApp conversation is open, the malware can inject outbound messages to the conversation’s contacts — sending a lure message with a download link pointing to the malware’s next-stage payload. The message appears to originate from the infected victim’s WhatsApp account, exploiting the trust relationships in the victim’s contact list.

Outlook email module: A separate worm module accesses the victim’s Outlook profile via the Outlook COM API (without requiring credential theft — it uses the already-authenticated Outlook session). The module sends lure emails to a subset of the victim’s contacts referencing fake financial documents, payment confirmations, or banking security alerts. Again, the emails appear to originate legitimately from the victim’s account.

This combination of worm vectors allows TCLBanker to propagate through social networks and corporate email chains with high apparent legitimacy, since the lure arrives from a known and trusted contact.

Financial Platform Targeting

TCLBanker’s web injection and overlay system targets 59 financial platforms, including:

  • Major Brazilian and Latin American bank online banking portals
  • International cryptocurrency exchanges
  • PayPal, Stripe, and regional digital payment platforms
  • Cryptocurrency browser wallets (MetaMask, Coinbase Wallet extensions)

When the victim navigates to a targeted site, TCLBanker intercepts the page using browser hook techniques, overlaying the legitimate banking interface with a fake authentication form that captures credentials and OTP codes in real time — transmitting them to the attacker while presenting a “system maintenance” error to the victim.

Detection and Remediation

Indicators of compromise are available in Elastic Security’s full research publication. Key artefacts include the malicious DLL name patterns, task scheduler entry characteristics, and network IOCs for C2 infrastructure.

Detection: Elastic’s analysis identifies that the watchdog process creates a characteristic mutex and the side-loading chain leaves artefacts in the Windows Event Log. EDR products with behavioural rules for DLL side-loading and for COM-based Outlook automation by non-Outlook processes will surface relevant alerts.
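The following Python is an added example, not code from Elastic Security's publication or from the TCLBanker analysis. It sketches two of the behavioural checks mentioned here and in the delivery section above: a signed process loading an unsigned DLL from its own directory (the side-loading pattern abused through LogiOptionsPlus.exe), and Outlook being activated as a COM automation server. The events it runs over are constructed, the simplified field names are loosely modelled on Sysmon's ImageLoad and ProcessCreate events rather than taken from the report, every path and DLL name is a placeholder rather than an IoC, and the `-Embedding` launch flag is the standard Windows convention for COM local-server activation, which the article itself does not mention.

```python
"""Behavioural heuristics for DLL side-loading and Outlook COM activation,
run over constructed, Sysmon-like events. Example code only; the events,
field names and paths are not indicators from the TCLBanker research."""
import ntpath
from dataclasses import dataclass

# Directories a standard user can write to: a signed EXE running from one of
# these and loading an unsigned DLL beside itself is a stronger signal than
# the same pattern under Program Files, where vendors do ship unsigned helpers.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\public\\")

# COM local servers launched by the service control manager receive this flag.
COM_ACTIVATION_FLAGS = {"-embedding", "/embedding"}

# Constructed sample telemetry (placeholders, not real artefacts).
SAMPLE_EVENTS = [
    # 1. Side-loading shape: signed EXE in a user-writable folder loads an
    #    unsigned DLL from the same folder.
    {"type": "image_load",
     "process_image": r"C:\Users\victim\AppData\Roaming\PLACEHOLDER_dir\LogiOptionsPlus.exe",
     "process_signed": True,
     "loaded_image": r"C:\Users\victim\AppData\Roaming\PLACEHOLDER_dir\PLACEHOLDER_payload.dll",
     "loaded_signed": False},
    # 2. Benign: signed process loading a signed system DLL.
    {"type": "image_load",
     "process_image": r"C:\Program Files\LogiOptionsPlus\LogiOptionsPlus.exe",
     "process_signed": True,
     "loaded_image": r"C:\Windows\System32\kernel32.dll",
     "loaded_signed": True},
    # 3. Lower confidence: signed vendor EXE under Program Files loading an
    #    unsigned helper DLL from its own folder.
    {"type": "image_load",
     "process_image": r"C:\Program Files\SomeVendor\app.exe",
     "process_signed": True,
     "loaded_image": r"C:\Program Files\SomeVendor\helper.dll",
     "loaded_signed": False},
    # 4. Outlook started interactively by the user: parent explorer.exe, no flag.
    {"type": "process_create",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": '"C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE"'},
    # 5. Outlook activated as a COM server on behalf of some other process:
    #    launched by the DCOM service host with the -Embedding flag.
    {"type": "process_create",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "parent_image": r"C:\Windows\System32\svchost.exe",
     "command_line": '"C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE" -Embedding'},
]


@dataclass
class Alert:
    rule: str
    severity: str
    subject: str


def detect_dll_sideload(ev):
    """Signed process loading an unsigned DLL that sits in the process's own
    directory. Severity rises when that directory is user-writable."""
    if ev["type"] != "image_load":
        return None
    proc_dir = ntpath.dirname(ev["process_image"]).lower()
    dll_dir = ntpath.dirname(ev["loaded_image"]).lower()
    if not (ev["process_signed"] and not ev["loaded_signed"] and proc_dir == dll_dir):
        return None
    severity = "high" if any(m in proc_dir + "\\" for m in USER_WRITABLE_MARKERS) else "medium"
    return Alert("dll_sideload", severity, ev["loaded_image"])


def detect_outlook_com_activation(ev):
    """outlook.exe created with a COM activation flag: some other process has
    requested Outlook.Application automation. The requesting client is not in
    this event, so the alert is a pivot point for correlation, not a verdict."""
    if ev["type"] != "process_create":
        return None
    if ntpath.basename(ev["image"]).lower() != "outlook.exe":
        return None
    tokens = {t.lower() for t in ev["command_line"].split()}
    if tokens & COM_ACTIVATION_FLAGS:
        return Alert("outlook_com_activation", "medium", ev["parent_image"])
    return None


RULES = (detect_dll_sideload, detect_outlook_com_activation)


def run_rules(events):
    """Apply every rule to every event and return the alerts in event order."""
    return [a for ev in events for rule in RULES if (a := rule(ev)) is not None]


if __name__ == "__main__":
    for alert in run_rules(SAMPLE_EVENTS):
        print(f"[{alert.severity}] {alert.rule}: {alert.subject}")
```

Two caveats for anyone adapting this: the side-loading rule needs the loading process's own signature status, which most telemetry sources record on process creation rather than on the DLL load, so the two events have to be joined by process id first; and Outlook is a single-instance application, so when the user already has it open an automation client attaches to the running instance and no `-Embedding` launch occurs, which is why the COM heuristic should be paired with mail-flow monitoring (sudden bursts of outbound messages with attachments or links) rather than relied on alone.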

Remediation: Manual removal requires terminating the watchdog process before the primary payload, then removing the scheduled task, malicious DLL, and any files dropped to the %APPDATA% path. Full system reimaging is recommended for confirmed infections given the anti-analysis behaviour.

For organisations in the financial services, cryptocurrency, or payment processing space: the worm propagation via Outlook means that a single infected employee device could generate thousands of targeted phishing emails to internal and external contacts from a trusted sender address — triggering incident response obligations beyond the initial compromised device.
