DEV Community

Mark0

TCLBANKER: Brazilian Banking Trojan Spreading via WhatsApp and Outlook

Elastic Security Labs has uncovered TCLBANKER, a sophisticated Brazilian banking trojan evolving from the MAVERICK and SORVEPOTEL families. Tracked under campaign REF3076, the malware utilizes an MSI installer that abuses DLL sideloading via a legitimate Logitech application to deploy two primary .NET modules: a feature-rich banking trojan and a specialized worm component for self-propagation. The infection chain is notably resilient, featuring environment-gated payload decryption that prevents execution within sandboxed or debugged environments.

The trojan monitors browser activity to target 59 Brazilian financial and cryptocurrency domains, employing a WPF-based overlay framework for real-time social engineering. These overlays—ranging from credential prompts to fake Windows Update screens—are protected by anti-capture techniques to remain invisible to screen-sharing tools. Additionally, propagation is facilitated by hijacking authenticated WhatsApp Web sessions through profile cloning and abusing Microsoft Outlook via COM automation to distribute phishing lures.

The entire operation leverages Cloudflare Workers for C2 communication and payload delivery, showcasing the continued maturation of Latin American cybercrime tactics. Developer artifacts suggest the campaign is in its early operational stages, signaling a shift toward highly automated, self-spreading malware that inherits the trust of legitimate communication platforms and cloud-native infrastructure.

