Elastic Security Labs has identified TCLBANKER as REF3076, which represents a significant development in Latin American banking malware. In addition to credential theft, remote session control, and worm-like propagation, it has been linked to older Maverick and SORVEPOTEL malware families, but with more sophisticated stealth and self-distribution features.
By delivering the trojan via trojanized Logitech AI Prompt Builder MSI installer hidden within malicious ZIP archives, the trojan spreads through compromised WhatsApp and Microsoft Outlook accounts. As well as employing extensive anti-analysis protections to evade sandboxes, debugging tools, and security monitoring systems, TCLBANKER targets 59 Brazilian banking, fintech, and cryptocurrency platforms.
Research has shown that although the campaign is currently focused on Brazil through locale verification and keyboard layout verification checks, its modular architecture is capable of enabling broader international expansion in the future. Researchers have found that the malicious library “screen_retriever_plugin.dll” is executed through the legitimate Logitech application via DLL sideloading.
The malware only activates when loaded by approved executables such as “logiaipromptbuilder.exe,” allowing it to blend into trusted processes and avoid detection. Watchdog subsystems are included in its loader, which continuously searches for debuggers, sandboxes, antivirus engines, and forensic analysis tools. Also, it removes usermode hooks from “ntdll.dll” and disables Event Tracing for Windows (ETW) telemetry so that endpoint monitoring visibility can be compromised.
The TCLBANKER software generates an environment-specific hash value by performing multiple anti-debugging, anti-virtualization, disk, and language checks before decrypting its payload. In the event analysis conditions are detected, the payload is intentionally disabled from decrypting, preventing execution in sandboxes.
Following validation, the malware establishes persistence through scheduled tasks and communicates with external command-and-control infrastructure using HTTP POST requests containing information regarding the system.
An increasing trend among financially motivated threat actors is to combine enterprise-grade evasion techniques with consumer-centered banking fraud operations, as evidenced by the malware’s layered execution model. During their research, researchers found that TCLBANKER did not rely exclusively on credential theft, but rather operated as an interactive remote intrusion platform, maintaining prolonged access to compromised systems.
In addition to monitoring user behavior in real time, attackers can manipulate banking sessions directly and bypass traditional fraud detection mechanisms that detect automated transactions, allowing them to bypass traditional fraud detection mechanisms.
Since the malware executes most of its activity in memory, and limits visible artifacts on disk, it can be detected more easily by conventional anti-virus and endpoint monitoring programs.
Since the malware executes most of its activity in memory, and limits visible artifacts on disk, it can be detected more easily by conventional anti-virus and endpoint monitoring programs.
As a consequence of these characteristics, analysts caution that traditional banking trojans and lightweight advanced persistent threat tooling are becoming increasingly blurred, particularly as financial criminals target online banking ecosystems with targeted cybercrime campaigns.
With TCLBANKER, users can perform a number of remote fraud functions, including scree
[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.
This article has been indexed from CySecurity News – Latest Information Security and Hacking Incidents
Read the original article: