TCLBANKER Banking Trojan Targets Financial Platforms via WhatsApp and Outlook Worms

Security researchers have identified TCLBANKER, a sophisticated new Brazilian banking trojan that exploits legitimate software to target 59 financial platforms and propagate through hijacked WhatsApp and Outlook accounts.

Key Points

  • Elastic Security Labs is tracking the malware, identified as REF3076, which is an evolution of the Maverick trojan family linked to the Water Saci threat cluster.
  • The trojan uses DLL side-loading to abuse a signed Logitech program, "Logi AI Prompt Builder," to bypass security detection and execute malicious payloads.
  • TCLBANKER employs advanced anti-analysis techniques, including environment-gated decryption and the removal of endpoint security hooks, to ensure it only runs on targeted Brazilian systems.
  • The malware features a worming module that hijacks active WhatsApp Web sessions and Microsoft Outlook accounts to distribute malicious installers to thousands of contacts.
  • Once active, the trojan uses a WebSocket connection to enable remote control, keylogging, and the deployment of fake credential-stealing overlays on major web browsers.
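
The side-loading described in the second point relies on a signed host executable loading a DLL from its own directory instead of a trusted system path. The following is an added detection example, not code from the Elastic report: it scores Sysmon-style image-load events and flags a DLL that a signed process loaded from its own directory when that DLL is unsigned or carries a different publisher than the host. Vendor names, paths and file names below are constructed placeholders, since the report excerpt here names no file names.

```python
import ntpath
from dataclasses import dataclass


@dataclass
class ImageLoad:
    """Fields mirror Sysmon Event ID 7 (image loaded) attributes."""
    image: str           # process executable ("Image")
    image_signed: bool
    image_signer: str
    loaded: str          # module mapped into it ("ImageLoaded")
    loaded_signed: bool
    loaded_signer: str


SYSTEM_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64")


def is_sideload_candidate(ev: ImageLoad) -> bool:
    """True when a signed host loads a DLL from its own (non-system) directory
    and that DLL is unsigned or signed by a different publisher."""
    if not ev.loaded.lower().endswith(".dll"):
        return False
    if not ev.image_signed:
        return False  # only trusted hosts being abused are of interest here
    img_dir = ntpath.dirname(ev.image).lower()
    dll_dir = ntpath.dirname(ev.loaded).lower()
    if dll_dir != img_dir or dll_dir.startswith(SYSTEM_DIRS):
        return False  # side-loading depends on the search order preferring the exe's folder
    return (not ev.loaded_signed) or ev.loaded_signer.lower() != ev.image_signer.lower()


def find_sideload_candidates(events):
    return [ev for ev in events if is_sideload_candidate(ev)]


# Constructed sample events (placeholder publisher "ExampleVendor", placeholder paths).
APP = "C:\\Users\\alice\\AppData\\Local\\Temp\\Tool\\tool.exe"
SAMPLE_EVENTS = [
    ImageLoad(APP, True, "ExampleVendor", "C:\\Users\\alice\\AppData\\Local\\Temp\\Tool\\helper.dll", False, ""),
    ImageLoad(APP, True, "ExampleVendor", "C:\\Windows\\System32\\kernel32.dll", True, "Microsoft Windows"),
    ImageLoad(APP, True, "ExampleVendor", "C:\\Users\\alice\\AppData\\Local\\Temp\\Tool\\ui.dll", True, "ExampleVendor"),
    ImageLoad("C:\\Temp\\x.exe", False, "", "C:\\Temp\\y.dll", False, ""),
]

if __name__ == "__main__":
    for hit in find_sideload_candidates(SAMPLE_EVENTS):
        print(f"side-load candidate: {hit.image} loaded {hit.loaded}")
```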

Why it Matters

This campaign demonstrates a significant maturation in commodity crimeware by leveraging trusted communication channels to bypass traditional email and network security defenses. By hijacking legitimate user accounts to distribute malware, attackers effectively weaponize personal trust, making it increasingly difficult for standard reputation-based security tools to detect and block malicious activity.
Published by The Hacker News (info@thehackernews.com)