TCLBANKER: Brazilian Banking Trojan Spreading via WhatsApp and Outlook

Khushal

Apr 4, 2024
Elastic Security Labs identified a new Brazilian banking trojan that we are tracking as TCLBANKER, a malware family we assess is a major update of the MAVERICK/SORVEPOTEL family. The campaign, tracked as REF3076, features a loader with robust anti-analysis capabilities that deploys two embedded .NET Reactor-protected modules: a full-featured banking trojan and a worm module for self-propagation.

The banking trojan monitors the victim's browser address bar via UI Automation, targeting 59 Brazilian banking, fintech, and cryptocurrency domains. Beyond the usual remote access commands, its most notable capability is a WPF-based full-screen overlay framework designed for operator-driven social engineering.

A second module handles distribution through spam agents, of which we recovered two variants: a WhatsApp worm that hijacks authenticated browser sessions to message the victim's contacts, and an Outlook email bot that sends phishing emails through the victim's own accounts via COM automation.

Through this report, we provide a detailed technical breakdown of each stage.

This looks like a useful report on a fairly capable Brazilian banking trojan, but I would be careful not to overstate anything beyond what Elastic documented.

What stands out in this case

  • Elastic describes TCLBANKER as a likely major update of the MAVERICK/SORVEPOTEL family, not an entirely unrelated threat.
  • The campaign appears to use a loader with anti-analysis features, then deploys protected .NET modules.
  • The banking module focuses on Brazilian financial and crypto-related targets by monitoring the browser address bar.
  • The overlay component is especially notable because full-screen fake banking windows can be very effective for credential theft and operator-led fraud.
  • The worming component is also important from a defensive perspective because it abuses trusted user sessions rather than relying only on classic exploit-based spreading.

Why the propagation methods matter

Using WhatsApp Web session hijacking and Outlook COM automation is a practical social-engineering approach:

  • Messages and emails come from the victim’s real account or active session, which increases credibility.
  • Traditional perimeter filtering may be less effective when abuse happens through legitimate services and authenticated sessions.
  • It can accelerate spread inside personal and business contact networks without requiring advanced exploitation.

Defensive takeaway

For defenders, the interesting part is not just the banker itself, but the combination of:

  • Anti-analysis in the loader
  • Targeted banking overlays
  • Session abuse through browser-based messaging
  • Email propagation via the victim’s own Outlook profile

That combination suggests a threat focused on fraud operations and rapid victim-to-victim distribution, especially in regions where those targeted institutions are widely used.

Practical next steps

If someone is assessing risk from this report, the safest actions would be:

  • Review the Elastic article for the listed indicators and behavioral details
  • Check EDR/AV telemetry for suspicious UI Automation use tied to browsers
  • Look for unusual Outlook COM activity or unexpected bulk messaging behavior
  • Review browser session security, especially for WhatsApp Web or similar authenticated web platforms
  • Submit any suspicious related samples to VirusTotal or a trusted internal analysis workflow for confirmation

Bottom line

Based on Elastic’s write-up, TCLBANKER appears to be a technically mature banking trojan operation with both fraud-focused and self-distribution capabilities. The abuse of legitimate authenticated sessions is probably the most operationally significant detail for defenders.
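Two of the hunting suggestions above (suspicious UI Automation use tied to browsers, and unexpected Outlook COM activity) can be turned into a first-pass triage filter over endpoint telemetry. The script below is an added example written for this thread; it is not code from the Elastic report, from the poster, or from the malware. It assumes Sysmon-style events (EventID 1 ProcessCreate with Image/CommandLine/ParentImage, EventID 7 ImageLoad with Image/ImageLoaded), that a UI Automation client loads UIAutomationCore.dll or the .NET UIAutomationClient.dll, and that an outlook.exe instance started through COM automation carries the /Embedding switch with the automating process as its parent. The allow-lists and the sample events are constructed for illustration and would need tuning against real baselines.

```python
"""Triage filter for two TCLBANKER-style behaviours over constructed endpoint events.

Added example, not from the Elastic report or the thread. Assumptions (not from
the source): Sysmon-like field names, the DLL names below as the marker for a UI
Automation client, and "/Embedding" on outlook.exe as the marker for COM
automation. Allow-lists are illustrative only.
"""
from __future__ import annotations

from dataclasses import dataclass

# DLLs a UI Automation client is expected to load (native and .NET wrapper).
UIA_DLLS = {"uiautomationcore.dll", "uiautomationclient.dll"}

# Illustrative images that legitimately use UI Automation (assumption; tune per fleet).
UIA_EXPECTED_IMAGES = {"narrator.exe", "magnify.exe", "explorer.exe",
                       "msedge.exe", "chrome.exe", "firefox.exe"}

# Parents from which a COM-launched outlook.exe is unremarkable (assumption).
OUTLOOK_EXPECTED_PARENTS = {"explorer.exe", "svchost.exe", "outlook.exe"}


@dataclass(frozen=True)
class Finding:
    rule: str
    image: str
    detail: str


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def check_uia_load(ev: dict) -> Finding | None:
    """Flag a UI Automation DLL loaded by an image outside the allow-list."""
    if ev.get("EventID") != 7:
        return None
    dll = basename(ev.get("ImageLoaded", ""))
    if dll not in UIA_DLLS:
        return None
    if basename(ev.get("Image", "")) in UIA_EXPECTED_IMAGES:
        return None
    return Finding("uia-client-unexpected-image", ev["Image"], f"loaded {dll}")


def check_outlook_com(ev: dict) -> Finding | None:
    """Flag outlook.exe started via COM (/Embedding) by an unexpected parent."""
    if ev.get("EventID") != 1 or basename(ev.get("Image", "")) != "outlook.exe":
        return None
    cmd = ev.get("CommandLine", "").lower()
    if "/embedding" not in cmd and "-embedding" not in cmd:
        return None
    parent = ev.get("ParentImage", "")
    if basename(parent) in OUTLOOK_EXPECTED_PARENTS:
        return None
    return Finding("outlook-com-unexpected-parent", parent,
                   "spawned outlook.exe with /Embedding")


def triage(events: list[dict]) -> list[Finding]:
    """Run every check over every event and collect findings."""
    findings: list[Finding] = []
    for ev in events:
        for check in (check_uia_load, check_outlook_com):
            hit = check(ev)
            if hit is not None:
                findings.append(hit)
    return findings


# Constructed sample telemetry (not real data): one benign and one suspicious
# case for each behaviour, plus a normal interactive Outlook launch.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Windows\explorer.exe",
     "ImageLoaded": r"C:\Windows\System32\UIAutomationCore.dll"},
    {"EventID": 7, "Image": r"C:\Users\victim\AppData\Roaming\update.exe",
     "ImageLoaded": r"C:\Windows\System32\UIAutomationCore.dll"},
    {"EventID": 1, "Image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "CommandLine": '"C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE" /Embedding',
     "ParentImage": r"C:\Users\victim\AppData\Roaming\update.exe"},
    {"EventID": 1, "Image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "CommandLine": '"C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE"',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 7, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ImageLoaded": r"C:\Windows\System32\UIAutomationCore.dll"},
]


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.image}: {f.detail}")
```

On real data the UI Automation rule will be noisy until the allow-list reflects the fleet's accessibility and automation tooling; the Outlook rule is usually the quieter of the two, since interactive Outlook starts have no /Embedding switch and the parent of a COM-launched instance is the process that automated it.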