TCLBANKER: Brazilian Banking Trojan Spreading via WhatsApp and Outlook

What Happened

Security researchers have discovered a new banking malware called TCLBANKER that targets Brazilian users. It infects computers through malicious files disguised as legitimate software and steals banking information by displaying fake, full-screen login prompts over real banking websites. The malware is particularly dangerous because it can automatically spread itself by hijacking a victim's WhatsApp Web session or Microsoft Outlook email to send malicious links to their contacts. Users should be cautious of unexpected attachments or links, even if they appear to come from known contacts, and ensure their security software is up to date.

Key Takeaways

• TCLBANKER uses environment-gated payload decryption that silently fails in sandboxes or analysis environments.
• The malware targets 59 Brazilian banking and crypto domains, triggering a WebSocket C2 session upon navigation.
• A WPF-based full-screen overlay framework enables operator-driven social engineering, credential harvesting, and fake Windows update stalls.
• Worm modules propagate the malware by hijacking authenticated WhatsApp Web sessions and Microsoft Outlook COM automation.
• Infrastructure relies heavily on Cloudflare Workers for C2 communication and payload delivery.

Affected Systems

• Windows
• Chromium-based browsers (Chrome, Edge, Brave, Opera, Vivaldi)
• Microsoft Outlook
• WhatsApp Web

Attack Chain

The attack begins with a ZIP file containing a malicious MSI installer that abuses a legitimate Logitech application (LogiAiPromptBuilder.exe) to sideload a malicious DLL (screen_retriever_plugin.dll). This loader performs extensive anti-analysis and environment checks before decrypting and executing the TCLBANKER .NET payload. The banking trojan establishes persistence via a scheduled task, monitors browser URLs for targeted Brazilian financial sites, and initiates a WebSocket C2 session to deploy full-screen social engineering overlays. Concurrently, a worm module hijacks the victim's WhatsApp Web session or Outlook application to send phishing messages and propagate the malware to their contacts.

Detection Availability

• YARA Rules: Yes
• Sigma Rules: No
• Snort/Suricata Rules: No
• KQL Queries: No
• Splunk SPL Queries: No
• EQL Queries: Yes
• Other Detection Logic: No
• Platforms: Elastic Security

Elastic Security provides a YARA rule for detecting the TCLBanker trojan and several Elastic behavior rules targeting NTDLL unhooking, AMSI bypasses, and suspicious core module changes.

Detection Engineering Assessment

EDR Visibility: Medium — The malware uses direct syscalls, unhooks NTDLL, and patches ETW to blind user-mode telemetry, which may reduce visibility for some EDRs. However, process creation (msiexec, cmd), scheduled task creation, and COM interop behaviors are still highly visible. Network Visibility: Medium — C2 traffic uses WebSockets and HTTPS to Cloudflare Workers, blending in with legitimate traffic, but the specific endpoints and hardcoded Bearer tokens/GUIDs can be fingerprinted. Detection Difficulty: Hard — The heavy use of anti-analysis, environment-gating, ETW patching, and legitimate Cloudflare infrastructure makes dynamic analysis and network detection challenging.

Required Log Sources

• Process Creation (Event ID 4688 / Sysmon 1)
• File Creation (Sysmon 11)
• Scheduled Task Creation (Event ID 4698)
• Network Connections (Sysmon 3)

Hunting Hypotheses

Hypothesis	Telemetry	ATT&CK Stage	FP Risk
Look for LogiAiPromptBuilder.exe loading an unsigned or unexpected screen_retriever_plugin.dll from a non-standard directory.	Image Load (Sysmon Event ID 7) / Process Creation	Execution	Low
Monitor for the creation of a scheduled task named RuntimeOptimizeService triggering on user logon.	Scheduled Task Creation (Event ID 4698)	Persistence	Low
Detect headless Chromium instances launched with --user-data-dir pointing to a temporary directory.	Process Creation (Event ID 4688 / Sysmon 1)	Credential Access	Medium
Identify msiexec.exe executing with the REINSTALLMODE=amus argument, especially when spawned by a hidden command shell.	Process Creation (Event ID 4688 / Sysmon 1)	Execution	Low
Look for PowerShell scripts dropped in %TEMP% interacting with the Outlook COM object.	File Creation (Sysmon 11) / PowerShell Script Block Logging (Event ID 4104)	Collection	Medium

Control Gaps

• User-mode EDR hooks (bypassed via NTDLL replacement)
• ETW telemetry (patched by malware)

Key Behavioral Indicators

• DLL sideloading of screen_retriever_plugin.dll
• Creation of %LocalAppData%\LogiAI directory
• Presence of C:\temp\tcl-debug.txt
• COM interop with Outlook.Application from unexpected processes

False Positive Assessment

• Low

Recommendations

Immediate Mitigation

• Block known C2 domains and Cloudflare Worker endpoints associated with REF3076.
• Search endpoints for the presence of the RuntimeOptimizeService scheduled task and %LocalAppData%\LogiAI directory.

Infrastructure Hardening

• Implement application control to prevent the execution of unauthorized binaries and unsigned DLLs.
• Restrict the use of COM automation for Microsoft Outlook to authorized applications only.

User Protection

• Deploy EDR solutions capable of detecting direct syscalls and NTDLL unhooking.
• Enforce multi-factor authentication and session timeouts for web-based messaging applications like WhatsApp Web.

Security Awareness

• Educate users on the risks of opening unexpected attachments or links, even from known contacts.
• Train employees to recognize full-screen social engineering overlays and fake Windows update screens.

MITRE ATT&CK Mapping

• T1566.001 - Phishing: Spearphishing Attachment
• T1218.007 - System Binary Proxy Execution: Msiexec
• T1574.002 - Hijack Execution Flow: DLL Side-Loading
• T1059.001 - Command and Scripting Interpreter: PowerShell
• T1059.003 - Command and Scripting Interpreter: Windows Command Shell
• T1053.005 - Scheduled Task/Job: Scheduled Task
• T1140 - Deobfuscate/Decode Files or Information
• T1027 - Obfuscated Files or Information
• T1622 - Debugger Evasion
• T1497.001 - Virtualization/Sandbox Evasion: System Checks
• T1497.003 - Virtualization/Sandbox Evasion: Time Based Evasion
• T1562.001 - Impair Defenses: Disable or Modify Tools
• T1106 - Native API
• T1055 - Process Injection
• T1057 - Process Discovery
• T1010 - Application Window Discovery
• T1082 - System Information Discovery
• T1614.001 - System Location Discovery: System Language Discovery
• T1113 - Screen Capture
• T1056.001 - Input Capture: Keylogging
• T1115 - Clipboard Data
• T1056.003 - Input Capture: Web Portal Capture
• T1185 - Browser Session Hijacking
• T1071.001 - Application Layer Protocol: Web Protocols
• T1102 - Web Service
• T1105 - Ingress Tool Transfer
• T1114.001 - Email Collection: Local Email Collection
• T1529 - System Shutdown/Reboot

Additional IOCs

• Ips:
  • 191[.]96[.]224[.]96 - Previous C2 IP associated with REF3076 and Water Saci
• Domains:
  • documentos-online[.]com - TCLBanker phishing page (under development)
  • afonsoferragista[.]com - TCLBanker phishing page (under development)
  • doccompartilhe[.]com - TCLBanker phishing page (under development)
  • recebamais[.]com - TCLBanker phishing page (under development)
  • saogeraldoshiping[.]com - Domain previously associated with Water Saci campaign
• Urls:
  • hxxps://campanha1-api[.]ef971a42[.]workers[.]dev/api/installs - First-run POST beacon endpoint
  • hxxps://documents[.]ef971a42[.]workers[.]dev/api/version - Self-update version check endpoint
  • hxxps://documents[.]ef971a42[.]workers[.]dev/api/update - Self-update payload download endpoint
  • wss://mxtestacionamentos[.]com/ws - WebSocket C2 communication endpoint
  • hxxps://campanha1-api[.]ef971a42[.]workers[.]dev/api/campaign - Active campaign configuration endpoint for worm modules
  • hxxps://documents[.]ef971a42[.]workers[.]dev/file - File server endpoint for downloading TCLBANKER payload
  • hxxps://campanha1-api[.]ef971a42[.]workers[.]dev/api/progress - Worm module progress reporting endpoint
  • hxxps://campanha1-api[.]ef971a42[.]workers[.]dev/api/control - Worm module remote control polling endpoint
• File Hashes:
  • 8a174aa70a4396547045aef6c69eb0259bae1706880f4375af71085eeb537059 (sha256) - TCLBanker loader component (screen_retriever_plugin.dll)
  • 668f932433a24bbae89d60b24eee4a24808fc741f62c5a3043bb7c9152342f40 (sha256) - TCLBanker loader component (screen_retriever_plugin.dll)
  • 63beb7372098c03baab77e0dfc8e5dca5e0a7420f382708a4df79bed2d900394 (sha256) - TCLBanker initial ZIP file (XXL_21042026-181516.zip)
• File Paths:
  • %LocalAppData%\LogiAI - Installation directory for TCLBANKER
  • C:\temp\tcl-debug.txt - Debug logging artifact created by newer variants
  • %TEMP%\update_{8hexchars}.msi - Self-update payload download path
  • %TEMP%\msvc-rt14\bin\hostfxr.exe - Disguised Selenium Manager binary used by WhatsApp bot
  • %TEMP%\oc<guid>.ps1 - PowerShell script dropped to harvest Outlook contacts
• Command Lines:
  • Purpose: Forced system reboot initiated by C2 command | Tools: shutdown.exe | Stage: Impact | shutdown.exe /r /t 0 /f
  • Purpose: Silent installation of the self-update MSI payload | Tools: msiexec.exe | Stage: Execution | msiexec /i /qn REINSTALLMODE=amus
  • Purpose: Shell command execution capability from C2 | Tools: cmd.exe | Stage: Execution | cmd.exe /c