KeyAudit

infrastructure · phishing · private-key-leak · social-engineering

New TCLBanker trojan targets 59 banking, fintech and crypto platforms via Logitech installer

Elastic Security Labs has discovered a new banking trojan, named TCLBanker, that targets 59 banking, fintech, and cryptocurrency platforms. The malware is distributed through a trojanized MSI installer for the legitimate Logitech AI Prompt Builder application and uses DLL side-loading to execute within the trusted Logitech process context, evading security products.

TCLBanker is believed to be a major evolution of the older Maverick/Sorvepotel malware family. It carries strong anti-analysis features, including environment-dependent payload decryption and a watchdog thread that hunts for debugging tools.

The trojan's banking module monitors browser address bars through the Windows UI Automation APIs and opens a WebSocket session with its command-and-control server when a victim visits one of the targeted platforms. Operators can then perform live screen streaming, screenshot capture, keylogging, clipboard hijacking, shell command execution, file system access, and remote mouse and keyboard control. The malware also uses WPF-based overlays to display fake credential prompts, PIN keypads, phone-number collection forms, fake bank support screens, and fake Windows Update screens in order to steal sensitive information.

A particularly concerning feature is TCLBanker's self-spreading capability, implemented as WhatsApp and Outlook worm modules. It can hijack authenticated WhatsApp Web sessions from Chromium browser profiles, harvesting contacts and sending spam messages with Brazilian numbers, and it abuses Microsoft Outlook COM automation to send phishing emails from the victim's own account.

While currently focused on Brazil, researchers warn that LATAM malware such as TCLBanker could expand its targeting globally, posing a real threat to cryptocurrency wallet and key holders who use any of the 59 targeted platforms.

Key facts

  • Distributed via trojanized Logitech AI Prompt Builder MSI installer using DLL side-loading.
  • Monitors browser address bars for the 59 targeted platforms; initiates a WebSocket session with the C2 server when triggered.
  • Capabilities include live screen streaming, keylogging, clipboard hijacking, remote control, and fake overlays.
  • Self-spreading worm modules hijack WhatsApp Web sessions and Outlook to send phishing messages.
  • Currently focused on Brazil but could expand globally; uses anti-analysis techniques to evade detection.

KeyAudit data perspective

KeyAudit data: base historical leak records: 0
