TCLBANKER Trojan Targets Brazilian Financial Sector via Logitech Installer

Severity: High (Score: 70.2)

Sources: www.elastic.co, BleepingComputer, GBHackers, Cybersecurity News

Summary

A new banking trojan named TCLBANKER has emerged, targeting 59 Brazilian banking, fintech, and cryptocurrency platforms. Discovered by Elastic Security Labs, the malware uses a trojanized MSI installer of Logitech's AI Prompt Builder to infect systems stealthily. It features self-propagating worm modules that spread through WhatsApp and Outlook, hijacking authenticated sessions to message contacts and send phishing emails. The malware is designed to evade detection with robust anti-analysis techniques, including environment-dependent payloads and a persistent watchdog that terminates debugging tools. Currently the threat is focused primarily on Brazilian users, but it could expand its targeting scope. The campaign is tracked as REF3076, and the malware's capabilities include monitoring browser activity and deploying fraudulent overlays to steal sensitive information.

Key Points:

  • TCLBANKER targets 59 Brazilian financial platforms using a trojanized Logitech installer.
  • The malware includes self-propagating worm modules for WhatsApp and Outlook.
  • It employs advanced anti-analysis techniques to evade detection and protect its operations.

Key Entities

  • Malware (attack_type)
  • Phishing (attack_type)
  • Trojan (attack_type)
  • Worm (attack_type)
  • REF3076 (campaign)
  • Brazil (country)
  • CWE-798 - Use of Hard-coded Credentials (cwe)
  • Financial (industry)
  • Maverick (malware)
  • Sorvepotel (malware)
  • TCLBanker (malware)
  • T1053 - Scheduled Task/Job (mitre_attack)
  • T1071 - Application Layer Protocol (mitre_attack)
  • T1562.001 - Disable or Modify Tools (mitre_attack)
  • T1566 - Phishing (mitre_attack)
  • T1574 - Hijack Execution Flow (mitre_attack)
  • Chromium (platform)
  • Windows (platform)
  • Logitech (company)
  • 91fafaa1240676afe5c55d931261e3798797c408 (sha1)
  • de4dot (tool)
  • dnSpy (tool)
  • Frida (tool)
  • Ghidra (tool)
  • IDA (tool)