10 Critical Facts About the TCLBANKER Banking Trojan Targeting Financial Platforms



Cybersecurity researchers have uncovered a sophisticated new threat from Brazil: the TCLBANKER banking trojan. This malware, tracked as REF3076 by Elastic Security Labs, is a major evolution of the earlier Maverick banking trojan and employs a worm called SORVEPOTEL to spread via WhatsApp and Outlook. Targeting over 59 financial, fintech, and cryptocurrency platforms, TCLBANKER represents a significant escalation in Latin American cybercrime. Below are 10 essential facts you need to know about this emerging menace.

1. TCLBANKER Is a Brazilian Banking Trojan with Global Ambitions

Originating from Brazil, TCLBANKER is designed to steal credentials and financial data from users of banking, fintech, and cryptocurrency platforms. While its initial focus is on Brazilian institutions, its ability to target 59 different platforms suggests potential expansion to other regions. The trojan is part of a broader Latin American crimeware ecosystem, often sold as malware-as-a-service.


2. It Is a Major Upgrade of the Maverick Banking Trojan

Maverick, a known Brazilian malware family, has been active for years. TCLBANKER is not a simple variant but a comprehensive rewrite that incorporates new evasion techniques, modular capabilities, and improved command-and-control communication. Elastic Security Labs assesses that the core code has been rebuilt to enhance its persistence and data-stealing functions.

3. The Trojan Spreads via the SORVEPOTEL Worm

TCLBANKER piggybacks on a worm component named SORVEPOTEL, which is responsible for initial propagation. This worm uses social engineering tactics to trick users into downloading the malware. Once inside a network, it can spread laterally to other devices, widening the scope of the infection.

4. WhatsApp and Outlook Are the Primary Infection Vectors

Attackers exploit messaging platforms like WhatsApp and email clients like Outlook to distribute malicious links or attachments. The SORVEPOTEL worm often sends convincing messages from compromised accounts, encouraging recipients to click on infected files or URLs. This technique capitalizes on trust and personal connections.

5. TCLBANKER Targets 59 Different Financial Platforms

The malware includes hardcoded configurations for 59 distinct targets, covering traditional banks, fintech apps, and cryptocurrency exchanges. This broad scope suggests a campaign aimed at capturing a wide range of financial transactions and account credentials, potentially affecting thousands of users.

6. It Employs Advanced Credential Theft Techniques

Once installed, TCLBANKER uses keylogging, screen capture, and HTML injection to harvest login credentials, two-factor authentication codes, and session cookies. It can also intercept SMS messages if granted permissions, bypassing some multi-factor authentication mechanisms.


7. The Malware Maintains Persistent Access

TCLBANKER establishes persistence through registry modifications, scheduled tasks, or installation as a browser extension. It often hides within legitimate processes or uses rootkit capabilities to evade detection by antivirus software. This ensures long-term access even after system reboots.

8. Command-and-Control (C2) Communication Is Encrypted

The trojan communicates with its C2 servers using encrypted channels, making it difficult for network defenders to detect malicious traffic. It uses domain generation algorithms (DGAs) to create dynamic endpoints, further complicating takedown efforts.

9. Defenders Should Focus on Behavior-Based Detection

Traditional signature-based antivirus may miss TCLBANKER due to its constant evolution. Elastic Security Labs recommends behavior monitoring, anomaly detection, and endpoint detection and response (EDR) solutions. Blocking known C2 domains and monitoring for unusual outbound connections can also help.

10. Vigilance Is Key to Preventing Infection

Users should be cautious with unexpected messages or emails, even from known contacts, if they contain links or attachments. Enabling multi-factor authentication, keeping software updated, and using security solutions with phishing protection can reduce risk. Organizations should train employees to recognize social engineering tactics.

Conclusion

TCLBANKER represents a dangerous evolution in banking trojans, combining the self-propagation of a worm with the data-stealing power of modern malware. With 59 financial targets in its crosshairs and propagation via trusted communication platforms, it poses a serious threat to both individuals and institutions. By understanding these 10 facts, security teams and users can better prepare to defend against this Brazil-originated threat. Stay informed, stay cautious, and implement robust security practices to safeguard financial assets.
