A New Threat Emerges
Cybercriminals have developed a new banking trojan named TCLBANKER, which is spreading through a deceptively legitimate-looking Logitech installer. The attackers abuse a digitally signed installer so that the malware is delivered onto users' systems undetected. This method exploits the trust associated with well-known software brands, making it an effective strategy for distributing the malware.
Trojan Distribution Tactics
The operation, identified as REF3076, involves a malicious MSI installer concealed within a ZIP file. The infection process is triggered when the victim executes what appears to be a standard Logitech application installer. The attackers bundle the legitimate Logi AI Prompt Builder application and use a technique known as DLL sideloading: the signed application loads a malicious DLL placed alongside it. This harmful file is loaded automatically once the application is launched, without the user's awareness.
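The sideloading pattern above can be triaged from image-load telemetry. The following is an added detection example, not code from the article or from Elastic: it flags a signed process loading an unsigned (or differently signed) DLL from its own directory or a user-writable path. The event fields are modelled on Sysmon Event ID 7 but the records are constructed, and the file names are placeholders, not indicators from the REF3076 report.

```python
"""Flag image-load events that look like DLL sideloading from a signed installer."""
import ntpath

# Directories Windows uses for trusted system DLLs; loads from here are not
# sideload candidates on their own.
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\winsxs")
# Path fragments for locations a user (or an installer run as a user) can write to.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\users\\public\\", "\\downloads\\")


def is_sideload_candidate(event):
    """True when a signed host process loads an untrusted DLL from its own
    directory or a user-writable location, the pattern used when a legitimate
    signed binary is abused to load an attacker-supplied DLL."""
    image = event["image"].lower()
    dll = event["image_loaded"].lower()
    if not event.get("signed", False):
        return False  # unsigned host process: handled by a different rule
    if any(dll.startswith(d) for d in SYSTEM_DIRS):
        return False
    same_dir = ntpath.dirname(image) == ntpath.dirname(dll)
    user_writable = any(frag in dll for frag in USER_WRITABLE)
    # A DLL is untrusted if unsigned, or signed by someone other than the host's signer.
    dll_untrusted = (not event.get("image_loaded_signed", False)
                     or event.get("image_loaded_signature") != event.get("signature"))
    return (same_dir or user_writable) and dll_untrusted


def triage(events):
    """Return the loaded-DLL paths of every event that matches the sideload pattern."""
    return [e["image_loaded"] for e in events if is_sideload_candidate(e)]


# Constructed sample events (hypothetical paths and signer names, not IoCs).
SAMPLE_EVENTS = [
    {"image": r"C:\Users\victim\AppData\Local\Temp\LogiInstaller\app.exe",
     "signed": True, "signature": "Placeholder Vendor A",
     "image_loaded": r"C:\Users\victim\AppData\Local\Temp\LogiInstaller\helper.dll",
     "image_loaded_signed": False, "image_loaded_signature": None},
    {"image": r"C:\Program Files\VendorB\app.exe",
     "signed": True, "signature": "Placeholder Vendor B",
     "image_loaded": r"C:\Windows\System32\kernel32.dll",
     "image_loaded_signed": True, "image_loaded_signature": "Microsoft Windows"},
    {"image": r"C:\Program Files\VendorB\app.exe",
     "signed": True, "signature": "Placeholder Vendor B",
     "image_loaded": r"C:\Program Files\VendorB\plugin.dll",
     "image_loaded_signed": True, "image_loaded_signature": "Placeholder Vendor B"},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print("sideload candidate:", hit)
```

Only the first sample (a signed installer loading an unsigned DLL from its own temp directory) is reported; the system DLL and the plugin signed by the same vendor are not.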
According to Elastic Security Labs, TCLBANKER targets users in Brazil who access banking, fintech, or cryptocurrency websites. The trojan surveils the victim’s browser activity, particularly monitoring visits to 59 financial domains. Upon detecting a match, it establishes a live connection with the attacker’s command server, granting the operator full control.
Advanced Evasion Techniques
The sophistication of TCLBANKER extends beyond its initial infection vector. The malware is designed to mimic authentic banking interfaces through fake overlays, immobilize the victim’s desktop to create confusion, and disable the Task Manager to prevent the termination of the malicious process. These tactics are part of a coordinated effort to ensure the fraud appears seamless to the victim.
The trojan employs several measures to avoid detection. It verifies environmental conditions, such as ensuring the system is not running in a virtual machine or sandbox and confirming the primary language is Brazilian Portuguese. If these checks fail, the trojan ceases to operate, leaving minimal traces.
Self-Propagation and Prevention
One of the most concerning features of TCLBANKER is its ability to self-propagate. It includes two worm modules that enable it to spread via trusted channels. The first module exploits the victim’s active WhatsApp Web session, sending malware links to Brazilian contacts. The second module uses Microsoft Outlook to send phishing emails from the victim’s account, appearing legitimate and bypassing security filters.
Elastic researchers have observed that the attack infrastructure is hosted on Cloudflare Workers, facilitating quick rotation when necessary. To mitigate risks, individuals and organizations should maintain updated security software, be cautious of ZIP files or MSI installers from messaging apps or emails, and monitor for unusual system activities.
Conclusion
As TCLBANKER continues to evolve, its potential impact on financial security remains a significant concern. Awareness and proactive measures are essential to defend against this threat. Ensuring robust cybersecurity practices and staying informed can help protect against such sophisticated cyber threats.
