Cybercrime
Professional Sabotage: TCLBANKER Abuses Outlook COM Automation to Send Phishing Emails to Coworkers
Cyber RT | May 11, 2026 | 3 min read

A new Brazilian banking trojan, TCLBANKER, targets 59 banking, fintech, and cryptocurrency platforms. Tracked as REF3076 by Elastic Security Labs, it is an update of the Maverick family and spreads via WhatsApp and Outlook. The malware uses DLL side-loading and anti-analysis techniques to evade detection, and it hijacks victims' WhatsApp Web sessions and Outlook accounts to propagate through trusted channels, sidestepping traditional spam filters. TCLBANKER reflects the growing sophistication of Brazilian banking trojans.
A newly identified Brazilian banking trojan, named TCLBANKER, has been discovered by threat hunters, capable of targeting 59 banking, fintech, and cryptocurrency platforms. This malware is being tracked by Elastic Security Labs under the identifier REF3076 and is considered a significant update of the Maverick family, known for using a worm called SORVEPOTEL to spread via WhatsApp Web. The Maverick campaign is associated with a threat cluster named Water Saci by Trend Micro.
At the heart of the attack is a loader with strong anti-analysis features that deploys two embedded modules: a full-featured banking trojan and a worm component that propagates through WhatsApp and Microsoft Outlook. The infection chain starts with a malicious MSI installer delivered inside a ZIP file; the installer abuses a legitimately signed Logitech executable, Logi AI Prompt Builder, as the host process for loading the malware.
The malware relies on DLL side-loading: the signed Logitech binary loads a malicious DLL, "screen_retriever_plugin.dll," which acts as the loader and carries a watchdog subsystem. The watchdog monitors for analysis tools and antivirus software and suppresses activity when it sees them. The DLL refuses to run unless it was loaded by one of a small set of expected host executables, and it strips user-mode API hooks placed by security products and disables Event Tracing for Windows (ETW) telemetry so that later stages leave less for EDR sensors to see.
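The side-loading step above leaves a recognisable shape in image-load telemetry: a vendor-signed host process loading an unsigned DLL that sits beside it in a user-writable directory. The following detector is an added example (not code from the article or from Elastic Security Labs). Its event schema is loosely modelled on Sysmon image-load events, the records are constructed, and the file name of the Logitech host executable is an assumption, since the article names only the product.

```python
"""Score image-load events for DLL side-loading.

Added example, not code from the article or from Elastic Security Labs.
The event schema is loosely modelled on Sysmon image-load telemetry, the
records are constructed, and the Logitech host executable's file name is
an assumption (the article names only the product, Logi AI Prompt Builder).
"""
from pathlib import PureWindowsPath

# Locations a standard user can write to. A vendor-signed binary loading an
# unsigned DLL out of one of these is the side-loading shape the text describes.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")

# Constructed telemetry: one dict per image-load event.
EVENTS = [
    {   # assumed host file name; DLL name from the article; unsigned, same user-writable dir
        "host_image": r"C:\Users\ana\AppData\Local\Temp\LogiAI\logi_ai_prompt_builder.exe",
        "host_signer": "Logitech",
        "loaded_image": r"C:\Users\ana\AppData\Local\Temp\LogiAI\screen_retriever_plugin.dll",
        "loaded_signer": None,
    },
    {   # benign: signed browser loading its own signed component
        "host_image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
        "host_signer": "Google LLC",
        "loaded_image": r"C:\Program Files\Google\Chrome\Application\chrome_elf.dll",
        "loaded_signer": "Google LLC",
    },
    {   # benign: system binary loading a system DLL
        "host_image": r"C:\Windows\System32\notepad.exe",
        "host_signer": "Microsoft Windows",
        "loaded_image": r"C:\Windows\System32\kernel32.dll",
        "loaded_signer": "Microsoft Windows",
    },
]


def is_user_writable(path: str) -> bool:
    return any(marker in path.lower() for marker in USER_WRITABLE_MARKERS)


def sideload_score(ev: dict) -> tuple:
    """Return (score, reasons) for one event. Scores >= 4 are side-loading candidates."""
    host = PureWindowsPath(ev["host_image"])
    dll = PureWindowsPath(ev["loaded_image"])
    score, reasons = 0, []
    if dll.suffix.lower() != ".dll":
        return 0, reasons
    if ev["host_signer"] and not ev["loaded_signer"]:
        score += 2
        reasons.append("signed host loaded an unsigned DLL")
    elif ev["host_signer"] and ev["loaded_signer"] != ev["host_signer"]:
        score += 1
        reasons.append("DLL signer differs from host signer")
    if host.parent == dll.parent:
        score += 1
        reasons.append("DLL sits next to the host (search-order hijack position)")
    if is_user_writable(str(dll)):
        score += 2
        reasons.append("DLL loaded from a user-writable directory")
    return score, reasons


def find_sideload_candidates(events, threshold: int = 4) -> list:
    """Return the events whose score meets the threshold, with the reasons attached."""
    hits = []
    for ev in events:
        score, reasons = sideload_score(ev)
        if score >= threshold:
            hits.append({
                "host": PureWindowsPath(ev["host_image"]).name,
                "dll": PureWindowsPath(ev["loaded_image"]).name,
                "score": score,
                "reasons": reasons,
            })
    return hits


if __name__ == "__main__":
    for hit in find_sideload_candidates(EVENTS):
        print(hit)
```

Only the Logitech event crosses the threshold: it collects the unsigned-DLL, same-directory and user-writable signals at once, while a signed browser loading its own signed component from Program Files scores a single point. In production the signer fields would come from the image-load event's signature data, and the user-writable list needs tuning for whatever a given fleet installs per-user.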
TCLBANKER derives three fingerprints from its anti-debugging checks, its anti-virtualization checks, and the system language, and combines them into an environment hash. That hash is the key material for decrypting the embedded payload, which ties execution to machines whose default language is Brazilian Portuguese. If a debugger or virtual machine is detected, or the language differs, the resulting hash is wrong, the payload never decrypts, and execution stops without the second stage ever touching memory. For defenders this means a sandbox must present a Brazilian Portuguese, un-instrumented environment to see the payload at all, and static signatures have to land on the loader rather than on the encrypted stage.
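The keying scheme just described is what makes the loader resistant to detonation in a generic sandbox, and it is easier to reason about when the mechanism is spelled out. The block below is an added example (not TCLBANKER's code or Elastic's) that models it: three fingerprints collapse into an environment hash, the hash keys a toy keystream cipher with an HMAC tag, and decryption under the wrong environment fails closed. The fingerprint values, the toy cipher, the HMAC check and the "pt-BR" locale string are all assumptions made for the demonstration.

```python
"""Environmental keying: the payload key is derived from the anti-analysis checks.

Added example, not TCLBANKER's or Elastic's code. The fingerprint inputs, the
SHA-256 keystream cipher, the HMAC tag and the locale string are assumptions;
a real loader computes the fingerprints from the machine it runs on.
"""
import hashlib
import hmac
from typing import Optional


def fingerprint(debugger_present: bool, virtualized: bool, locale: str) -> bytes:
    """Collapse the three checks into one environment hash."""
    fp_debug = b"dbg:" + (b"1" if debugger_present else b"0")
    fp_vm = b"vm:" + (b"1" if virtualized else b"0")
    fp_lang = b"lang:" + locale.lower().encode()
    return hashlib.sha256(fp_debug + b"|" + fp_vm + b"|" + fp_lang).digest()


def keystream(key: bytes, length: int) -> bytes:
    """Toy counter-mode keystream from SHA-256 (demonstration only, not a real cipher)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def seal(payload: bytes, env_hash: bytes) -> bytes:
    """Encrypt the payload under the expected environment hash and prepend an HMAC tag."""
    ct = bytes(a ^ b for a, b in zip(payload, keystream(env_hash, len(payload))))
    tag = hmac.new(env_hash, ct, hashlib.sha256).digest()
    return tag + ct


def unseal(blob: bytes, env_hash: bytes) -> Optional[bytes]:
    """Return the payload, or None when the environment hash does not match."""
    tag, ct = blob[:32], blob[32:]
    expected = hmac.new(env_hash, ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # wrong environment: the loader has nothing to run and halts
    return bytes(a ^ b for a, b in zip(ct, keystream(env_hash, len(ct))))


# Constructed payload, sealed to the environment the loader is keyed for.
PAYLOAD = b"<constructed second-stage placeholder>"
VICTIM_ENV = fingerprint(debugger_present=False, virtualized=False, locale="pt-BR")
BLOB = seal(PAYLOAD, VICTIM_ENV)


def run_under(debugger_present: bool, virtualized: bool, locale: str) -> Optional[bytes]:
    """Simulate the loader's decrypt step on a machine with the given properties."""
    return unseal(BLOB, fingerprint(debugger_present, virtualized, locale))


if __name__ == "__main__":
    print("victim machine:", run_under(False, False, "pt-BR"))
    print("debugger attached:", run_under(True, False, "pt-BR"))
    print("en-US sandbox:", run_under(False, False, "en-US"))
```

The point of the HMAC tag is that a wrong key is detected before anything is executed, so an analyst who patches the debugger check still ends up with a hash that was never the right one; the only way to get the payload is to make every check return the victim's answer, which is exactly what the sandbox has to be configured to do.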
Once the checks pass, the banking trojan component establishes persistence through a scheduled task and checks in to its command-and-control server with an HTTP POST request. It includes a self-update mechanism and a URL monitor that reads the URLs open in browsers such as Google Chrome and Mozilla Firefox. When a URL matches one of the targeted financial institutions, the trojan opens a WebSocket connection to the operators for the interactive phase of the attack.
The trojan can run shell commands, capture screenshots, and manipulate the clipboard. It also ships a Windows Presentation Foundation (WPF)-based overlay framework for social engineering, drawing fake credential prompts and other deceptive dialogs over the victim's banking session. The overlays harvest the entered data while being rendered in a way that keeps them out of the reach of ordinary screen-capture tools.
In parallel, the loader activates the worm module, which spreads the trojan through spam and phishing messages sent from the victim's own accounts: a WhatsApp Web worm hijacks the victim's browser session, and an Outlook email bot drives the locally installed Outlook client through COM automation to send phishing emails to the victim's contacts, coworkers included. Because the messages leave from a legitimate mailbox and session rather than from attacker infrastructure, they bypass traditional spam filters and arrive with the trust of a known sender.
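Because the phishing mail leaves from a real mailbox, the reputation and content filters the text mentions have little to work with; what does stand out is the sending pattern, the same subject pushed to many distinct recipients in a short window. The detector below is an added example (not the article's or Elastic's code) that runs that check over constructed message-trace rows. The row layout, the window and the recipient threshold are assumptions to be tuned per tenant.

```python
"""Flag worm-like outbound bursts in constructed message-trace records.

Added example, not code from the article or from Elastic Security Labs.
The rows mimic a mail-flow / message-trace export but are constructed; the
window length and recipient threshold are assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed trace rows: (timestamp, sender, recipient, subject).
TRACE = [
    # ana's mailbox, driven by the worm: one subject to six coworkers in ~15 s
    ("2026-05-11T09:00:05", "ana@corp.example", "bruno@corp.example", "Comprovante de pagamento"),
    ("2026-05-11T09:00:07", "ana@corp.example", "carla@corp.example", "Comprovante de pagamento"),
    ("2026-05-11T09:00:09", "ana@corp.example", "diego@corp.example", "Comprovante de pagamento"),
    ("2026-05-11T09:00:12", "ana@corp.example", "eva@corp.example", "Comprovante de pagamento"),
    ("2026-05-11T09:00:14", "ana@corp.example", "felipe@corp.example", "Comprovante de pagamento"),
    ("2026-05-11T09:00:16", "ana@corp.example", "gabi@corp.example", "Comprovante de pagamento"),
    ("2026-05-11T09:00:20", "ana@corp.example", "bruno@corp.example", "Comprovante de pagamento"),
    # bruno: ordinary mail, different subjects, few recipients
    ("2026-05-11T09:01:00", "bruno@corp.example", "ana@corp.example", "Re: reunião"),
    ("2026-05-11T09:01:30", "bruno@corp.example", "carla@corp.example", "Fatura abril"),
    ("2026-05-11T09:02:00", "bruno@corp.example", "diego@corp.example", "Re: reunião"),
    # ana again, half an hour later: outside the window, so it counts on its own
    ("2026-05-11T09:30:00", "ana@corp.example", "hugo@corp.example", "Comprovante de pagamento"),
]

WINDOW = timedelta(seconds=120)   # assumption: burst window
MIN_RECIPIENTS = 5                # assumption: distinct recipients that trigger an alert


def detect_bursts(trace, window=WINDOW, min_recipients=MIN_RECIPIENTS) -> dict:
    """Return {sender: (subject, peak_distinct_recipients)} for senders that pushed
    the same subject to at least `min_recipients` distinct recipients within `window`.
    """
    rows = sorted(trace, key=lambda r: r[0])          # ISO timestamps sort lexically
    recent = defaultdict(deque)                       # (sender, subject) -> deque of (ts, rcpt)
    alerts = {}
    for ts_str, sender, rcpt, subject in rows:
        ts = datetime.fromisoformat(ts_str)
        key = (sender, subject.strip().lower())
        q = recent[key]
        q.append((ts, rcpt))
        while q and ts - q[0][0] > window:            # slide the window forward
            q.popleft()
        distinct = {r for _, r in q}
        peak = alerts.get(sender, (None, 0))[1]
        if len(distinct) >= min_recipients and len(distinct) > peak:
            alerts[sender] = (subject, len(distinct))
    return alerts


if __name__ == "__main__":
    for sender, (subject, count) in detect_bursts(TRACE).items():
        print(f"{sender}: '{subject}' to {count} distinct recipients within {WINDOW}")
```

Only ana's mailbox trips the rule, at six distinct recipients; the duplicate to bruno does not inflate the count, and the message to hugo thirty minutes later falls outside the window. On the host side the same activity shows up as the Outlook process being driven by another process rather than by the user, and correlating that with a mailbox burst like this one is what turns a noisy rule into a confident one.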
REF3076 currently appears to be in its early stages: leftover debug logs and unfinished phishing sites point to a campaign still under active development. Elastic notes that TCLBANKER fits a broader trend in the Brazilian banking trojan ecosystem, where evasion and propagation techniques once reserved for targeted operations are being folded into commodity crimeware, which is what makes it hard for traditional security defenses to keep up.