TCLBANKER: A New Brazilian Banking Trojan Spreading via WhatsApp and Outlook

Cybersecurity researchers have uncovered a sophisticated Brazilian banking trojan known as TCLBANKER, which poses a significant threat to users of banking, fintech, and cryptocurrency platforms. This malware, tracked as REF3076 by Elastic Security Labs, is an advanced version of the older Maverick Trojan, leveraging the SORVEPOTEL worm to propagate through messaging applications like WhatsApp and Outlook. Below, we dive into the details of this emerging threat with a series of frequently asked questions.

What is TCLBANKER and Which Platforms Does It Target?

TCLBANKER is a newly identified Brazilian banking trojan designed to infiltrate and steal data from financial accounts. It specifically targets a wide array of platforms—over 59 in total—including traditional banks, fintech services, and cryptocurrency exchanges. The malware focuses on Latin American financial institutions, but its reach extends globally due to the interconnected nature of digital finance. By capturing sensitive information like login credentials, session tokens, and two-factor authentication codes, TCLBANKER enables attackers to perform unauthorized transactions and drain funds. The trojan is part of a larger campaign tracked by Elastic Security Labs under the identifier REF3076, highlighting its organized and persistent nature. Users of these platforms should be aware that the malware can compromise both personal and business accounts, leading to severe financial losses.


How is TCLBANKER Related to the Maverick Trojan?

TCLBANKER is not a novel creation from scratch but rather a significant evolution of the earlier Maverick Trojan. Maverick was known for its use of the SORVEPOTEL worm to self-replicate and spread via email and messaging apps. TCLBANKER retains this propagation technique while enhancing its capabilities. The update introduces improved code obfuscation, more sophisticated payload delivery, and a broader list of targeted financial platforms—expanding from a handful to 59. This evolution suggests that the same threat actors behind Maverick have invested heavily in refining their tools. The connection between the two malware families is crucial for threat hunters, as it allows them to anticipate attack patterns and develop countermeasures. Understanding this lineage helps cybersecurity professionals trace the origins of TCLBANKER and predict future updates.

How Does TCLBANKER Spread via WhatsApp and Outlook Worms?

TCLBANKER relies on the SORVEPOTEL worm component to propagate across networks. This worm specifically exploits the trust inherent in popular communication platforms like WhatsApp and Microsoft Outlook. On WhatsApp, it may send infected attachments or links to all contacts, often disguised as legitimate messages from friends or colleagues. In Outlook, the worm can harvest email addresses from the victim's inbox and send phishing emails with malicious attachments. Once a recipient opens the attachment, the trojan gains a foothold on their system. The self-spreading nature of SORVEPOTEL makes TCLBANKER particularly dangerous, as one infected user can quickly lead to many. The worm also employs social engineering tactics, such as urgent messages about package deliveries or security alerts, to trick victims. This method of propagation exploits personal and professional networks, increasing the attack surface significantly.
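The Outlook propagation path described above, a compromised mailbox harvesting addresses and mailing the same malicious attachment to many contacts in a short burst, is behaviour a mail gateway can flag without knowing the payload's hash in advance. The following is an added example and is not code from Elastic Security Labs or from this article: a fan-out detector run over constructed gateway log lines. The log format, the `example.test` addresses, the attachment hashes, the `window` and `threshold` values and the function names are all assumptions made for illustration.

```python
"""Fan-out detection for worm-style mail propagation (added example).

Flags a mailbox that sends the same attachment (identified by SHA-256) to many
distinct recipients inside a short time window. The log format and all sample
data below are constructed for this example; adapt parse_line() to the real
format of your mail gateway.
"""
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format (assumption): one line per delivery attempt.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) sender=(?P<sender>\S+) rcpt=(?P<rcpt>\S+) "
    r"attach_sha256=(?P<sha>[0-9a-f]{64})$"
)


def parse_line(line):
    """Return (timestamp, sender, rcpt, sha) or None if the line carries no attachment."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["sender"].lower(), m["rcpt"].lower(), m["sha"]


def detect_fanout(lines, window=timedelta(minutes=10), threshold=5):
    """Return one alert per (sender, attachment) pair whose number of distinct
    recipients inside any sliding `window` reaches `threshold`."""
    events = [e for e in map(parse_line, lines) if e]
    events.sort(key=lambda e: e[0])
    per_key = defaultdict(list)          # (sender, sha) -> [(ts, rcpt), ...]
    for ts, sender, rcpt, sha in events:
        per_key[(sender, sha)].append((ts, rcpt))

    alerts = []
    for (sender, sha), evs in per_key.items():
        recent = deque()                 # events currently inside the window
        counts = Counter()               # rcpt -> occurrences inside the window
        alert = None
        for ts, rcpt in evs:
            recent.append((ts, rcpt))
            counts[rcpt] += 1
            # Evict events that fell out of the window; a recipient is only
            # "distinct" while at least one of its deliveries is still inside.
            while recent and ts - recent[0][0] > window:
                old_ts, old_rcpt = recent.popleft()
                counts[old_rcpt] -= 1
                if counts[old_rcpt] == 0:
                    del counts[old_rcpt]
            if len(counts) >= threshold:
                if alert is None:
                    alert = {
                        "sender": sender,
                        "attachment_sha256": sha,
                        "distinct_recipients": len(counts),
                        "first_seen": recent[0][0].isoformat(),
                        "last_seen": ts.isoformat(),
                    }
                    alerts.append(alert)
                # Keep extending the alert while the burst continues.
                alert["distinct_recipients"] = max(alert["distinct_recipients"], len(counts))
                alert["last_seen"] = ts.isoformat()
    return alerts


# Constructed sample data (not real indicators): hashes are placeholders.
WORM_SHA = "ab" * 32
INVOICE_SHA = "cd" * 32
NEWS_SHA = "ef" * 32
SAMPLE_LOG = [
    # A compromised mailbox bursts one attachment to its contact list.
    "2024-05-02T09:00:00Z sender=carla@example.test rcpt=ana@example.test attach_sha256=" + WORM_SHA,
    "2024-05-02T09:00:30Z sender=carla@example.test rcpt=bruno@example.test attach_sha256=" + WORM_SHA,
    "2024-05-02T09:01:00Z sender=carla@example.test rcpt=diego@example.test attach_sha256=" + WORM_SHA,
    "2024-05-02T09:01:30Z sender=carla@example.test rcpt=elena@example.test attach_sha256=" + WORM_SHA,
    "2024-05-02T09:02:00Z sender=carla@example.test rcpt=ana@example.test attach_sha256=" + WORM_SHA,
    "2024-05-02T09:03:00Z sender=carla@example.test rcpt=felipe@example.test attach_sha256=" + WORM_SHA,
    "2024-05-02T09:04:00Z sender=carla@example.test rcpt=gabi@example.test attach_sha256=" + WORM_SHA,
    "2024-05-02T09:05:00Z sender=carla@example.test rcpt=hugo@example.test attach_sha256=none",
    # Legitimate low-volume sender: same attachment to two people.
    "2024-05-02T09:10:00Z sender=finance@example.test rcpt=ana@example.test attach_sha256=" + INVOICE_SHA,
    "2024-05-02T09:11:00Z sender=finance@example.test rcpt=bruno@example.test attach_sha256=" + INVOICE_SHA,
    # Legitimate bulk sender spread over two hours: never six recipients in ten minutes.
    "2024-05-02T08:00:00Z sender=news@example.test rcpt=ana@example.test attach_sha256=" + NEWS_SHA,
    "2024-05-02T08:20:00Z sender=news@example.test rcpt=bruno@example.test attach_sha256=" + NEWS_SHA,
    "2024-05-02T08:40:00Z sender=news@example.test rcpt=diego@example.test attach_sha256=" + NEWS_SHA,
    "2024-05-02T09:00:00Z sender=news@example.test rcpt=elena@example.test attach_sha256=" + NEWS_SHA,
    "2024-05-02T09:20:00Z sender=news@example.test rcpt=felipe@example.test attach_sha256=" + NEWS_SHA,
    "2024-05-02T09:40:00Z sender=news@example.test rcpt=gabi@example.test attach_sha256=" + NEWS_SHA,
]

if __name__ == "__main__":
    for a in detect_fanout(SAMPLE_LOG):
        print(a)
```

The rule keys on behaviour (one sender, one attachment, many distinct recipients in a short window) rather than on a known hash, so it still fires when the attachment is repacked or renamed. Tune `window` and `threshold` against a baseline of your legitimate bulk senders, and route the alert to an analyst or to an automatic outbound hold rather than to a hard block, since a busy finance or HR mailbox can produce a similar pattern.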

What is the REF3076 Tracking Identifier and Who Discovered It?

REF3076 is the identifier assigned by Elastic Security Labs to the threat campaign involving TCLBANKER. Elastic Security Labs, the cybersecurity research division of Elastic, uncovered this malware through their threat hunting systems. The identifier helps analysts group related indicators of compromise, such as IP addresses, domain names, and file hashes, so that the entire campaign can be studied holistically. REF3076 is not a malware name itself but a tracking code for the operational activity. This campaign combines the TCLBANKER trojan with the SORVEPOTEL worm and other supporting infrastructure. By using a consistent reference number, security teams can share information more efficiently and update defenses against all components of the attack. Elastic Security Labs has released detailed reports to help organizations detect and mitigate this threat.


Why is TCLBANKER Considered a Major Update of Maverick?

Security researchers classify TCLBANKER as a major update to Maverick because it introduces several critical enhancements. First, it significantly expands its target list from roughly 20 to 59 financial platforms, including many cryptocurrency exchanges—a sign of adapting to the growing digital currency trend. Second, the malware's codebase has been restructured with advanced obfuscation techniques to evade antivirus detection and sandbox analysis. Third, its data exfiltration methods are more stealthy, using encrypted channels to send stolen credentials. Fourth, the integration with the SORVEPOTEL worm has been improved for faster self-replication. These changes demonstrate a deliberate effort by the attackers to create a more resilient and effective tool. Such upgrades indicate that the threat actors have invested resources and learned from previous failures, making TCLBANKER a formidable adversary in the banking trojan landscape.

What Are the Implications for Users of Targeted Platforms?

Users of the 59 banking, fintech, and cryptocurrency platforms targeted by TCLBANKER face serious risks. The trojan can capture login credentials, session cookies, and even one-time passwords from authenticator apps, allowing attackers to access accounts even with two-factor authentication enabled. Potential consequences include unauthorized fund transfers, identity theft, and long-term account compromise. Because the malware spreads via WhatsApp and Outlook worms, even users who are cautious may be infected by a trusted contact. Business users are especially vulnerable, as a single infected workstation can compromise corporate financial accounts. Furthermore, the malware is designed to persist on systems, surviving reboots and attempts to remove it. Users should watch for unusual messages from contacts asking them to open attachments, and enable multi-factor authentication wherever possible. Regular security updates and endpoint protection are also critical.

How Can Users Protect Themselves from TCLBANKER?

To defend against TCLBANKER, users should implement a multi-layered security approach. First, be wary of unexpected attachments or links received via WhatsApp or email, even from known contacts—verify with the sender through another channel. Second, install and update reputable antivirus software that includes behavioral detection for trojans and worms. Third, enable two-factor authentication using an authenticator app rather than SMS, as TCLBANKER can intercept SMS codes. Fourth, apply the latest operating system and application patches to close vulnerabilities that exploits might use. Fifth, consider using a password manager to generate unique, strong passwords for each financial platform. Organizations should enforce email security filters and network segmentation to limit worm spread. Finally, stay informed by following threat intelligence from sources like Elastic Security Labs. Regular security awareness training can also help users recognize social engineering tactics employed by the SORVEPOTEL worm.
