TCLBANKER Malware Exploits WhatsApp and Outlook to Target Users
TCLBANKER, a Brazilian banking trojan tracked as part of the REF3076 campaign, is an evolution of the Maverick and SORVEPOTEL families. What sets it apart is a pair of self-propagating modules that send the malware on through WhatsApp and Microsoft Outlook, so every infected machine becomes a distribution point.

The infection starts when a user downloads a malicious ZIP archive containing what appears to be a signed Logitech installer. The installer is a legitimate, signed Logitech executable placed beside a malicious DLL: through DLL side-loading, the trusted program loads the attacker's library from its own directory instead of the DLL it expects, and the payload then runs under the signed process. The signature on the executable is genuine; it is the loaded DLL that is malicious, which is why a signature check on the installer alone does not catch it.

Before fully activating, TCLBANKER checks for security sandboxes and confirms that the victim is located in Brazil. Analysts should expect a sample detonated outside Brazil, or in an instrumented environment, to behave as if it were benign. Once active, it monitors web browsers for visits to targeted financial sites and uses full-screen overlays to capture the user's credentials.
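The side-loading step above is the one a defender can hunt for generically: a signed executable loading a DLL from its own directory that is unsigned or signed by someone else, especially when that directory is user-writable (a Downloads or Temp folder where a ZIP was extracted). The following is an added example, not code from the article or from the REF3076 research, that runs that heuristic over a few constructed Sysmon-style image-load records. The ProcessSigner and DllSigner fields are an assumed enrichment (Sysmon's own image-load event carries only the loaded image's signature), and the vendor name "VendorCo", the user name and every path are invented for illustration; no real Logitech file names are used.

```python
# Added example (not code from the original article or from the REF3076 research):
# a heuristic over constructed Sysmon-style image-load records for the DLL
# side-loading pattern the article describes. Field names other than Sysmon's
# Image/ImageLoaded, the ProcessSigner/DllSigner enrichment, the vendor name
# "VendorCo" and every path below are assumptions made for illustration.
import ntpath
from typing import Dict, List, Optional, Tuple

# Directories an unprivileged user can write to; a signed installer running from
# one of these next to its own DLLs matches the ZIP delivery described above.
USER_WRITABLE_MARKERS = ("\\temp\\", "\\downloads\\", "\\appdata\\local\\", "\\users\\public\\")

# Constructed sample log: one record per line, pipe-separated key=value fields.
SAMPLE_LOG = r"""
Image=C:\Program Files\VendorCo\VendorApp.exe|ImageLoaded=C:\Program Files\VendorCo\vendorlib.dll|ProcessSigner=VendorCo|DllSigner=VendorCo
Image=C:\Users\maria\AppData\Local\Temp\Installer\VendorSetup.exe|ImageLoaded=C:\Windows\System32\kernel32.dll|ProcessSigner=VendorCo|DllSigner=Microsoft Windows
Image=C:\Users\maria\AppData\Local\Temp\Installer\VendorSetup.exe|ImageLoaded=C:\Users\maria\AppData\Local\Temp\Installer\helper.dll|ProcessSigner=VendorCo|DllSigner=
Image=C:\Program Files\VendorCo\VendorApp.exe|ImageLoaded=C:\Program Files\VendorCo\plugin.dll|ProcessSigner=VendorCo|DllSigner=OtherCorp
Image=C:\Users\maria\Downloads\tool.exe|ImageLoaded=C:\Users\maria\Downloads\tool.dll|ProcessSigner=|DllSigner=
"""


def parse_record(line: str) -> Dict[str, str]:
    """Turn one 'k=v|k=v' line into a dict (values may be empty, e.g. DllSigner=)."""
    return {k: v for k, v in (f.split("=", 1) for f in line.strip().split("|"))}


def is_user_writable(path: str) -> bool:
    return any(m in path.lower() for m in USER_WRITABLE_MARKERS)


def same_directory(a: str, b: str) -> bool:
    return ntpath.dirname(a).lower() == ntpath.dirname(b).lower()


def classify(rec: Dict[str, str]) -> Optional[str]:
    """Label a single image-load record, or return None when it looks benign."""
    exe, dll = rec["Image"], rec["ImageLoaded"]
    exe_signer = rec.get("ProcessSigner", "")
    dll_signer = rec.get("DllSigner", "")
    if not exe_signer:
        return None  # unsigned host process: not the "trusted signed EXE" case
    if not same_directory(exe, dll):
        return None  # side-loading relies on the DLL sitting beside the EXE
    if dll_signer.lower() == exe_signer.lower():
        return None  # the vendor's own DLL shipped with its signed executable
    label = "sideload_unsigned_dll" if not dll_signer else "sideload_signer_mismatch"
    if is_user_writable(exe):
        label += "_from_user_writable_dir"  # extracted-ZIP delivery, highest priority
    return label


def scan(log_text: str) -> List[Tuple[str, str]]:
    """Return (loaded DLL path, label) for every record that trips the heuristic."""
    findings = []
    for line in log_text.strip().splitlines():
        rec = parse_record(line)
        label = classify(rec)
        if label:
            findings.append((rec["ImageLoaded"], label))
    return findings


if __name__ == "__main__":
    for dll, label in scan(SAMPLE_LOG):
        print(f"{label}: {dll}")
```

Two of the five constructed records trip the rule: the unsigned helper.dll loaded by a signed executable out of a Temp folder (the shape of the installer described in the article) and a DLL in Program Files whose signer differs from the host's. System DLLs loaded from System32 and a vendor's own co-located, same-signer libraries are ignored, which keeps the alert volume down on real endpoints; in production the signer comparison should use the full certificate subject rather than a display name.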