root@rebel:~$ cd /news/threats/tclbanker-malware-brazilian-trojan-spreads-via-whatsapp-and-outlook_
[TIMESTAMP: 2026-05-08 20:27 UTC] [AUTHOR: Runtime Rebel Intel] [SEVERITY: HIGH]

TCLBANKER Malware: Brazilian Trojan Spreads via WhatsApp and Outlook

AI-Assisted Analysis
// executive briefing tl;dr
  • [01] Immediate impact: Financial institutions and users face credential theft across 59 banking, fintech, and cryptocurrency platforms globally.
  • [02] Affected systems: Windows environments using WhatsApp and Outlook are vulnerable to automated propagation via the SORVEPOTEL worm component.
  • [03] Remediation: Implement strict attachment filtering and monitor for unusual API calls associated with automated messaging in communication applications.

Overview of the REF3076 Campaign

Security researchers at Elastic Security Labs have identified a sophisticated campaign, tracked as REF3076, involving a previously undocumented banking trojan named TCLBANKER. This malware represents a significant evolution in the Brazilian threat landscape, specifically targeting 59 different banking, fintech, and cryptocurrency platforms. According to The Hacker News, TCLBANKER is considered a major successor to the Maverick malware family, incorporating modernized modules for persistence and data exfiltration.

The threat actor behind this campaign uses phishing as its primary delivery vector to gain initial access to target environments. Once a host is compromised, the malware deploys a secondary payload known as the SORVEPOTEL worm. This component is designed to facilitate lateral movement and self-propagation through popular communication platforms, significantly increasing the infection surface within corporate networks.

Technical REF3076 Malware Analysis

The core functionality of TCLBANKER revolves around its ability to intercept financial transactions and steal sensitive credentials. Researchers note that the malware is deeply integrated with the Brazilian financial ecosystem, often focusing on the PIX instant payment system. However, its reach extends globally to various cryptocurrency exchanges and international fintech services, so the threat is not confined to Brazilian institutions or their customers.

A key differentiator for this APT cluster is its reliance on automated propagation. The SORVEPOTEL worm component integrates with Microsoft Outlook and the WhatsApp Desktop client. By leveraging the Messaging Application Programming Interface (MAPI) in Outlook, the worm can send malicious attachments or links to the victim’s contacts from the victim’s own mailbox. Because these messages originate from a legitimate internal account, they bypass traditional email security filters that scrutinize internal communications less heavily than external traffic. This makes understanding SORVEPOTEL worm propagation methods essential for modern network defense.

Furthermore, the malware maintains C2 communications via encrypted channels, allowing the attackers to update the trojan’s configuration or deploy additional modules. This flexibility allows REF3076 to adapt its TTPs to the security posture of the targeted environment, frequently changing its footprint to evade detection.

Impact on Financial Platforms

The scope of the TCLBANKER infection is broad, covering 59 unique applications. While traditional banking portals remain a focus, the inclusion of decentralized finance (DeFi) platforms and cryptocurrency wallets highlights the attackers’ shift toward high-velocity assets. The malware monitors browser activity and system processes to trigger overlay attacks, which present the user with a fraudulent login interface designed to capture multi-factor authentication codes in real time.

How to Detect TCLBANKER Banking Trojan

Defenders must adopt a multi-layered approach to identify and neutralize REF3076. Detection begins with monitoring for unusual process behavior in communication applications. For instance, an EDR solution should flag instances where WhatsApp or Outlook initiates unexpected network connections or accesses sensitive system directories not required for standard operations.

Security teams should also look for specific IoC patterns, such as the creation of scheduled tasks with randomized names or the presence of suspicious DLLs in the user’s AppData folder. Correlating these events within a SIEM can provide the necessary visibility to stop the infection before the malware can initiate financial fraud.

Mapping observed behaviors to the MITRE ATT&CK framework—specifically focusing on T1566 (Phishing), T1080 (Taint Shared Content), and T1547 (Boot or Logon Autostart Execution)—is recommended for building a comprehensive defense strategy. Organizations should prioritize the detection of unauthorized API calls from desktop applications that attempt to interact with the system’s messaging stack.
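The detection guidance in the paragraphs above (unexpected network connections from WhatsApp or Outlook, scheduled tasks with randomized names, DLLs appearing under a user's AppData folder, and correlating those events per host) can be expressed as a small triage script. The following is an added example, not code from Elastic Security Labs or Runtime Rebel; the event schema, process names, expected-destination lists, the randomness heuristic and the two-rule escalation threshold are assumptions, and the telemetry it runs over is constructed.

```python
"""Detection triage for TCLBANKER/SORVEPOTEL-style behaviour over constructed telemetry.

Added example, not code from Elastic Security Labs or Runtime Rebel. The event
schema, process names, expected-destination lists and thresholds are assumptions
for a hypothetical environment; tune them to your own telemetry.
"""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Messaging clients the article names as abused by the worm (lowercased image names).
MESSAGING_APPS = {"whatsapp.exe", "outlook.exe"}

# Assumption: destinations each client is expected to contact in this environment.
# Anything else from these processes is worth a look.
EXPECTED_DESTINATIONS = {
    "whatsapp.exe": ("whatsapp.com", "whatsapp.net"),
    "outlook.exe": ("office365.com", "office.com", "live.com"),
}


def domain_expected(process: str, dest: str) -> bool:
    """True if dest is one of the allowed domains (or a subdomain) for process."""
    allowed = EXPECTED_DESTINATIONS.get(process.lower(), ())
    return any(dest == d or dest.endswith("." + d) for d in allowed)


def looks_random(name: str) -> bool:
    """Heuristic for machine-generated scheduled-task names.

    Random names tend to interleave letters and digits ("a8f3k2q9x1") or have
    almost no vowels ("xkqzptrw"); human-written ones do neither. GUID-suffixed
    vendor tasks will trip this, so pair it with an allow-list in production.
    """
    compact = re.sub(r"[\s_\-]", "", name)
    if len(compact) < 8:
        return False
    letters = [c for c in compact if c.isalpha()]
    transitions = sum(1 for a, b in zip(compact, compact[1:]) if a.isalpha() != b.isalpha())
    vowel_ratio = sum(c in "aeiouAEIOU" for c in letters) / max(len(letters), 1)
    return transitions >= 3 or vowel_ratio < 0.15


def is_appdata_dll(path: str) -> bool:
    """DLL image loaded from anywhere under a user's AppData tree."""
    p = PureWindowsPath(path)
    return p.suffix.lower() == ".dll" and any(part.lower() == "appdata" for part in p.parts)


def triage(events):
    """Run the three article-derived rules over endpoint events; return alerts."""
    alerts = []
    for ev in events:
        proc = ev.get("process", "").lower()
        if ev["type"] == "network" and proc in MESSAGING_APPS and not domain_expected(proc, ev["dest"]):
            alerts.append({"host": ev["host"], "rule": "messaging_app_unexpected_destination",
                           "detail": f"{ev['process']} -> {ev['dest']}"})
        elif ev["type"] == "task_create" and looks_random(ev["name"]):
            alerts.append({"host": ev["host"], "rule": "randomized_task_name",
                           "detail": ev["name"]})
        elif ev["type"] == "image_load" and is_appdata_dll(ev["path"]):
            alerts.append({"host": ev["host"], "rule": "dll_loaded_from_appdata",
                           "detail": f"{ev['process']} loaded {ev['path']}"})
    return alerts


def escalate(alerts, min_rules: int = 2):
    """SIEM-style correlation: hosts where at least min_rules distinct rules fired."""
    rules_by_host = defaultdict(set)
    for a in alerts:
        rules_by_host[a["host"]].add(a["rule"])
    return sorted(h for h, r in rules_by_host.items() if len(r) >= min_rules)


# Constructed sample telemetry; hostnames, paths and domains are invented, not IoCs.
SAMPLE_EVENTS = [
    {"host": "WS-01", "type": "network", "process": "WhatsApp.exe", "dest": "web.whatsapp.com"},
    {"host": "WS-01", "type": "network", "process": "WhatsApp.exe", "dest": "cdn-update.example"},
    {"host": "WS-01", "type": "task_create", "process": "schtasks.exe", "name": "a8f3k2q9x1"},
    {"host": "WS-01", "type": "image_load", "process": "WhatsApp.exe",
     "path": r"C:\Users\ana\AppData\Roaming\svc\x.dll"},
    {"host": "WS-02", "type": "network", "process": "OUTLOOK.EXE", "dest": "outlook.office365.com"},
    {"host": "WS-02", "type": "task_create", "process": "schtasks.exe",
     "name": "OneDrive Standalone Update Task"},
    {"host": "WS-02", "type": "image_load", "process": "OUTLOOK.EXE",
     "path": r"C:\Program Files\Microsoft Office\root\Office16\MSO.DLL"},
]

if __name__ == "__main__":
    found = triage(SAMPLE_EVENTS)
    for a in found:
        print(f"[{a['host']}] {a['rule']}: {a['detail']}")
    print("escalate:", escalate(found))
```

On the constructed events only WS-01 raises alerts, and it trips all three rules, so `escalate()` returns it as the host to act on first; WS-02 shows the same applications doing ordinary work and stays quiet, which is the false-positive case any of these rules must survive on their own.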

Mitigation and Defense Strategies

To protect against TCLBANKER and its associated worm, organizations should prioritize the following actions:

  • Communication Security: Implement strict policies regarding the use of personal messaging apps on corporate devices. If WhatsApp or Outlook is necessary, ensure it is monitored by a SOC for automated message generation.
  • Credential Protection: Enforce Zero Trust architectures and multi-factor authentication (MFA) across all financial and administrative portals to mitigate the impact of stolen credentials.
  • Attachment Filtering: Configure mail gateways to block or sandbox executable attachments and script files commonly used by the SORVEPOTEL worm to propagate within the local network.
  • User Training: Educate employees on the risks of clicking links in messages, even those coming from trusted internal colleagues, as they may be the product of automated worm activity from an account that has already been compromised.
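The attachment-filtering item above, worked through as an added example rather than any gateway product's configuration: a classifier that blocks executables (by declared extension and by content, so a renamed PE is still caught), sends script files to a sandbox, treats double extensions as lures, and looks inside zip archives so a script or executable cannot ride in untouched. The extension lists, verdict names and archive limits are assumptions, and the sample attachments are constructed stand-ins, not real files.

```python
"""Attachment filtering policy for a mail gateway, as an added example.

Not the project's or any vendor's code. The extension lists, verdict names and
archive limits are assumptions; the gateway hook that calls filter_attachments()
is left to the deployment.
"""
import io
import zipfile
from pathlib import PurePosixPath

# Always dropped: Windows executables and installers.
BLOCK_EXTENSIONS = {".exe", ".dll", ".scr", ".com", ".pif", ".cpl", ".msi"}
# Detonated in a sandbox before delivery: scripts and container formats.
SANDBOX_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".ps1", ".bat",
                      ".cmd", ".hta", ".lnk", ".iso"}
MAGIC = ((b"MZ", "pe"), (b"PK\x03\x04", "zip"), (b"%PDF", "pdf"))
SEVERITY = {"allow": 0, "sandbox": 1, "block": 2}
MAX_ARCHIVE_DEPTH = 2               # assumption: inspect zips nested two levels deep
MAX_MEMBER_BYTES = 50 * 1024 * 1024  # assumption: larger members go to the sandbox


def sniff(data: bytes) -> str:
    """Identify content by leading bytes so a renamed PE is still seen as a PE."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return "unknown"


def classify(filename: str, data: bytes, depth: int = 0) -> str:
    """Return 'allow', 'sandbox' or 'block' for one attachment."""
    exts = [s.lower() for s in PurePosixPath(filename).suffixes]
    last = exts[-1] if exts else ""
    kind = sniff(data)
    if kind == "pe" or last in BLOCK_EXTENSIONS:
        return "block"                      # executable content or executable name
    if last in SANDBOX_EXTENSIONS:
        # "report.pdf.js" style double extensions are a lure, not a mistake.
        return "block" if len(exts) >= 2 else "sandbox"
    if kind == "zip":
        return classify_archive(data, depth)
    return "allow"


def classify_archive(data: bytes, depth: int) -> str:
    """An archive inherits the worst verdict of its members."""
    if depth >= MAX_ARCHIVE_DEPTH:
        return "sandbox"                    # too deeply nested to inspect inline
    worst = "allow"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                if info.flag_bits & 0x1 or info.file_size > MAX_MEMBER_BYTES:
                    verdict = "sandbox"     # encrypted or oversized: cannot inspect
                else:
                    verdict = classify(info.filename, zf.read(info), depth + 1)
                worst = max(worst, verdict, key=SEVERITY.get)
    except zipfile.BadZipFile:
        return "sandbox"                    # malformed archive is not trusted
    return worst


def filter_attachments(attachments: dict) -> dict:
    """Map each attachment name to its verdict."""
    return {name: classify(name, data) for name, data in attachments.items()}


def _zip_with(members: dict) -> bytes:
    """Build an in-memory zip for the constructed samples below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample attachments (tiny stand-in payloads, not real files).
SAMPLE_ATTACHMENTS = {
    "statement.pdf": b"%PDF-1.7\n%constructed\n",
    "invoice.pdf.exe": b"MZ\x90\x00" + b"\x00" * 16,
    "receipt.pdf": b"MZ\x90\x00" + b"\x00" * 16,          # PE renamed to look like a PDF
    "update.js": b"var x = 1;",
    "docs.zip": _zip_with({"readme.txt": b"hello", "setup.exe": b"MZ" + b"\x00" * 8}),
    "photos.zip": _zip_with({"a.jpg": b"\xff\xd8\xff\xe0"}),
}

if __name__ == "__main__":
    for name, verdict in filter_attachments(SAMPLE_ATTACHMENTS).items():
        print(f"{verdict:8} {name}")
```

The content sniff runs before the extension check on purpose: the worm's lures arrive as whatever name is most likely to be opened, so the gateway has to decide on what the bytes are, not what the sender called them. Encrypted and malformed archives are routed to the sandbox rather than allowed, since an archive the gateway cannot open is exactly the one it should not vouch for.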

By focusing on these areas, organizations can significantly reduce their risk profile against this highly targeted Brazilian banking trojan and prevent the supply chain attack scenarios often associated with worm-like malware.
