root@rebel:~$ cd /news/threats/tclbanker-malware-targets-fintech-via-whatsapp-and-outlook_
[TIMESTAMP: 2026-05-08 05:05 UTC] [AUTHOR: Runtime Rebel Intel] [SEVERITY: HIGH]

TCLBanker Malware Targets Fintech via WhatsApp and Outlook

AI-Assisted Analysis
// executive briefing tl;dr
  • [01] TCLBanker targets 59 banking, fintech and cryptocurrency platforms with overlay attacks and data exfiltration, putting credentials, 2FA codes and funds at high risk.
  • [02] Initial access is a trojanized MSI installer posing as Logitech AI Prompt Builder; once running, the malware spreads itself from the victim's WhatsApp and Outlook desktop clients.
  • [03] Organizations should block execution of unapproved MSI installers and alert on unusual bursts of outbound messages from corporate communication clients.

Overview of the TCLBanker Campaign

A sophisticated new banking trojan dubbed TCLBanker has been identified targeting dozens of financial and cryptocurrency platforms. According to Bleeping Computer, the malware is currently distributed through a trojanized MSI installer posing as 'Logitech AI Prompt Builder', a legitimate productivity tool. Once installed, TCLBanker uses worm-like capabilities to spread to other systems via WhatsApp and Microsoft Outlook, making it a significant threat to corporate environments where those tools are ubiquitous.

While the campaign currently focuses on South American users, the attackers' infrastructure and TTPs could be pointed at any region. By impersonating legitimate software, the attackers sidestep ordinary user skepticism, borrowing Logitech's brand recognition to land the initial compromise. No CVE is involved in initial entry: the threat relies on social engineering and phishing to trick users into running the malicious installer.

Analysis of the Trojanized Logitech AI Prompt Builder Installer

The infection chain begins when a victim downloads a malicious MSI file advertised as the Logitech AI Prompt Builder. Unlike delivery mechanisms that rely on macro-enabled documents, a trojanized installer for a real product carries a veneer of legitimacy. Technical analysis shows that the malware the installer delivers is written in AutoIt, a scripting language frequently used by malware authors to automate tasks and evade basic signature-based detection.

Upon execution, the malware establishes persistence and connects to its C2 server for instructions. Its primary objective is theft of financial credentials: it monitors for activity related to 59 different banking, fintech and cryptocurrency platforms. When the user opens a targeted site, the malware performs an overlay attack, drawing a fake window that mimics the bank's login interface on top of the real one, to capture usernames, passwords and two-factor authentication (2FA) codes in real time.

Mechanism of Self-Propagation and Data Exfiltration

What distinguishes TCLBanker from a standard banking trojan is its automated propagation module. Once a system is infected, the malware checks for the WhatsApp and Outlook desktop applications and then uses the victim's own accounts to send malicious links or files to their contacts. Because recipients are far more likely to trust a file from a known colleague or friend, this spread within an organization or among trusted contacts raises the campaign's success rate considerably.

Detecting and Preventing WhatsApp and Outlook Malware Propagation

Security teams should focus on the specific behaviors this threat exhibits. To detect a TCLBanker infection, SOC analysts should look for AutoIt interpreters or compiled AutoIt scripts executing from temporary directories, and for MSI installers whose hashes do not match the organization's approved-software baseline. SIEM rules should also flag unusual spikes in outbound messages from desktop messaging and mail clients, which can indicate an active worm-like propagation event.
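To make those three indicators concrete, here is an added example, not code from the original article, from Bleeping Computer or from any vendor, of a small Python hunt script that applies them to constructed, Sysmon-style endpoint telemetry. The event schema (process events, an MSI-install event carrying the package hash, and outbound-message audit events from desktop clients), the AutoIt3.exe interpreter name, every path, hash and user, and the threshold of 20 messages in 5 minutes are assumptions made for illustration.

```python
"""Hunt for the TCLBanker behaviours described above in endpoint telemetry.

Added example, not the article's or any vendor's code. The event schema and
every path, hash, user and threshold below are constructed for illustration.
"""
import hashlib
import ntpath
from collections import defaultdict
from datetime import datetime, timedelta

# Hash baseline of MSI packages the organisation has approved. Constructed:
# hashing a placeholder byte string stands in for a real package hash.
APPROVED_MSI_SHA256 = {hashlib.sha256(b"approved-internal-package-v1").hexdigest()}

# Path fragments (lower-cased, backslash-separated) that mark a temp directory.
TEMP_MARKERS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")
# Assumed interpreter names; .a3x is the compiled-script extension AutoIt uses.
AUTOIT_NAMES = ("autoit3.exe", "autoit3_x64.exe")


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def is_autoit_from_temp(ev):
    """Rule 1: an AutoIt interpreter or compiled script launched from a temp directory."""
    if ev["type"] != "process":
        return False
    image = ev["image"].lower()
    cmdline = ev.get("cmdline", "").lower()
    looks_autoit = ntpath.basename(image) in AUTOIT_NAMES or ".a3x" in cmdline
    from_temp = any(m in image or m in cmdline for m in TEMP_MARKERS)
    return looks_autoit and from_temp


def is_unbaselined_msi(ev, baseline=APPROVED_MSI_SHA256):
    """Rule 2: an MSI package installed whose SHA-256 is not on the approved baseline."""
    return ev["type"] == "msi_install" and ev["sha256"].lower() not in baseline


def messaging_spikes(events, window=timedelta(minutes=5), threshold=20):
    """Rule 3: more than `threshold` outbound messages from one user+client within `window`.

    A sliding window over each user's sorted send times catches bursts that
    straddle a fixed bucket boundary, which per-minute counters would miss.
    """
    sends = defaultdict(list)
    for ev in events:
        if ev["type"] == "message" and ev.get("direction") == "out":
            sends[(ev["user"], ev["client"])].append(parse_ts(ev["ts"]))
    findings = []
    for (user, client), stamps in sends.items():
        stamps.sort()
        start = 0
        for end, t in enumerate(stamps):
            while t - stamps[start] > window:
                start += 1
            count = end - start + 1
            if count > threshold:
                findings.append({"rule": "messaging_spike", "user": user,
                                 "ts": stamps[start].isoformat(),
                                 "detail": f"{count} outbound {client} messages within {window}"})
                break  # one finding per user/client is enough for triage
    return findings


def hunt(events, baseline=APPROVED_MSI_SHA256):
    """Run all three rules and return a list of findings for the SOC queue."""
    findings = []
    for ev in events:
        if is_autoit_from_temp(ev):
            findings.append({"rule": "autoit_from_temp", "user": ev["user"],
                             "ts": ev["ts"], "detail": ev["image"]})
        if is_unbaselined_msi(ev, baseline):
            findings.append({"rule": "unbaselined_msi", "user": ev["user"],
                             "ts": ev["ts"], "detail": ev["package"]})
    findings.extend(messaging_spikes(events))
    return findings


# Constructed sample telemetry: alice installs the lookalike package and an
# AutoIt interpreter then runs from her temp directory; bob's activity is benign.
SAMPLE_EVENTS = [
    {"ts": "2026-05-07T09:00:01Z", "type": "msi_install", "user": "alice",
     "package": r"C:\Users\alice\Downloads\Logitech_AI_Prompt_Builder.msi",
     "sha256": hashlib.sha256(b"constructed-trojanized-package").hexdigest()},
    {"ts": "2026-05-07T09:00:04Z", "type": "process", "user": "alice",
     "image": r"C:\Users\alice\AppData\Local\Temp\AutoIt3.exe",
     "cmdline": r"AutoIt3.exe C:\Users\alice\AppData\Local\Temp\upd.a3x"},
    {"ts": "2026-05-07T09:05:00Z", "type": "msi_install", "user": "bob",
     "package": r"\\fileserver\software\approved-tool.msi",
     "sha256": hashlib.sha256(b"approved-internal-package-v1").hexdigest()},
    {"ts": "2026-05-07T09:05:30Z", "type": "process", "user": "bob",
     "image": r"C:\Program Files\7-Zip\7zG.exe", "cmdline": "7zG.exe"},
    {"ts": "2026-05-07T09:06:00Z", "type": "message", "user": "bob",
     "client": "Outlook", "direction": "out"},
]
# Constructed burst: alice's hijacked client sends 30 WhatsApp messages in 90 seconds.
SAMPLE_EVENTS += [
    {"ts": f"2026-05-07T09:0{1 + i // 60}:{i % 60:02d}Z", "type": "message",
     "user": "alice", "client": "WhatsApp", "direction": "out"}
    for i in range(0, 90, 3)
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f['rule']}] {f['ts']} user={f['user']} {f['detail']}")
```

Two caveats before wiring this into a real SIEM. The message threshold has to be tuned against the organization's own baseline, since some roles legitimately send bursts; and the MSI rule needs a telemetry source that actually hashes the package file (file-creation or installer audit events), because a Sysmon process-creation event hashes the msiexec.exe image, not the package it installs.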

Alongside propagation, TCLBanker exfiltrates system metadata, including the IP address, OS version and a list of installed security software. This lets the attackers tailor later stages of the attack or sell the access on to other APT groups or ransomware operators.

Mitigation and Defense Strategies

Defenders should take a layered approach to preventing WhatsApp and Outlook propagation and neutralizing TCLBanker. Because the malware depends on local execution of an MSI file, application allowlisting and strict software execution policies are the most effective barriers.

  • Software Verification: Allow installation only from verified internal repositories, and block the known hashes of the trojanized Logitech AI Prompt Builder installers.
  • Endpoint Protection: Deploy EDR with behavioral monitoring. TCLBanker's AutoIt execution and overlay injection map to MITRE ATT&CK techniques that behavioral detections commonly cover.
  • Communication Security: Train employees to stay vigilant even with files from trusted contacts via WhatsApp or Outlook. Any unexpected file, especially an installer or executable, should be verified over a secondary channel before it is opened.
  • Network Segmentation: Limit infected endpoints' ability to reach known malicious C2 infrastructure by consuming threat intelligence feeds that track TCLBanker's evolving domain list.
