
TCLBANKER: Brazilian Banking Trojan Spreading via WhatsApp and Outlook

Elastic Security Labs, 06/05/2026, 13:37

Summary

AI-Generated

Key Points:

  • A new Brazilian banking trojan, TCLBANKER, is spreading via WhatsApp and Outlook, leveraging advanced anti-analysis techniques and self-propagation modules.
  • The trojan targets 59 Brazilian banking and fintech domains, using a full-screen overlay for social engineering and credential harvesting, while also hijacking victims' WhatsApp sessions to distribute malware to contacts.
  • Immediate actions include monitoring for suspicious email activity, implementing endpoint detection and response (EDR) solutions, and educating users about phishing tactics.

Technical Details: TCLBANKER uses DLL sideloading against a legitimate Logitech application to load its malicious payload. It performs environment checks to avoid executing in sandbox environments and establishes a WebSocket C2 session when the victim navigates to one of the targeted domains.

MITRE ATT&CK Techniques:

  • T1566.001 - Phishing: Spearphishing Attachment (Initial Access)
  • T1203 - Exploit Public-Facing Application (Initial Access)
  • T1055.001 - Process Injection: DLL Injection (Execution)
  • T1071.001 - Application Layer Protocol: Web Protocols (Command and Control)
  • T1046 - Network Service Discovery (Discovery)
  • T1070.001 - Indicator Removal on Host: File Deletion (Defense Evasion)

IOCs Mentioned:

  • Domains: campanha1-api.ef971a42.workers[.]dev, mxtestacionamentos[.]com, arquivos-omie[.]com
  • SHA256 Hashes: 701d51b7be8b034c860bf97847bd59a87dca8481c4625328813746964995b626, 8a174aa70a4396547045aef6c69eb0259bae1706880f4375af71085eeb537059
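As an added example (not code from the article or from Elastic Security Labs), a small Python triage helper that refangs the indicators listed above and matches them against constructed DNS and file-hash log lines; the log format and every value other than the listed indicators are assumptions.

```python
from typing import Iterable, Optional

# Indicators copied from the summary, kept in their defanged form.
DEFANGED_DOMAINS = [
    "campanha1-api.ef971a42.workers[.]dev",
    "mxtestacionamentos[.]com",
    "arquivos-omie[.]com",
]
SHA256_IOCS = {
    "701d51b7be8b034c860bf97847bd59a87dca8481c4625328813746964995b626",
    "8a174aa70a4396547045aef6c69eb0259bae1706880f4375af71085eeb537059",
}

def refang(indicator: str) -> str:
    """Turn the defanged '[.]' / 'hxxp' notation back into a matchable value."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").lower().rstrip(".")

IOC_DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}

def domain_matches(query: str) -> Optional[str]:
    """Return the IOC that `query` equals or is a subdomain of, else None.
    Suffix matching requires a label boundary, so 'notarquivos-omie.com' is not a hit."""
    q = query.lower().rstrip(".")  # tolerate trailing-dot FQDNs from resolvers
    for ioc in IOC_DOMAINS:
        if q == ioc or q.endswith("." + ioc):
            return ioc
    return None

# Constructed sample telemetry in an assumed "<ts> <client> <kind> <value>" shape.
SAMPLE_LOG = """\
2026-05-06T13:01:02Z 10.0.0.21 dns www.example.com
2026-05-06T13:01:09Z 10.0.0.21 dns campanha1-api.ef971a42.workers.dev
2026-05-06T13:02:15Z 10.0.0.33 dns cdn.arquivos-omie.com.
2026-05-06T13:02:40Z 10.0.0.33 sha256 8A174AA70A4396547045AEF6C69EB0259BAE1706880F4375AF71085EEB537059
2026-05-06T13:03:01Z 10.0.0.40 dns notarquivos-omie.com
2026-05-06T13:03:30Z 10.0.0.40 dns other-tenant.workers.dev
"""

def scan(lines: Iterable[str]) -> list:
    """Return (timestamp, client, matched_ioc) tuples for lines hitting a domain or hash IOC."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed or empty lines
        ts, client, kind, value = parts
        if kind == "dns" and (m := domain_matches(value)):
            hits.append((ts, client, m))
        elif kind == "sha256" and value.lower() in SHA256_IOCS:
            hits.append((ts, client, value.lower()))
    return hits
```

Only the specific `workers.dev` subdomain is treated as an indicator; unrelated tenants on the same shared platform are not flagged.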

This summary highlights the significant threat posed by TCLBANKER, emphasizing the need for proactive measures against its sophisticated tactics.
