TCLBANKER Banking Trojan Targets 59 Financial Platforms via WhatsApp, Outlook Worms

The Hacker News reports on a newly identified Brazilian banking trojan, TCLBANKER, which is actively targeting 59 distinct banking, fintech, and cryptocurrency platforms. Elastic Security Labs is tracking this activity under the moniker REF3076. This isn’t some minor variant; The Hacker News indicates TCLBANKER is a significant evolution of the Maverick malware family.

What makes TCLBANKER particularly nasty is its propagation method. According to The Hacker News, it leverages a worm, previously known as SORVEPOTEL, to spread aggressively. This worm utilizes both WhatsApp and Outlook, turning user communication channels into infection vectors. This means the threat isn’t just about direct compromises but also about lateral movement through trusted social and business platforms.

This isn’t just a Brazilian problem. While the origin is noted, banking trojans like this quickly go global, especially when they hit cryptocurrency platforms. Defenders need to recognize that the attacker’s calculus here is pure financial gain, and they’re willing to weaponize everyday communication tools to get it. This puts the onus on user education and robust endpoint protection.

What This Means For You

  • If your organization operates in banking, fintech, or cryptocurrency, you are a direct target. Immediately reinforce user awareness campaigns against suspicious links and attachments, particularly those arriving via WhatsApp and Outlook. Review your endpoint detection and response (EDR) telemetry for any signs of SORVEPOTEL worm activity or unusual process execution related to communication apps. This isn't a future threat; it's active now.
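The telemetry review suggested above, as an added example that is not part of the original report: a small scanner that runs over Sysmon-style process-creation events (constructed sample lines, not real telemetry) and flags cases where a mail or chat client such as Outlook or WhatsApp directly spawns a script or shell interpreter. The parent image names and the list of suspicious child processes are assumptions chosen for illustration, not indicators taken from the advisory.

```python
import json

# Assumption: desktop client binaries of the communication apps named in the report.
COMM_APPS = {"outlook.exe", "whatsapp.exe"}
# Assumption: interpreters and LOLBins that a mail/chat client should rarely launch directly.
SUSPICIOUS_CHILDREN = {
    "powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe",
    "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe",
}

# Constructed sample events in a Sysmon-like JSON-lines shape (not real data).
SAMPLE_EVENTS = [
    '{"host":"ws01","ParentImage":"C:\\\\Program Files\\\\Microsoft Office\\\\root\\\\Office16\\\\OUTLOOK.EXE",'
    '"Image":"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe",'
    '"CommandLine":"powershell -w hidden -enc AAAA"}',
    '{"host":"ws02","ParentImage":"C:\\\\Users\\\\u\\\\AppData\\\\Local\\\\WhatsApp\\\\WhatsApp.exe",'
    '"Image":"C:\\\\Windows\\\\System32\\\\wscript.exe","CommandLine":"wscript invoice.vbs"}',
    '{"host":"ws03","ParentImage":"C:\\\\Program Files\\\\Microsoft Office\\\\root\\\\Office16\\\\OUTLOOK.EXE",'
    '"Image":"C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe","CommandLine":"chrome https://x"}',
    '{"host":"ws04","ParentImage":"C:\\\\Windows\\\\explorer.exe",'
    '"Image":"C:\\\\Windows\\\\System32\\\\cmd.exe","CommandLine":"cmd /c dir"}',
    'not valid json',  # malformed line: must be skipped, not crash the scan
]


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def flag_event(event: dict):
    """Return a finding dict if a communication app spawned a suspicious child, else None."""
    parent = basename(event.get("ParentImage", ""))
    child = basename(event.get("Image", ""))
    if parent in COMM_APPS and child in SUSPICIOUS_CHILDREN:
        return {"host": event.get("host", "?"), "parent": parent, "child": child,
                "cmdline": event.get("CommandLine", "")}
    return None


def scan(lines):
    """Parse JSON-lines events, skip unparsable ones, and collect findings in input order."""
    hits = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        hit = flag_event(event)
        if hit:
            hits.append(hit)
    return hits


if __name__ == "__main__":
    for h in scan(SAMPLE_EVENTS):
        print(f"[{h['host']}] {h['parent']} -> {h['child']}: {h['cmdline']}")
```

Feed it your EDR's process-creation export in the same field shape, then triage each hit against the command line and the user who launched the client.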

Related ATT&CK Techniques

Indicators of Compromise

ID      | Type                        | Indicator
REF3076 | Banking Trojan              | TCLBANKER malware family
REF3076 | Malware Spreading Mechanism | WhatsApp worm
REF3076 | Malware Spreading Mechanism | Outlook worm
REF3076 | Malware Family              | Maverick (predecessor to TCLBANKER)
REF3076 | Malware Component           | SORVEPOTEL worm
