Full Report
Threat hunters have flagged a previously undocumented Brazilian banking trojan dubbed TCLBANKER that's capable of targeting 59 banking, fintech, and cryptocurrency platforms. The activity is being tracked by Elastic Security Labs under the moniker REF3076. The malware family is assessed to be a major update of Maverick, which is known to leverage a worm called SORVEPOTEL to spread via
Analysis Summary
# Tool/Technique: TCLBANKER (REF3076)
## Overview
TCLBANKER is a sophisticated Brazilian banking trojan and a major evolution of the "Maverick" malware family. It is designed to target 59 different financial, fintech, and cryptocurrency platforms. Its primary goal is financial theft through credential harvesting, social engineering, and remote system control, utilizing a secondary worm component to spread via social media and email.
## Technical Details
- **Type**: Malware family (Banking Trojan)
- **Platform**: Windows (Targeting Brazilian Portuguese speakers)
- **Capabilities**: Anti-analysis, DLL side-loading, persistence, screen/keyboard manipulation, UI Automation monitoring, and automated self-propagation.
- **First Seen**: Reported May 2026 (Assessed as an update to 2025 Maverick variants).
## MITRE ATT&CK Mapping
- **TA0001 - Initial Access**
  - T1566.002 - Phishing: Spearphishing Link (via WhatsApp/Outlook)
- **TA0002 - Execution**
  - T1204.002 - User Execution: Malicious File
  - T1059.003 - Command and Scripting Interpreter: Windows Command Shell
- **TA0003 - Persistence**
  - T1053.005 - Scheduled Task/Job: Scheduled Task
- **TA0005 - Defense Evasion**
  - T1574.002 - Hijack Execution Flow: DLL Side-Loading
  - T1497 - Virtualization/Sandbox Evasion
  - T1127 - Trusted Developer Utilities Proxy Execution (Logi AI Prompt Builder)
  - T1562.001 - Impair Defenses: Disable or Modify Tools (ETW disabling/un-hooking `ntdll.dll`)
- **TA0007 - Discovery**
  - T1010 - Application Window Discovery
  - T1082 - System Information Discovery
- **TA0009 - Collection**
  - T1113 - Screen Capture
  - T1056.001 - Input Capture: Keylogging
- **TA0011 - Command and Control**
  - T1071.001 - Application Layer Protocol: Web Protocols (HTTP/WebSockets)
## Functionality
### Core Capabilities
- **DLL Side-Loading**: Abuses a signed Logitech executable (`logiaipromptbuilder.exe`) to load the malicious `screen_retriever_plugin.dll`.
- **Advanced Environment Fingerprinting**: Generates system-specific hashes based on disk info and language. If debugging or virtualization is detected, the decryption key for the final payload fails to generate.
- **Financial Monitoring**: Uses Windows UI Automation to scrape URLs from active browser address bars (Chrome, Firefox, Edge, etc.) to detect when a victim visits a targeted bank.
- **Remote Access (RAT)**: Features full C2 integration for shell commands, file management, and process enumeration.
### Advanced Features
- **Watchdog Subsystem**: Continuously scans for AV, sandboxes, and reverse engineering tools (debuggers/disassemblers).
- **Anti-Telemetry**: Disables Event Tracing for Windows (ETW) and replaces `ntdll.dll` in memory to remove security software hooks.
- **WPF Overlay Framework**: Displays high-quality, full-screen fake overlays (Windows Updates, credential prompts) that are specifically coded to be invisible to legitimate screen-sharing/capture tools.
- **Worm Module (SORVEPOTEL)**:
  - **WhatsApp Web**: Uses WPPConnect to hijack browser sessions and message contacts.
  - **Outlook Bot**: Abuses the local Outlook client to blast phishing emails.
## Indicators of Compromise
- **File Hashes**:
  - Malicious DLL: `screen_retriever_plugin.dll` (specific hashes not provided in text)
- **File Names**:
  - `logiaipromptbuilder.exe` (legitimate but abused)
  - `tclloader.exe`
  - `screen_retriever_plugin.dll`
- **Network Indicators**:
  - Communication via HTTP POST and WebSockets (C2 domains are dynamic; examples defanged: `hxxp[://]example-c2[.]com`)
- **Behavioral Indicators**:
  - Execution of MSI installers bundled in ZIP files.
  - Creation of Scheduled Tasks for persistence.
  - Unexpected network connections from signed Logitech binaries.
## Associated Threat Actors
- **Water Saci** (as categorized by Trend Micro)
- **REF3076** (Elastic Security Labs tracking moniker)
## Detection Methods
- **Behavioral Detection**: Monitor for signed applications (like Logi AI) loading unsigned DLLs from unusual directories.
- **System Monitoring**: Watch for the disabling of ETW providers or the overwriting of `ntdll.dll` in memory.
- **Network Defense**: Alert on WebSocket connections originating from common productivity apps to unknown external IPs.
- **UI Automation**: Monitor for unauthorized processes attempting to use UI Automation APIs to read browser address bars.
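As an added example (not code from Elastic's report or from this page), the following Python sketch implements the first two detection bullets as a rule over Sysmon-style image-load events: it flags a process loading an unsigned DLL from a user-writable directory, and raises the severity when the loading process is the Logitech binary named in the report. The event field names, the set of user-writable path prefixes, and the sample events are assumptions constructed for illustration.

```python
"""Detection rule for the side-loading pattern described above: an unsigned DLL
loaded from a user-writable directory, escalated when the loader is the abused
signed Logitech executable. Events mimic Sysmon Event ID 7 fields (assumption)."""
import re

# Assumed set of user-writable locations; extend to match the environment.
USER_WRITABLE = (
    r"\\Users\\[^\\]+\\AppData\\",
    r"\\Users\\[^\\]+\\Downloads\\",
    r"\\Users\\Public\\",
    r"\\Windows\\Temp\\",
)
# Signed binary the report says is abused as the side-loading host.
WATCHED_LOADERS = {"logiaipromptbuilder.exe"}

# Constructed sample telemetry, not real events.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\ana\AppData\Local\LogiAI\logiaipromptbuilder.exe",
     "ImageLoaded": r"C:\Users\ana\AppData\Local\LogiAI\screen_retriever_plugin.dll",
     "Signed": "false", "Signature": ""},
    {"Image": r"C:\Program Files\Logitech\LogiAI\logiaipromptbuilder.exe",
     "ImageLoaded": r"C:\Program Files\Logitech\LogiAI\screen_retriever_plugin.dll",
     "Signed": "true", "Signature": "Logitech Inc"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Users\ana\AppData\Local\Temp\helper.dll",
     "Signed": "false", "Signature": ""},
]


def in_user_writable(path):
    """True if the path lies under one of the assumed user-writable prefixes."""
    return any(re.search(p, path, re.IGNORECASE) for p in USER_WRITABLE)


def classify(event):
    """Return 'high', 'medium', or None for a single image-load event."""
    loader = event["Image"].rsplit("\\", 1)[-1].lower()
    unsigned = event.get("Signed", "").lower() != "true"
    if not (unsigned and in_user_writable(event["ImageLoaded"])):
        return None          # signed DLL or trusted location: no alert
    if loader in WATCHED_LOADERS:
        return "high"        # exact pattern from the report
    return "medium"          # generic unsigned DLL from a user-writable directory


def find_sideloading(events):
    """Return (severity, loader, dll) tuples for every alerting event."""
    hits = []
    for e in events:
        sev = classify(e)
        if sev:
            hits.append((sev, e["Image"], e["ImageLoaded"]))
    return hits
```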
## Mitigation Strategies
- **Application Whitelisting**: Restrict execution of unapproved MSI files and prevent DLL loading from user-writable directories (e.g., AppData).
- **Hardening**: Use EDR solutions that can detect and prevent user-mode hook bypasses (such as in-memory replacement of `ntdll.dll`).
- **User Training**: Educate users on the risks of unsolicited links received via WhatsApp or Outlook, even from known contacts.
- **Language-based Policies**: For global organizations, monitor for systems whose language is unexpectedly set to Brazilian Portuguese in environments where that is not the norm.
## Related Tools/Techniques
- **Maverick**: The predecessor malware family.
- **SORVEPOTEL**: The worm component used for propagation.
- **WPPConnect**: Open-source project used for WhatsApp automation.
- **Coyote Malware**: Another Brazilian trojan using similar UI Automation techniques.