TCLBanker turns WhatsApp Web and Outlook into a banking-trojan worm
Elastic Security Labs documents a Brazilian banking trojan that hijacks WhatsApp Web and Outlook to spread itself, with WPF overlays mimicking 59 banking and crypto platforms.
Elastic Security Labs has published research on a new Brazilian banking trojan it calls TCLBanker — assessed as “a major evolution of the older Maverick/Sorvepotel malware family”. The novel piece is not the banking-overlay code, which is sophisticated but recognisable as LATAM-banking-trojan craft. The novel piece is how it propagates. TCLBanker uses both WhatsApp Web and Microsoft Outlook as worm-style spreading channels, hijacking the victim’s authenticated session in each and using it to push links to the malicious installer to everyone in the address book.
Initial access is a trojanised MSI installer for Logitech AI Prompt Builder. Once installed, the malicious DLL is side-loaded into the legitimate, signed Logitech application — which means the running process is the genuine vendor binary, with the malicious code injected into its address space. From an EDR perspective tuned to inherit trust from signed parent processes, that is a meaningful piece of cover.
The banking-trojan side of the malware does what serious LATAM banking malware has done for half a decade, only with better engineering. A monitoring routine watches the active browser address bar every second using the Windows UI Automation API. When the victim navigates to one of 59 targeted banking, fintech or cryptocurrency platforms, TCLBanker opens a WebSocket session to its command-and-control server and hands operator control to the attacker in real time. From there, an extensive WPF-based overlay system can paint fake credential prompts, fake PIN keypads, fake phone-number entry forms, fake “bank support” waiting screens and fake Windows Update screens directly over the real application. There are also “cutout” overlays that mask portions of the genuine app while leaving the rest visible — a more deceptive approach than full-screen fakes. Task Manager is suppressed during active operator sessions.
The self-spreading code is the bit defenders need to internalise. For WhatsApp, the malware reads the Chromium WhatsApp Web IndexedDB session data from the victim’s browser profile, then launches a hidden Chromium instance that uses those cookies to hijack the account. It harvests contacts, filters for Brazilian phone numbers, and spams them with download links pointing back to the trojanised installer. For Outlook, it abuses COM automation — the same scripting interface IT teams have used legitimately for two decades — to launch the desktop client, enumerate contacts and recent senders, and send phishing emails from the victim’s own account. A message about a new banking trojan delivered from a colleague’s real Outlook address is going to land very differently from one delivered through a generic spoof.
Anti-analysis is unusually thorough. Payload decryption is keyed to the victim’s environment — timezone, keyboard layout, locale — so the malware fails to unpack in sandboxes and reverse-engineering setups. A persistent watchdog thread hunts continuously for x64dbg, IDA, dnSpy, Frida, ProcessHacker, Ghidra and de4dot. Elastic notes that some of the code artefacts suggest AI may have been used in development.
Three things worth pulling out for defenders. First, WhatsApp Web is now a banking-malware propagation channel on corporate-managed endpoints. Plenty of organisations have a policy that says “WhatsApp is personal, leave it alone” — that policy does not survive contact with a worm that uses WhatsApp as its primary spreading mechanism. The argument for either blocking WhatsApp Web at the browser or moving the conversation about messengers into formal IT scope just got materially stronger.
Second, signed-parent-process trust is the side-loading payoff. The malicious code runs inside the address space of a legitimate, signed Logitech binary. EDR rules that lean on parent-process reputation will not light up. Worth hunting across the estate for known DLL-sideloading targets — Logitech, Acrobat, OneDrive, Defender — and tightening behavioural rules on what those processes are allowed to load.
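As an added example (not code from the Elastic report or the TCLBanker analysis), the hunt described above can be scripted: for each running process whose main image is Authenticode-signed, list loaded DLLs outside the Windows directory that are unsigned or carry a different publisher than the host EXE. The default `'Logi*'` process filter and the Microsoft-signer allowlist are assumptions; widen them for your estate.

```powershell
# Added hunting script (not part of the Elastic report). Flags non-OS DLLs inside
# signed processes whose signer differs from the host EXE, the side-loading pattern
# described above. Process filter 'Logi*' is an assumption; run elevated for full view.
param([string]$ProcessFilter = 'Logi*')

$sigCache = @{}
function Get-SignerName {
    param([string]$Path)
    if (-not $sigCache.ContainsKey($Path)) {
        $sig = Get-AuthenticodeSignature -FilePath $Path -ErrorAction SilentlyContinue
        $sigCache[$Path] = if ($sig.Status -eq 'Valid') { $sig.SignerCertificate.Subject } else { $null }
    }
    return $sigCache[$Path]
}

$windir = [regex]::Escape($env:WINDIR)
$findings = foreach ($proc in Get-Process -Name $ProcessFilter -ErrorAction SilentlyContinue) {
    $exe = $proc.Path
    if (-not $exe) { continue }                          # protected process, no access
    $hostSigner = Get-SignerName $exe
    if (-not $hostSigner) { continue }                   # only signed hosts matter here

    # Module list can be unreadable for WOW64 or protected processes; skip quietly.
    $modules = try { $proc.Modules } catch { @() }
    foreach ($m in $modules) {
        $path = $m.FileName
        if (-not $path -or $path -match "^$windir\\") { continue }    # skip OS DLLs
        if ($path -ieq $exe) { continue }
        $modSigner = Get-SignerName $path
        if ($modSigner -eq $hostSigner) { continue }                  # same vendor: expected
        if ($modSigner -match 'O=Microsoft Corporation') { continue } # assumed allowlist (runtimes)
        [pscustomobject]@{
            Process    = $proc.ProcessName
            PID        = $proc.Id
            HostSigner = $hostSigner
            Module     = $path
            ModSigner  = if ($modSigner) { $modSigner } else { 'UNSIGNED / INVALID' }
        }
    }
}
$findings | Sort-Object Process, Module | Format-Table -AutoSize
```

A hit is a lead, not a verdict: compare the flagged module's path and hash against the vendor's install manifest before escalating.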
Third, Brazilian today, regional tomorrow. The Maverick/Sorvepotel/Grandoreiro lineage routinely broadens beyond Brazil into Spain, Mexico and Portugal, and from there into Iberian-language customer bases in Western Europe. The locale check is country-specific. The WhatsApp and Outlook self-spread is not.