TCLBANKER: A New Brazilian Banking Trojan Spreading via Email and Messaging Apps
A previously undocumented banking trojan, TCLBANKER, targets users of 59 banking, fintech and cryptocurrency platforms. Elastic Security Labs tracks the activity as REF3076 and assesses the malware to be a major update of the earlier Maverick banking trojan. It spreads with a worm component, SORVEPOTEL, that abuses the victim's WhatsApp and Outlook contacts. The questions below cover what has been reported so far.
What is the TCLBANKER banking trojan?
TCLBANKER is a previously undocumented Brazilian banking trojan first reported by Elastic Security Labs. It steals financial data for 59 distinct platforms spanning traditional banks, fintech applications and cryptocurrency services. Elastic assesses it as a significant upgrade of the earlier Maverick trojan, with stronger evasion techniques and a more modular structure. Its goal is credential theft and session hijacking so that the operators can drain accounts. The worm component, SORVEPOTEL, lets the malware spread on its own from each infected machine, which makes it especially dangerous for organizations that depend on WhatsApp and Outlook for day-to-day communication.

How does TCLBANKER spread through WhatsApp and Outlook?
Propagation is handled by the SORVEPOTEL worm. On WhatsApp it reads the victim's contact list and sends malicious links or attachments to those contacts, typically disguised as urgent messages such as payment confirmations or security alerts. Through Outlook it harvests email addresses and sends phishing emails carrying the same payload. The lure arrives from a colleague or friend the recipient already trusts, so it is far more likely to be opened than a message from a stranger. Each recipient who opens the payload is infected and becomes a new sender, producing a self-sustaining infection chain that can move through an organization's contacts quickly.
Which financial platforms does TCLBANKER target?
According to Elastic Security Labs, TCLBANKER targets 59 distinct banking, fintech and cryptocurrency platforms. The list includes major Brazilian banks, global fintech apps such as PayPal and digital wallets, and cryptocurrency exchanges such as Binance and Coinbase. The malware tailors its behaviour to the platform: it overlays fake login screens on banking apps to capture credentials, and it intercepts two-factor authentication tokens for crypto services. The target list is delivered dynamically, so the operators can add platforms without recompiling the malware. That breadth makes it a threat to individual users and financial institutions alike.
How is TCLBANKER related to the Maverick trojan?
Elastic Security Labs assesses that TCLBANKER is a major update of the older Maverick banking trojan. Maverick was known for using the SORVEPOTEL worm to spread via removable drives and network shares; TCLBANKER keeps the worm but turns it on WhatsApp and Outlook. The new variant also improves its code obfuscation, anti-analysis techniques and command-and-control infrastructure, and it widens its targeting from Brazilian banks to fintech and cryptocurrency platforms worldwide. Tracking this lineage helps defenders anticipate the next iteration.

Which security team identified TCLBANKER and what is REF3076?
Elastic Security Labs, the threat research team within Elastic (the company behind the Elastic Stack, ELK), identified TCLBANKER and tracks the activity as REF3076. REF identifiers are Elastic's internal case numbers for grouping an investigation: REF3076 covers the discovery of TCLBANKER, the analysis of its code and the monitoring of its spread, and gives other security vendors a stable handle when technical details are shared. The researchers note that the malware's Brazilian origin and Portuguese-language comments point to developers based in Brazil.
What makes TCLBANKER particularly dangerous for users?
TCLBANKER is dangerous because it combines three things: a broad target list, self-propagation over trusted channels, and advanced evasion. Where most banking trojans depend on a phishing email from a stranger, TCLBANKER arrives from a contact the recipient already knows, over WhatsApp or Outlook, so a single infection can compromise an organization's entire messaging ecosystem. The operators keep updating the malware to bypass security software, using polymorphic code and encryption. Victims often learn that their credentials were stolen only when money moves, and because cryptocurrency transfers are irreversible, funds taken from crypto accounts are rarely recovered.
What preventive measures can users take against TCLBANKER?
Defending against TCLBANKER and similar threats takes several layers. First, enable two-factor authentication (2FA) on every financial account, preferably with hardware tokens or an authenticator app rather than SMS. Second, treat links in WhatsApp messages and Outlook emails with suspicion even when they come from known contacts, and verify unexpected requests over a separate channel. Third, keep operating systems, browsers and security software up to date. Organizations should add email filtering and messaging-gateway controls that block malicious attachments and URLs, and should watch for one account suddenly sending the same link to many contacts, since that is how the worm spreads. Restrict application permissions on mobile devices, because TCLBANKER requests more access than a legitimate app needs. Finally, train employees and family members to recognize the social-engineering lures SORVEPOTEL uses, and keep backups and an incident response plan ready so that an infection can be contained and recovered from.
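A defender-side check for the fan-out behaviour described in the propagation answer above (one compromised account pushing the same lure to many contacts within minutes), which also backs the messaging-gateway recommendation in the last answer. This is an added example, not code from Elastic Security Labs or the REF3076 report: the log format, hostnames, thresholds and sample records are constructed for illustration and are not indicators from the campaign.

```python
"""Flag worm-like fan-out in outbound messaging logs.

Added example (not part of the REF3076 research). Given outbound message
records from a mail or messaging gateway, raise one alert per sender/lure
pair that reached many distinct recipients inside a short window, which is
the signature of a SORVEPOTEL-style burst. Everything below (format, hosts,
thresholds, sample data) is a constructed assumption for the demonstration.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

WINDOW = timedelta(minutes=5)   # assumed: humans rarely hit 5+ contacts this fast
MIN_RECIPIENTS = 5              # assumed: distinct contacts receiving one lure

# Constructed sample records: "timestamp sender recipient url" (placeholder hosts).
SAMPLE_LOG = """\
2025-11-03T09:00:02Z alice@corp.example bob@corp.example https://pay-confirm.example/doc.zip
2025-11-03T09:00:03Z alice@corp.example carol@corp.example https://pay-confirm.example/doc.zip
2025-11-03T09:00:05Z alice@corp.example dave@corp.example https://pay-confirm.example/doc.zip?u=2
2025-11-03T09:00:07Z alice@corp.example erin@corp.example https://pay-confirm.example/doc.zip
2025-11-03T09:00:09Z alice@corp.example frank@corp.example https://pay-confirm.example/doc.zip
2025-11-03T09:00:11Z alice@corp.example grace@corp.example https://pay-confirm.example/doc.zip
2025-11-03T09:30:00Z bob@corp.example alice@corp.example https://intranet.corp.example/report.pdf
2025-11-03T10:00:00Z carol@corp.example dave@corp.example https://docs.corp.example/minutes.docx
2025-11-03T14:00:00Z dave@corp.example erin@corp.example https://pay-confirm.example/doc.zip
"""


def parse_log(text):
    """Parse the constructed space-separated records into dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sender, recipient, url = line.split()
        records.append({
            "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "sender": sender.lower(),
            "recipient": recipient.lower(),
            "url": url,
        })
    return records


def normalize_url(url):
    """Collapse a lure to scheme://host/path so per-recipient tracking
    parameters (e.g. ?u=2) do not split one campaign into many keys."""
    p = urlparse(url)
    return f"{p.scheme}://{p.netloc.lower()}{p.path}"


def detect_fanout(records, window=WINDOW, min_recipients=MIN_RECIPIENTS,
                  trusted_hosts=()):
    """Return one alert per (sender, lure) whose sends reached at least
    min_recipients distinct recipients within any span of length window."""
    by_key = defaultdict(list)
    for r in records:
        if urlparse(r["url"]).netloc.lower() in trusted_hosts:
            continue  # links to allow-listed internal hosts are not lures
        key = (r["sender"], normalize_url(r["url"]))
        by_key[key].append((r["ts"], r["recipient"]))

    alerts = []
    for (sender, lure), sends in by_key.items():
        sends.sort()
        for i, (start, _) in enumerate(sends):
            hit = {rcpt for ts, rcpt in sends[i:] if ts - start <= window}
            if len(hit) >= min_recipients:
                alerts.append({"sender": sender, "lure": lure,
                               "recipients": sorted(hit), "first_seen": start})
                break  # one alert per sender/lure pair is enough
    return alerts


if __name__ == "__main__":
    internal = {"intranet.corp.example", "docs.corp.example"}
    for a in detect_fanout(parse_log(SAMPLE_LOG), trusted_hosts=internal):
        print(f"{a['sender']} sent {a['lure']} to {len(a['recipients'])} "
              f"contacts within {WINDOW} starting {a['first_seen']}")
```

Only alice's burst trips the rule: six distinct recipients received the same lure in nine seconds, while the stray send from dave hours later stays below the threshold. Tune the window and recipient count to the organization's normal traffic, and feed the alert into the same pipeline that quarantines the sender's mailbox or session, because by the time a human reads it the worm has already moved to the next contact.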