Elastic Security Labs identified TCLBANKER, a previously undocumented Brazilian banking trojan targeting 59 financial institutions, fintech services, and cryptocurrency platforms. Elastic tracks the associated activity as REF3076.
TCLBANKER is an evolution of the Maverick banking trojan. It is delivered by a worm component, SORVEPOTEL, that spreads through both WhatsApp and Outlook. Using the two channels together lets a single infection reach a victim's personal contacts and corporate mail recipients alike, which is what drives the rapid spread across consumer and enterprise messaging.
The trojan focuses on Latin American financial targets, with particular emphasis on Brazilian banking platforms. Its target list of 59 distinct services spans retail banking, digital payment providers, and cryptocurrency exchanges.
TCLBANKER provides standard banking trojan functionality: once installed it steals credentials, intercepts transactions, and captures other sensitive financial data. Because the worm component handles propagation, an infected system sends the malware on to the victim's WhatsApp contacts and email recipients without the victim doing anything. Recipients still have to open the lure, however, which is exactly why messages arriving from a known, trusted contact are effective.
The worm component SORVEPOTEL operates independently, turning every compromised machine into a distribution node. The result is an exponential infection chain in which each infected user becomes an unwilling vector for further spread.
Organizations and individuals who use the targeted financial platforms face elevated risk. End users in affected regions should treat unsolicited links and attachments with suspicion even when they come from known contacts, because compromised accounts send their propagation attempts through the victim's normal communication channels.
Banks in Brazil and other Latin American countries should hunt their networks for TCLBANKER indicators of compromise now. Financial institutions should also tighten email and messaging security controls, in particular sandboxing of executable attachments, and watch for the tell-tale pattern of worm propagation: a single account suddenly sending the same attachment to many contacts in a short span of time.
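The following is an added example, not code from Elastic's report or from the malware analysis, of the kind of detection a mail or messaging gateway could run to catch the propagation burst described above. The log format (timestamp|sender|recipient|attachment|sha256), the list of risky attachment types, the ten-minute window and the five-recipient threshold are all assumptions chosen for illustration, and the log lines are constructed sample data, not real telemetry.

```python
"""Flag worm-style propagation: one account sending risky attachments
to many distinct recipients inside a short window.

Added example; the log format, thresholds and sample data below are
assumptions for illustration, not details from the TCLBANKER report.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Attachment types a propagation lure would plausibly use (assumption).
RISKY_EXTENSIONS = (".zip", ".rar", ".7z", ".exe", ".lnk", ".js", ".vbs",
                    ".hta", ".msi", ".bat", ".ps1")
WINDOW = timedelta(minutes=10)   # burst window (tuning assumption)
MIN_RECIPIENTS = 5               # distinct recipients that trigger an alert

# Constructed sample gateway log, NOT real telemetry.
# Assumed format: timestamp|sender|recipient|attachment_name|sha256
SAMPLE_LOG = """\
2025-10-01T09:00:05|alice@corp.example|bob@corp.example|Q3-report.xlsx|1111
2025-10-01T10:00:00|mallory@corp.example|bob@corp.example|Invoice.zip|ab12
2025-10-01T10:00:20|mallory@corp.example|carol@corp.example|Invoice.zip|ab12
2025-10-01T10:00:41|mallory@corp.example|dave@corp.example|Invoice.zip|ab12
2025-10-01T10:01:03|mallory@corp.example|erin@corp.example|Invoice.zip|ab12
2025-10-01T10:01:30|mallory@corp.example|frank@corp.example|Invoice.zip|ab12
2025-10-01T10:02:00|mallory@corp.example|grace@corp.example|Invoice.zip|ab12
2025-10-01T10:30:00|carol@corp.example|dave@corp.example|photos.zip|cd34
2025-10-01T10:31:00|carol@corp.example|erin@corp.example|photos.zip|cd34
2025-10-01T11:00:00|dave@corp.example|alice@corp.example|build.zip|ef56
2025-10-01T11:30:00|dave@corp.example|bob@corp.example|build.zip|ef56
2025-10-01T12:00:00|dave@corp.example|carol@corp.example|build.zip|ef56
2025-10-01T12:30:00|dave@corp.example|erin@corp.example|build.zip|ef56
2025-10-01T13:00:00|dave@corp.example|frank@corp.example|build.zip|ef56
"""


def parse_log(text):
    """Parse pipe-separated log lines into event dicts sorted by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, sender, recipient, attachment, sha256 = line.split("|")
        events.append({
            "ts": datetime.fromisoformat(ts),
            "sender": sender.lower(),
            "recipient": recipient.lower(),
            "attachment": attachment,
            "sha256": sha256,
        })
    events.sort(key=lambda e: e["ts"])
    return events


def is_risky(attachment):
    """True for attachment names with an extension in RISKY_EXTENSIONS."""
    return attachment.lower().endswith(RISKY_EXTENSIONS)


def find_propagation_bursts(events, window=WINDOW, min_recipients=MIN_RECIPIENTS):
    """Return one alert per sender whose risky-attachment sends reach
    `min_recipients` distinct recipients within any `window`-long span.
    The alert reports the widest such window and whether every message in
    it carried the same payload hash (the hallmark of a worm)."""
    by_sender = defaultdict(list)
    for e in events:
        if is_risky(e["attachment"]):
            by_sender[e["sender"]].append(e)

    alerts = []
    for sender, sends in by_sender.items():
        best = None
        start = 0
        for end, cur in enumerate(sends):
            # Advance the window start until it spans at most `window`.
            while cur["ts"] - sends[start]["ts"] > window:
                start += 1
            in_window = sends[start:end + 1]
            recipients = {e["recipient"] for e in in_window}
            if len(recipients) >= min_recipients and (
                    best is None or len(recipients) > best["distinct_recipients"]):
                best = {
                    "sender": sender,
                    "window_start": sends[start]["ts"].isoformat(),
                    "window_end": cur["ts"].isoformat(),
                    "distinct_recipients": len(recipients),
                    "identical_payload": len({e["sha256"] for e in in_window}) == 1,
                    "attachments": sorted({e["attachment"] for e in in_window}),
                }
        if best is not None:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in find_propagation_bursts(parse_log(SAMPLE_LOG)):
        print(alert)
```

In the sample, only mallory trips the rule: six distinct recipients of the same archive within two minutes. carol sends a risky attachment to two people (below threshold) and dave sends five archives spread over two hours (outside any ten-minute window), so neither is flagged. This catches the sending side of propagation at a mail gateway or in Exchange message-trace style data; WhatsApp traffic from personal devices will not appear in such a log, which is why the user-awareness guidance above still matters.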
THE BOTTOM LINE: TCLBANKER's combination of broad targeting, worm-based distribution, and evolution from established malware families positions it as a high-volume threat to financial users in
