SOC Prime Bias: Medium

08 May 2026 18:29

TCLBANKER: Brazilian Banking Trojan Spreading via WhatsApp and Outlook

SOC Prime Team

Detection stack

  • AIDR
  • Alert
  • ETL
  • Query

Summary

The report examines TCLBANKER, a newly identified Brazilian banking trojan that abuses a signed Logitech installer to deliver a malicious .NET payload. The malware includes a banking component that uses WPF overlays to target financial sessions, along with two worm-like modules that abuse WhatsApp Web and Microsoft Outlook for propagation. Command-and-control communication is handled through a Cloudflare Workers WebSocket infrastructure, and the malware incorporates a wide range of anti-analysis techniques to frustrate detection and investigation.

Investigation

Elastic Security Labs analyzed the malicious MSI package, the DLL sideloading method, the .NET loader, and both propagation modules. Researchers recovered command-and-control URLs, API keys, scheduled task persistence details, and a list of 59 Brazilian banking domains targeted by the malware. Their analysis also documented anti-debugging logic, sandbox evasion methods, and watchdog behavior designed to keep the malware active and resilient.

Mitigation

Defenders should block execution of untrusted installers, monitor for DLL sideloading involving LogiAiPromptBuilder.exe, and apply least-privilege controls to Outlook and browser environments. Detection content should also cover the scheduled task RuntimeOptimizeService. Network defenses should block the identified Cloudflare Workers domains and the IP address 191.96.224.96.

Response

If TCLBANKER is detected, isolate the affected endpoint immediately, terminate the malicious processes, remove the scheduled task, and delete the %LocalAppData%\LogiAI directory. Investigators should preserve forensic evidence such as DLL hashes and command-and-control traffic for intelligence sharing. Compromised Outlook and WhatsApp credentials should be reset, and the environment should be monitored for additional propagation attempts.

Attack Flow

    graph TB
        %% Class Definitions Section
        classDef action fill:#99ccff
        classDef tool fill:#ffcc99
        classDef malware fill:#ff9999
        classDef process fill:#ccffcc
        classDef persistence fill:#ccccff
        classDef c2 fill:#ffdd99

        %% Node Definitions Section
        user_execution["<b>Action</b> – <b>T1204.002 User Execution</b><br/>Victim runs malicious MSI after extracting from ZIP"]
        class user_execution action
        delivery_zip["<b>Action</b> – <b>T1546.016 Event Triggered Execution: Installer Packages</b><br/>Malicious MSI delivered inside a ZIP archive using a signed Logitech installer"]
        class delivery_zip action
        malicious_msi["<b>Malware</b> – <b>Name</b>: Malicious MSI<br/><b>Description</b>: Embedded in ZIP and executed by signed installer"]
        class malicious_msi malware
        signed_logitech_installer["<b>Tool</b> – <b>Name</b>: Logitech Logi AI Prompt Builder installer (signed)"]
        class signed_logitech_installer tool
        logiai_exe["<b>Process</b> – <b>Name</b>: LogiAiPromptBuilder.exe"]
        class logiai_exe process
        sideloader_dll["<b>Malware</b> – <b>Name</b>: screen_retriever_plugin.dll (masquerades as Flutter plugin)"]
        class sideloader_dll malware
        flutter_framework["<b>Tool</b> – <b>Name</b>: Flutter framework (trusted developer utility)"]
        class flutter_framework tool
        dotnet_reactor["<b>Tool</b> – <b>Name</b>: .NET Reactor packer"]
        class dotnet_reactor tool
        polymorphic_payload["<b>Malware</b> – <b>Name</b>: Encrypted payload with AES-256<br/>Environment-gated key provides polymorphic behavior"]
        class polymorphic_payload malware
        env_evasion["<b>Action</b> – <b>T1497.002 Virtualization/Sandbox Evasion</b><br/>User activity, debugger, virtualization and region checks"]
        class env_evasion action
        locale_check["<b>Action</b> – <b>T1614.001 System Location Discovery</b><br/>Verifies LCID, keyboard layout, timezone for pt-BR locale"]
        class locale_check action
        scheduled_task["<b>Persistence</b> – <b>T1053 Scheduled Task</b><br/>Creates hidden task RuntimeOptimizeService at logon"]
        class scheduled_task persistence
        screen_capture["<b>Action</b> – <b>T1113 Screen Capture</b><br/>Captures full-screen PNG per monitor for overlay and streaming"]
        class screen_capture action
        keylogging["<b>Action</b> – <b>T1056.001 Input Capture: Keylogging</b><br/>Installs low-level WH_KEYBOARD_LL hook"]
        class keylogging action
        outlook_bot["<b>Malware</b> – <b>Name</b>: Outlook COM automation bot"]
        class outlook_bot malware
        phishing_action["<b>Action</b> – <b>T1566 Phishing</b><br/>Sends phishing emails from victim Outlook account"]
        class phishing_action action
        email_bombing["<b>Action</b> – <b>T1667 Email Bombing</b><br/>High-volume phishing to harvested contacts"]
        class email_bombing action
        network_logon_script["<b>Action</b> – <b>T1037.003 Network Logon Script</b><br/>Establishes persistent WebSocket connection"]
        class network_logon_script action
        websocket_c2["<b>Command and Control</b> – <b>Endpoint</b>: wss://mxtestacionamentos.com/ws<br/><b>Auth</b>: HMAC-SHA256"]
        class websocket_c2 c2

        %% Connections Section
        user_execution -->|triggers| delivery_zip
        delivery_zip -->|contains| malicious_msi
        malicious_msi -->|executed by| signed_logitech_installer
        signed_logitech_installer -->|launches| logiai_exe
        logiai_exe -->|loads| sideloader_dll
        sideloader_dll -->|uses| flutter_framework
        sideloader_dll -->|packed with| dotnet_reactor
        sideloader_dll -->|contains| polymorphic_payload
        polymorphic_payload -->|evades via| env_evasion
        env_evasion -->|includes| locale_check
        logiai_exe -->|creates| scheduled_task
        logiai_exe -->|captures| screen_capture
        logiai_exe -->|keylogs| keylogging
        logiai_exe -->|runs| outlook_bot
        outlook_bot -->|performs| phishing_action
        outlook_bot -->|performs| email_bombing
        logiai_exe -->|establishes| network_logon_script
        network_logon_script -->|connects to| websocket_c2

Simulation Execution

Prerequisite: The Telemetry & Baseline Pre‑flight Check must have passed.

Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic. Abstract or unrelated examples will lead to misdiagnosis.

  • Attack Narrative & Commands:

    1. Stage the malicious DLL – the attacker places a malicious DLL (evil.dll) in the same directory as the legitimate LogiAiPromptBuilder.exe. The DLL is unsigned and contains the banking‑trojan payload.
    2. Execute the legitimate binary – the attacker runs LogiAiPromptBuilder.exe directly from Explorer (or a PowerShell session), causing the process to load the malicious DLL via the OS’s DLL search order (side‑loading).
    3. Resulting telemetry – Sysmon/Event ID 1 logs a process creation where Image ends with logiaipromptbuilder.exe and ParentImage ends with explorer.exe. Because the parent is not in the exclusion list, the Sigma rule should fire.
  • Regression Test Script:

    # -------------------------------------------------------------------------
    # TCLBANKER DLL sideloading simulation – PowerShell
    # -------------------------------------------------------------------------
    # 1. Define paths (adjust if running on a different workstation).
    #    Writing under Program Files requires an elevated session.
    $logiPath = "$env:ProgramFiles\Logitech\LogiAiPromptBuilder.exe"
    $dllPath  = "$env:ProgramFiles\Logitech\evil.dll"
    if (-not (Test-Path $logiPath)) {
        throw "LogiAiPromptBuilder.exe not found at $logiPath; install the legitimate app first."
    }
    
    # 2. Create a dummy malicious DLL (for demo purposes, just a copy of Notepad)
    Write-Host "[+] Staging malicious DLL (simulated payload)..."
    Copy-Item -Path "$env:SystemRoot\System32\notepad.exe" -Destination $dllPath -Force
    
    # 3. Launch the legitimate binary (ParentImage will be the current PowerShell
    #    process; Wait-Process blocks until the launched window is closed)
    Write-Host "[+] Executing LogiAiPromptBuilder.exe to trigger side-loading..."
    Start-Process -FilePath $logiPath -PassThru | Wait-Process
    
    # 4. Optional: Verify the process was logged (requires Sysmon/ELK access)
    Write-Host "[+] Simulation complete. Verify SIEM for detection."
  • Cleanup Commands:

    # -------------------------------------------------------------------------
    # Cleanup for TCLBANKER simulation
    # -------------------------------------------------------------------------
    $dllPath = "$env:ProgramFiles\Logitech\evil.dll"
    if (Test-Path $dllPath) {
        Write-Host "[+] Removing staged malicious DLL..."
        Remove-Item -Path $dllPath -Force
    }
    Write-Host "[+] Cleanup complete."
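As an added example (not SOC Prime's or Elastic Security Labs' code), the Python below models the detection logic the Mitigation section and the simulation narrative call for, run over constructed Sysmon-style events: LogiAiPromptBuilder.exe launched by an unexpected parent, an unsigned DLL loaded from its own directory, the RuntimeOptimizeService task creation, and a connection to the listed IP. The expected-parent allowlist and the subset of Sysmon fields used are assumptions.

```python
# Added example (not SOC Prime's or Elastic Security Labs' code): detection logic over
# constructed Sysmon-style events (EventID 1 ProcessCreate, 3 NetworkConnect, 7 ImageLoad).
from typing import List
LOGI_EXE = "logiaipromptbuilder.exe"
TASK_NAME = "runtimeoptimizeservice"
C2_IP = "191.96.224.96"             # IP from the page's Mitigation section
EXPECTED_PARENTS = {"msiexec.exe"}  # assumed benign launcher(s); tune per environment

def _base(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def _dir(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[0].lower()

def detect(events: List[dict]) -> List[str]:
    """Return one alert string per event that matches a TCLBANKER indicator."""
    alerts: List[str] = []
    for ev in events:
        eid, image = ev.get("EventID"), _base(ev.get("Image", ""))
        if eid == 1 and image == LOGI_EXE:
            parent = _base(ev.get("ParentImage", ""))
            if parent not in EXPECTED_PARENTS:  # the Sigma condition in the narrative
                alerts.append(f"sideload-candidate: {LOGI_EXE} spawned by {parent}")
        elif eid == 1 and image == "schtasks.exe":
            cmd = ev.get("CommandLine", "").lower()
            if "/create" in cmd and TASK_NAME in cmd:
                alerts.append(f"persistence: scheduled task {TASK_NAME} created")
        elif eid == 7 and image == LOGI_EXE:
            # Sideloading signal: an unsigned DLL resolved from the EXE's own directory.
            dll = ev.get("ImageLoaded", "")
            if _dir(dll) == _dir(ev["Image"]) and ev.get("Signed", "false").lower() != "true":
                alerts.append(f"sideload: {LOGI_EXE} loaded unsigned {_base(dll)}")
        elif eid == 3 and ev.get("DestinationIp") == C2_IP:
            alerts.append(f"c2: {image} connected to {C2_IP}")
    return alerts
# Constructed sample telemetry: one sideload chain plus a benign installer launch.
LOGI_PATH = r"C:\Program Files\Logitech\LogiAiPromptBuilder.exe"
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": LOGI_PATH, "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 7, "Image": LOGI_PATH, "Signed": "false",
     "ImageLoaded": r"C:\Program Files\Logitech\screen_retriever_plugin.dll"},
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": "/Create /TN RuntimeOptimizeService /SC ONLOGON"},
    {"EventID": 3, "Image": LOGI_PATH, "DestinationIp": "191.96.224.96"},
    {"EventID": 1, "Image": LOGI_PATH, "ParentImage": r"C:\Windows\System32\msiexec.exe"},
]

if __name__ == "__main__":
    print(*detect(SAMPLE_EVENTS), sep="\n")
```

The task-creation check only sees schtasks.exe command lines; a task registered through the Task Scheduler API shows up in the TaskScheduler operational log instead, so production content should cover both paths.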