Overview of the Cyber Threat
A recent security analysis has uncovered a new cyber threat in which attackers are targeting 59 online banking, fintech, and cryptocurrency services. The malware is distributed through widely used applications, including WhatsApp and Microsoft Outlook. The culprit is a trojan named TCLBanker, which infects Windows systems through trojanized Microsoft installer files, according to findings reported by BleepingComputer.
Origins and Functionality of TCLBanker
TCLBanker is an evolution of older malware, specifically the Maverick and Sorvepotel families. Research by Elastic Security Labs shows that the malware profiles infected machines by checking parameters such as the timezone, keyboard layout, and locale.
Engineered with self-propagation features, TCLBanker possesses worm-like attributes that enable it to automatically spread through messaging platforms like WhatsApp and email programs such as Outlook. Once the malware detects that a user is accessing targeted platforms, it establishes a WebSocket connection with its command-and-control infrastructure, allowing for extensive remote control actions.
Capabilities of TCLBanker
The range of capabilities available to the malware’s operators is extensive, allowing them to:
- Perform live screen streaming
- Capture screenshots
- Log keystrokes
- Intercept clipboard data
- Execute shell commands
- Access the file system
- Gain remote control over the mouse and keyboard
In a more deceptive tactic, TCLBanker employs fake overlays to harvest sensitive information, including user credentials, personal identification numbers (PINs), phone numbers, and other private data. These fraudulent overlays can manifest in various forms such as:
- Fake login prompts
- PIN entry screens
- Support waiting pages
- Simulated Windows Update alerts
- Counterfeit progress indicators
Targeted Regions
The intelligence report indicates that TCLBanker's primary focus is on users in Brazil, where the malware monitors browser activity by reading the address bar every second to detect visits to its designated target sites.