Attack Chain

1. The victim downloads and executes a trojanized MSI installer for Logitech AI Prompt Builder.
2. The installer performs DLL side-loading to inject the TCLBanker malware into the legitimate Logitech application process.
3. TCLBanker monitors the browser address bar using Windows UI Automation APIs, searching for URLs matching its 59 targeted financial platforms.
4. When a targeted website is accessed, TCLBanker establishes a WebSocket session with its command-and-control (C2) server, sending victim and system information.
5. The C2 operator gains remote control capabilities, including live screen streaming, screenshot capturing, keylogging, clipboard hijacking, shell command execution, and file system access.
6. TCLBanker uses a WPF-based overlay system to display fake credential prompts, PIN keypads, and other deceptive overlays to steal sensitive information.
7. The malware hijacks the victim’s WhatsApp account by searching for authenticated WhatsApp Web IndexedDB data in Chromium browser profiles and launching a hidden Chromium instance to send spam messages to contacts, filtering for Brazilian numbers.
8. TCLBanker abuses Microsoft Outlook through COM automation to harvest contacts and sender addresses, sending phishing emails from the victim’s email account to further spread the malware.

Impact

TCLBanker enables attackers to steal banking credentials, cryptocurrency wallet information, and other sensitive data from victims. It also allows for remote control of infected systems, enabling attackers to perform unauthorized actions, potentially leading to financial loss, identity theft, and further propagation of the malware. The self-spreading capabilities via WhatsApp and Outlook significantly increase the malware’s reach, potentially impacting a large number of individuals and organizations, especially those operating in Brazil.

Recommendation

• Monitor process creations for suspicious instances of msiexec.exe installing software from untrusted sources (see Sigma rule: “Detect Suspicious MSI Installer Execution”).
• Enable Sysmon process creation logging to detect DLL side-loading activity from legitimate applications like the Logitech AI Prompt Builder process, potentially indicating TCLBanker infection.
• Monitor network connections for WebSocket traffic originating from systems running legitimate applications that should not be communicating over websockets to external addresses.
• Implement network detections for outbound email traffic containing suspicious attachments or links originating from user accounts that have not recently logged into Outlook (see Sigma rule “Detect Outlook COM Hijacking”).