New TCLBanker Banking Trojan Self‑Spreads via WhatsApp and Outlook
What Happened — Researchers at Elastic Security Labs identified a new banking trojan, TCLBanker, that targets 59 banking, fintech and cryptocurrency services. The payload is delivered through a trojanized Logitech AI Prompt Builder MSI installer and includes worm‑like modules that automatically propagate via WhatsApp contacts and Outlook address books.
Why It Matters for TPRM —
- The malware can compromise financial credentials and transaction data from a wide range of fintech vendors.
- Its self‑spreading capability bypasses traditional email/IM filtering, increasing the attack surface for third‑party partners.
- The use of DLL side‑loading and sandbox‑evasion techniques makes detection difficult for many endpoint solutions.
Who Is Affected — Financial services (banks, fintech platforms, crypto exchanges), their downstream vendors, and any organization that allows employees to use WhatsApp or Outlook for business communications.
Recommended Actions —
- Review contracts with any third‑party providers that supply or support Logitech software, messaging, or email tools.
- Verify that endpoint detection and response (EDR) solutions can detect DLL side‑loading and sandbox‑evasion behaviors.
- Enforce strict application allow‑lists and disable automatic execution of MSI installers from untrusted sources.
Technical Notes — The trojan is delivered via a malicious MSI that side‑loads a legitimate Logitech DLL, evading many AV signatures. It spreads through WhatsApp and Outlook by harvesting contact lists and sending the malicious installer to them. Capabilities include keylogging, screen capture, clipboard hijacking, remote command execution, and credential‑stealing overlays. No public CVE is associated with this campaign.
Source: BleepingComputer
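One way to exercise the "verify EDR detects DLL side‑loading" action above, as an added example that is not from Elastic Security Labs or BleepingComputer: a triage script over Sysmon‑style image‑load (Event ID 7) records that flags a signed executable loading a DLL beside itself that its own publisher did not sign, or an unsigned DLL from a user‑writable path such as a temp or MSI staging directory. All paths, publisher names and records are constructed, not indicators from this campaign.

```python
"""Heuristic triage of DLL side-loading from Sysmon-style image-load (Event ID 7) records."""
from dataclasses import dataclass
from typing import List, Tuple

# Directories an unprivileged user (or an MSI run as that user) can write to.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")
# DLLs from these locations load into every process and are not side-load candidates.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\windows\\winsxs\\")


@dataclass(frozen=True)
class ImageLoad:
    """One image-load record: a process (the loader) pulling in a DLL."""
    process_image: str
    process_signer: str  # Authenticode publisher of the loading executable, "" if unsigned
    dll_path: str
    dll_signer: str      # Authenticode publisher of the loaded DLL, "" if unsigned


def _directory(path: str) -> str:
    return path.lower().rsplit("\\", 1)[0] + "\\"


def side_load_reasons(ev: ImageLoad) -> List[str]:
    """Return why this load looks like side-loading; an empty list means it looks benign."""
    dll_dir = _directory(ev.dll_path)
    if dll_dir.startswith(SYSTEM_DIRS):
        return []
    reasons: List[str] = []
    same_dir = dll_dir == _directory(ev.process_image)
    # Classic side-load: a signed vendor binary resolves a DLL next to itself that the vendor did not sign.
    if same_dir and ev.process_signer and ev.dll_signer != ev.process_signer:
        reasons.append("DLL beside a signed executable is not signed by the same publisher")
    # Unsigned code loaded from a location a dropper can write without admin rights.
    if not ev.dll_signer and any(m in dll_dir for m in USER_WRITABLE_MARKERS):
        reasons.append("unsigned DLL loaded from a user-writable directory")
    return reasons


def triage(events: List[ImageLoad]) -> List[Tuple[str, str, List[str]]]:
    """Return (process_image, dll_path, reasons) for every suspicious load."""
    hits = []
    for ev in events:
        reasons = side_load_reasons(ev)
        if reasons:
            hits.append((ev.process_image, ev.dll_path, reasons))
    return hits


# Constructed sample telemetry (hypothetical vendor, not campaign data): two benign loads, one side-load.
SAMPLE = [
    ImageLoad(r"C:\Program Files\VendorApp\vendorapp.exe", "Vendor Corp", r"C:\Windows\System32\kernel32.dll", "Microsoft Windows"),
    ImageLoad(r"C:\Program Files\VendorApp\vendorapp.exe", "Vendor Corp", r"C:\Program Files\VendorApp\helper.dll", "Vendor Corp"),
    ImageLoad(r"C:\Users\alice\AppData\Local\Temp\vendorapp.exe", "Vendor Corp", r"C:\Users\alice\AppData\Local\Temp\helper.dll", ""),
]

if __name__ == "__main__":
    for proc, dll, reasons in triage(SAMPLE):
        print(f"{proc} -> {dll}: {'; '.join(reasons)}")
```

Feed the same two heuristics into your EDR's custom-rule or hunting query language and confirm the side‑load record fires while the two benign loads stay quiet.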