BREACH BRIEF · High · ThreatIntel

Banking Trojan ‘TCLBANKER’ Uses WhatsApp and Outlook Worms to Target 59 Financial Platforms

A new Brazilian banking trojan, TCLBANKER, spreads through malicious WhatsApp messages and an Outlook macro worm, aiming at 59 banking, fintech and cryptocurrency services. The malware harvests credentials and can initiate unauthorized transactions, posing a high third‑party risk for financial‑service vendors.

LiveThreat™ Intelligence · May 09, 2026 · thehackernews.com

Severity: High · Type: ThreatIntel · Confidence: High · Affected: 4 sector(s) · Actions: 4 recommended · Source: thehackernews.com

Banking Trojan “TCLBANKER” Uses WhatsApp and Outlook Worms to Target 59 Financial Platforms

What Happened – Researchers identified a new Brazilian banking trojan, TCLBANKER, that spreads via malicious WhatsApp messages and an Outlook macro worm (SORVEPOTEL). The malware is capable of compromising credentials and stealing funds from 59 banking, fintech and cryptocurrency services.

Why It Matters for TPRM

  • The trojan targets a broad set of financial‑service providers, increasing third‑party exposure for any organization that integrates with these platforms.
  • Its use of widely used communication tools (WhatsApp, Outlook) makes the phishing lures harder to detect and can affect employees across multiple business units.
  • Successful infections can lead to credential theft, unauthorized transactions, and downstream supply‑chain risk for partners that rely on compromised accounts.

Who Is Affected – Financial services, fintech firms, cryptocurrency exchanges, payment processors, and any vendors that handle banking APIs or transaction processing.

Recommended Actions

  • Review all third‑party relationships that connect to the listed 59 platforms; verify that they enforce MFA and transaction monitoring.
  • Harden email and messaging gateways: block suspicious macro attachments, enforce attachment sandboxing, and apply URL‑reputation filtering for WhatsApp links.
  • Conduct phishing awareness training focused on WhatsApp and Outlook‑based lures.
  • Deploy endpoint detection and response (EDR) capable of detecting the SORVEPOTEL worm behavior.

Technical Notes – The trojan is a major evolution of the Maverick family, leveraging the SORVEPOTEL worm to propagate through Outlook macro scripts. Distribution vectors include crafted WhatsApp messages containing malicious links that download the payload, and malicious Office documents that trigger the worm when opened. The malware harvests banking credentials, session cookies, and can initiate unauthorized transfers. Source: The Hacker News

Original Source
https://thehackernews.com/2026/05/tclbanker-banking-trojan-targets.html

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.
