TCLBANKER Trojan Spreads via WhatsApp to Target 59 Financial Platforms

A new banking trojan called TCLBANKER hijacks WhatsApp and Outlook to spread across 3,000 contacts per victim, targeting 59 financial platforms with full-screen credential overlays.

FyntraLink Team

Elastic Security Labs has uncovered TCLBANKER, a sophisticated banking trojan that weaponizes WhatsApp Web and Microsoft Outlook to self-propagate across thousands of contacts — turning every infected employee into a distribution node targeting financial institutions. For banks operating under SAMA oversight, where WhatsApp serves as a de facto business communication channel, this threat demands immediate attention.

How TCLBANKER Infiltrates Banking Environments

Tracked under the campaign designation REF3076, TCLBANKER represents a significant evolution of the Maverick malware family previously attributed to the Water Saci threat cluster by Trend Micro. The attack chain begins with a loader featuring robust anti-analysis capabilities that deploys two embedded modules: a full-featured banking trojan and a worm component designed for mass propagation.

The loader first verifies the target system's locale, then establishes persistence through Windows scheduled tasks. Once embedded, TCLBANKER activates a URL monitoring engine that extracts the current address from the victim's foreground browser window and matches it against a hardcoded list of 59 banking, fintech, and cryptocurrency platforms. When a match is found, the trojan deploys its credential harvesting sequence.

What makes TCLBANKER particularly dangerous is its self-update mechanism. The malware can pull fresh configurations and updated target lists from its command-and-control infrastructure, meaning the current list of 59 platforms can expand to include Saudi banking portals at any point.

WhatsApp as a Weaponized Distribution Channel

The worm module hijacks the victim's active WhatsApp Web session and Outlook email account to distribute trojanized installers. Each compromised machine can spam up to 3,000 contacts with malicious payloads — all sent from the victim's legitimate accounts through trusted infrastructure. Recipients see messages from a known colleague, not a suspicious external sender.

This propagation model exploits the implicit trust within professional networks. In Saudi financial institutions, WhatsApp groups frequently include compliance officers, treasury teams, relationship managers, and even external auditors. A single infection in a bank's operations team could cascade across the entire institution and its third-party ecosystem within hours.

The worm leverages SORVEPOTEL, a component previously associated with the Maverick campaign, to automate the distribution process. It reads contact lists, selects targets, and sends messages with embedded download links — all without any visible indication to the compromised user.

Credential Harvesting Through Full-Screen Overlays

TCLBANKER employs a Windows Presentation Foundation (WPF)-based overlay framework that renders full-screen fake login pages on top of legitimate banking sessions. These overlays include credential harvesting prompts, vishing wait screens disguised as bank verification calls, fake progress bars simulating transaction processing, and bogus Windows Update screens to buy time while data is exfiltrated.

Critically, the overlay engine includes anti-screenshot functionality — it hides itself from screen capture tools, remote desktop sessions, and screen-sharing applications. This means security teams running remote monitoring or employees attempting to screenshot suspicious behavior will capture only the legitimate banking page underneath, not the overlay stealing their credentials.

Direct Implications for SAMA-Regulated Institutions

While TCLBANKER's current targeting focuses on Brazilian financial institutions, the threat model maps directly to risks facing Saudi banks. WhatsApp is deeply embedded in Saudi business culture — from internal coordination to client communication. SAMA's Cyber Security Framework (CSCC) explicitly requires controls around messaging channel security under Domain 3 (Cyber Security Operations) and Domain 4 (Third Party Cyber Security).

The NCA Essential Cybersecurity Controls (ECC) further mandate endpoint protection measures that would detect TCLBANKER's persistence mechanisms. Specifically, ECC-2:3 (Malware Protection) and ECC-2:5 (Email and Web Security) require detection capabilities for exactly this class of threat — malware that spreads through legitimate communication channels and harvests credentials via social engineering overlays.

The trojan's ability to propagate through third-party contacts also triggers SAMA CSCC Domain 4 requirements. If a vendor or partner's infected machine distributes TCLBANKER to bank employees via a trusted WhatsApp group, the bank's third-party risk management controls are directly tested.

Defensive Recommendations for Security Teams

  1. Restrict WhatsApp Web on corporate endpoints. Enforce browser-based application control policies that prevent WhatsApp Web from executing in corporate browser profiles. If business use is required, isolate it in a separate browser container with no access to corporate credentials or file systems.
  2. Deploy behavioral EDR rules for WPF overlay abuse. Configure endpoint detection and response solutions to alert on WPF applications creating full-screen topmost windows that overlay known banking domains. TCLBANKER's overlay engine has a distinct behavioral signature that differs from legitimate WPF applications.
  3. Monitor scheduled task creation. TCLBANKER establishes persistence via Windows Task Scheduler. Implement detection rules for new scheduled tasks created by non-standard parent processes, particularly those executing from temporary directories or user profile folders.
  4. Enforce URL monitoring at the proxy layer. Deploy web proxy rules that detect and block connections to known TCLBANKER command-and-control infrastructure. Cross-reference IoCs published by Elastic Security Labs in their REF3076 advisory.
  5. Audit third-party communication channels. Conduct a risk assessment of all messaging platforms used for business communication, mapping them against SAMA CSCC Domain 4 requirements. Document which channels handle sensitive financial data and enforce appropriate controls.
  6. Simulate WhatsApp-based phishing in awareness training. Update security awareness programs to include scenarios where malicious links arrive via WhatsApp from known contacts. Staff should understand that compromised accounts can send malware through trusted channels.
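The following is an added example for recommendation 3, not code from Elastic Security Labs, FyntraLink or the REF3076 advisory. It is a small Python heuristic that scans Windows Security event 4698 (scheduled task created) records and flags tasks whose action path or creating process lives in a temp or user-profile folder, or whose creator is not the Task Scheduler service host or the MMC console. The event dictionaries are constructed samples, and the `CreatorProcess` field is an assumption: a native 4698 record carries the task XML but not the creating image, so in practice you would join that field from a process-creation event (Sysmon event 1 or Security event 4688) before applying this check. The `STANDARD_CREATORS` allowlist is likewise an assumed starting point to tune to your estate.

```python
"""Flag suspicious scheduled-task creation from Windows Security event 4698 records.

Added example (not vendor or project code). The event shape below is reduced to
the fields this check needs, and CreatorProcess is assumed to have been joined
from a process-creation event beforehand.
"""
import re
import xml.etree.ElementTree as ET

# Processes that normally register tasks: the Task Scheduler service host and
# the Task Scheduler MMC console. Assumed allowlist; tune it for your estate.
STANDARD_CREATORS = {"svchost.exe", "mmc.exe"}

# Locations where a task action should rarely live: temp dirs, per-user profile
# folders, and the environment variables that expand to them.
USER_WRITABLE = re.compile(
    r"(?i)(\\temp\\|\\appdata\\|\\users\\[^\\]+\\(downloads|desktop|documents|public)\\"
    r"|%temp%|%tmp%|%appdata%|%localappdata%|%userprofile%)"
)

# Default namespace used by Task Scheduler XML, needed for ElementTree lookups.
TASK_NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"

# Constructed sample records (not real telemetry): one benign service-created
# task, one task planted from a temp-folder installer, one console-created task.
SAMPLE_EVENTS = [
    {
        "EventID": 4698,
        "TaskName": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag",
        "CreatorProcess": "C:\\Windows\\System32\\svchost.exe",
        "TaskContent": (
            "<Task xmlns='http://schemas.microsoft.com/windows/2004/02/mit/task'>"
            "<Actions><Exec><Command>%windir%\\system32\\defrag.exe</Command>"
            "<Arguments>-c -h -o</Arguments></Exec></Actions></Task>"
        ),
    },
    {
        "EventID": 4698,
        "TaskName": "\\WindowsUpdateCheck",
        "CreatorProcess": "C:\\Users\\alice\\AppData\\Local\\Temp\\setup_update.exe",
        "TaskContent": (
            "<Task xmlns='http://schemas.microsoft.com/windows/2004/02/mit/task'>"
            "<Actions><Exec><Command>C:\\Users\\alice\\AppData\\Roaming\\Updater\\svc.exe</Command>"
            "</Exec></Actions></Task>"
        ),
    },
    {
        "EventID": 4698,
        "TaskName": "\\Backup\\NightlySync",
        "CreatorProcess": "C:\\Windows\\System32\\mmc.exe",
        "TaskContent": (
            "<Task xmlns='http://schemas.microsoft.com/windows/2004/02/mit/task'>"
            "<Actions><Exec><Command>C:\\Program Files\\SyncTool\\sync.exe</Command>"
            "</Exec></Actions></Task>"
        ),
    },
]


def task_commands(task_content: str) -> list[str]:
    """Return every <Exec><Command> value from a 4698 TaskContent XML blob."""
    if not task_content:
        return []
    root = ET.fromstring(task_content)
    return [el.text or "" for el in root.iter(f"{TASK_NS}Command")]


def evaluate(event: dict) -> list[str]:
    """Return human-readable reasons this task creation looks suspicious ([] if clean)."""
    reasons: list[str] = []
    if event.get("EventID") != 4698:
        return reasons
    creator = event.get("CreatorProcess", "")
    creator_name = creator.rsplit("\\", 1)[-1].lower()
    if creator_name not in STANDARD_CREATORS:
        reasons.append(f"task registered by non-standard process: {creator}")
    if USER_WRITABLE.search(creator):
        reasons.append(f"creator runs from a user-writable location: {creator}")
    for cmd in task_commands(event.get("TaskContent", "")):
        if USER_WRITABLE.search(cmd):
            reasons.append(f"task action points at a user-writable location: {cmd}")
    return reasons


def scan(events: list[dict]) -> list[tuple[str, list[str]]]:
    """Run evaluate() over a batch and keep only the flagged tasks."""
    flagged = []
    for ev in events:
        reasons = evaluate(ev)
        if reasons:
            flagged.append((ev.get("TaskName", "?"), reasons))
    return flagged


if __name__ == "__main__":
    for name, reasons in scan(SAMPLE_EVENTS):
        print(name)
        for reason in reasons:
            print("  -", reason)
```

Only the second sample is flagged (three reasons: non-standard creator, creator in a temp folder, action in AppData); the service-created and console-created tasks pass. Treat the output as a triage queue rather than a verdict: legitimate installers also register tasks from user-writable paths, so pair the alert with the parent-process chain and the task's trigger and run-level before acting.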

Conclusion

TCLBANKER represents a concerning evolution in banking trojans — one that turns everyday communication tools into attack vectors. Although currently focused on Brazilian targets, the malware's modular architecture and self-update capability mean geographic expansion is a matter of configuration, not development. Saudi financial institutions that rely heavily on WhatsApp for business coordination face elevated risk if this threat pivots toward the Middle East.

Is your organization prepared? Contact Fyntralink for a complimentary SAMA Cyber Maturity Assessment that evaluates your endpoint security, messaging channel controls, and third-party risk posture against threats like TCLBANKER.