A new malware campaign that spreads through popular applications such as WhatsApp and Outlook is targeting 59 banking, fintech, and cryptocurrency platforms.

The Trojan, identified as TCLBanker, infects Windows systems through tampered Microsoft installation packages, according to Elastic Security Labs.

Researchers say TCLBanker is a major evolution of the older Maverick and Sorvepotel malware family. The malware includes worm modules that allow it to spread automatically through WhatsApp and Microsoft Outlook.

Once a targeted website is opened, the malware establishes a WebSocket connection with its command-and-control server, enabling remote control operations. Capabilities include live screen streaming, screenshots, keylogging, clipboard hijacking, shell command execution, file system access, and remote mouse and keyboard control.

TCLBanker uses fake overlay screens to steal credentials, PINs, phone numbers, and other sensitive information. These overlays mimic credential prompts, PIN keypads, bank support waiting screens, Windows Update interfaces, and fake progress screens.

Elastic Security Labs notes that the malware monitors the victim's browser address bar, checking every second for visits to any of its 59 targeted platforms. The campaign appears to be centered on apps in Brazil.