Bitcoin Forum
Topic: Brazilian Banking Trojan “TCLBANKER” Targeting Users via WhatsApp and Outlook
SatsPH (OP)
May 09, 2026, 09:51:03 AM

There is a new Brazilian banking trojan, recently discovered in the wild, called TCLBANKER. This banking trojan is another sophisticated piece of malware that monitors the victims' browsers, targeting 59 Brazilian banking, fintech, and cryptocurrency domains. The mode of attack is through WhatsApp and Outlook.


  • TCLBANKER uses environment-gated payload decryption; incorrect environments, such as sandboxes, silently fail to decrypt the payload.
  • A comprehensive watchdog subsystem continuously monitors for analysis tools, debuggers, instrumentation frameworks, and integrity violations throughout execution.
  • The banking trojan targets 59 Brazilian banking, fintech, and cryptocurrency domains, activating a WebSocket C2 session when a victim navigates to a monitored site.
  • A WPF-based full-screen overlay framework enables operator-driven social engineering, including credential harvesting, vishing wait screens, and fake Windows Update stalls, while hiding overlays from screen capture tools.
  • Worm modules propagate the malware: a WhatsApp bot and an Outlook email bot.
  • All C2 and distribution infrastructure is hosted on Cloudflare Workers under a single account, with developer artifacts (debug logging paths, test process names) and an incomplete phishing page, suggesting the campaign was identified in an early operational stage.

Quote
The loader component for TCLBANKER is packed with features, including anti-debugging features, anti-analysis checks, string encryption, system language checks, ETW patching, and a watchdog capability. While it has many features, it lacks depth and has references to older malware analysis tooling. It’s not entirely clear whether the developer used LLM-assisted workflows, but our team wouldn’t be surprised if that were the case.

Below is the list of targets, including cryptocurrency exchanges.

Quote
## Group 0 — Banco do Brasil
 
| Domain | Institution |
|--------|-------------|
| `bancobrasil.com.br` | Banco do Brasil — main portal |
| `bb.com.br` | Banco do Brasil — short domain |
 
## Group 1 — Caixa Econômica Federal
 
| Domain | Institution |
|--------|-------------|
| `caixa.gov.br` | Caixa — main portal |
| `gerenciador.caixa.gov.br` | Caixa — business banking portal |
| `loginx.caixa.gov.br` | Caixa — authentication endpoint |
 
## Group 2 — Bradesco
 
| Domain | Institution |
|--------|-------------|
| `banco.bradesco` | Bradesco — main portal |
| `bradesco.com.br` | Bradesco — secondary domain |
| `cidadetran.bradesco` | Bradesco — digital banking |
| `ne12.bradesconetempresa.b.br` | Bradesco — corporate banking |
 
## Group 3 — Cryptocurrency Exchanges
 
| Domain | Institution |
|--------|-------------|
| `binance.com` | Binance — global crypto exchange |
| `mercadobitcoin.com.br` | Mercado Bitcoin — BR crypto exchange |
| `bitcointrade.com.br` | Bitcoin Trade — BR crypto exchange |
| `foxbit.com.br` | Foxbit — BR crypto exchange |
| `blockchain.com` | Blockchain.com — crypto wallet/exchange |
 
## Group 4 — Santander
 
| Domain | Institution |
|--------|-------------|
| `pf.santandernet.com.br` | Santander — personal banking |
| `pj.santandernetibe.com.br` | Santander — business banking |
 
## Group 5 — Itaú Unibanco
 
| Domain | Institution |
|--------|-------------|
| `itau.com.br` | Itaú Unibanco |
 
## Group 6 — Sicredi
 
| Domain | Institution |
|--------|-------------|
| `sicredi.com.br` | Sicredi |
 
## Group 7 — Banco do Nordeste
 
| Domain | Institution |
|--------|-------------|
| `nel.bnb.gov.br` | Banco do Nordeste do Brasil |
 
## Group 8 — Mercado Pago
 
| Domain | Institution |
|--------|-------------|
| `mercadopago.com.br` | Mercado Pago |
 
## Group 9 — Regional & Digital Banks
 
| Domain | Institution |
|--------|-------------|
| `original.com.br` | Banco Original |
| `banrisul.com.br` | Banrisul |
| `banhara.b.br` | Banhara |
| `bancoamazonia.com.br` | Banco da Amazônia |
| `daycoval.com.br` | Banco Daycoval |
| `mercantildobrasil.com.br` | Banco Mercantil do Brasil |
| `stone.com.br` | Stone Pagamentos |
| `bancopan.com.br` | Banco Pan |
| `unicred.com.br` | Unicred |
| `safra.com.br` | Banco Safra |
| `safraempresas.com.br` | Banco Safra — corporate |
| `ib.brde.com.br` | BRDE — development bank |
| `banese.com.br` | Banese |
| `bancobmg.com.br` | Banco BMG |
| `internetbanking.confesol.com.br` | Confesol — cooperative |
| `tribanco.com.br` | Tribanco |
| `credisisbank.com.br` | Credisis Bank |
| `credisan.com.br` | Credisan |
| `bancobs2.com.br` | Banco BS2 |
| `bancofibra.com.br` | Banco Fibra |
| `uniprimebr.com.br` | Uniprime Brasil |
| `uniprime.com.br` | Uniprime Central |
| `bancotopazio.com.br` | Banco Topázio |
| `btgmais.com` | BTG Pactual — digital |
| `citidirect.com` | Citi Direct (Citibank) |
| `banestes.b.br` | Banestes |
| `zeitbank.com.br` | Zeitbank |
| `sofisa.com.br` | Banco Sofisa |
| `sofisadireto.com.br` | Sofisa Direto — digital |
| `banestes.com.br` | Banestes — alternate |
| `wwws.uniprimedobrasil.com.br` | Uniprime do Brasil |
| `rendimento.com.br` | Banco Rendimento |
| `contaonline.viacredi.coop.br` | Viacredi — cooperative |
| `brbbanknet.brb.com.br` | BRB — Banco de Brasília |
| `artta.com.br` | Artta |
| `pagbank.com.br` | PagBank / PagSeguro |
 
## Group 10 — Sicoob System
 
| Domain | Institution |
|--------|-------------|
| `sicoobexecutivo.com.br` | Sicoob Executivo portal |
| `sicoobnet.com.br` | Sicoob Net banking |
| `sicoob.com.br` | Sicoob — main portal |

So this is just a heads-up for our Brazilian friends who are into crypto: you have been targeted again by these bad actors. You need to be very careful not to click on anything, and verify that you are on a legitimate banking website before downloading anything, especially on WhatsApp and Outlook.

And if you receive emails from an unknown source, don't download or install anything from them. You can read the details of this attack below.


https://www.elastic.co/security-labs/tclbanker-brazilian-banking-trojan
https://gist.github.com/jiayuchann/e298effb68bd472c9e577a630d0ceb20
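Added example, not code from the post, from Elastic Security Labs, or from the trojan itself: the 59 monitored domains quoted above turned into a hunting watchlist. TCLBANKER only opens its WebSocket C2 session once the browser lands on one of these sites, so the first triage question after an infection is "which machines visited a monitored domain?". The matcher is label-aligned (`notbb.com.br` must not match `bb.com.br`) and prefers the most specific entry (`loginx.caixa.gov.br` over `caixa.gov.br`). The proxy log format and every log line below are constructed for the demo; adapt `scan_proxy_log` to your own field order.

```python
"""Flag proxy-log visits to the 59 domains TCLBANKER monitors (added example)."""
from __future__ import annotations

from urllib.parse import urlsplit

# The 59 monitored domains as listed in the post, grouped the same way.
TCLBANKER_WATCHLIST = frozenset("""
bancobrasil.com.br bb.com.br
caixa.gov.br gerenciador.caixa.gov.br loginx.caixa.gov.br
banco.bradesco bradesco.com.br cidadetran.bradesco ne12.bradesconetempresa.b.br
binance.com mercadobitcoin.com.br bitcointrade.com.br foxbit.com.br blockchain.com
pf.santandernet.com.br pj.santandernetibe.com.br
itau.com.br sicredi.com.br nel.bnb.gov.br mercadopago.com.br
original.com.br banrisul.com.br banhara.b.br bancoamazonia.com.br daycoval.com.br
mercantildobrasil.com.br stone.com.br bancopan.com.br unicred.com.br safra.com.br
safraempresas.com.br ib.brde.com.br banese.com.br bancobmg.com.br
internetbanking.confesol.com.br tribanco.com.br credisisbank.com.br credisan.com.br
bancobs2.com.br bancofibra.com.br uniprimebr.com.br uniprime.com.br bancotopazio.com.br
btgmais.com citidirect.com banestes.b.br zeitbank.com.br sofisa.com.br
sofisadireto.com.br banestes.com.br wwws.uniprimedobrasil.com.br rendimento.com.br
contaonline.viacredi.coop.br brbbanknet.brb.com.br artta.com.br pagbank.com.br
sicoobexecutivo.com.br sicoobnet.com.br sicoob.com.br
""".split())


def normalize_host(host: str) -> str:
    """Lower-case, drop a trailing dot and any :port so comparison is exact."""
    host = host.strip().lower().rstrip(".")
    if host.startswith("["):          # bracketed IPv6 literal; never on the list
        return host
    return host.split(":", 1)[0]


def matched_domain(host: str, watchlist=TCLBANKER_WATCHLIST) -> str | None:
    """Return the watchlist entry that `host` equals or is a subdomain of.

    Walks the label suffixes from longest to shortest, so the most specific
    entry wins and partial-label matches (notbb.com.br vs bb.com.br) cannot
    happen. Returns None when nothing matches.
    """
    labels = normalize_host(host).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in watchlist:
            return candidate
    return None


# Constructed sample log: "<timestamp> <client_ip> <method> <target> <status>".
SAMPLE_PROXY_LOG = """\
2026-05-09T10:12:33Z 10.0.0.21 GET https://internetbanking.caixa.gov.br/SIIBC/index.processa 200
2026-05-09T10:12:40Z 10.0.0.21 GET https://www.google.com/search?q=caixa 200
2026-05-09T10:13:02Z 10.0.0.34 GET https://notbb.com.br/ 200
2026-05-09T10:13:09Z 10.0.0.34 GET https://www.binance.com:443/en/trade/BTC_BRL 200
2026-05-09T10:14:55Z 10.0.0.57 CONNECT loginx.caixa.gov.br:443 200
2026-05-09T10:15:10Z 10.0.0.57 GET https://wwws.uniprimedobrasil.com.br./ 200
""".splitlines()


def scan_proxy_log(lines) -> list[dict]:
    """Return one record per log line whose target host is on the watchlist."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue                      # malformed line, skip rather than crash
        ts, client, _method, target = parts[:4]
        # CONNECT targets are bare host:port; GET targets are full URLs.
        host = urlsplit(target).hostname if "://" in target else target
        if not host:
            continue
        entry = matched_domain(host)
        if entry:
            hits.append({"ts": ts, "client": client,
                         "host": normalize_host(host), "watchlist_entry": entry})
    return hits


def affected_clients(lines) -> list[str]:
    """Sorted client IPs that touched any monitored domain (hunt these first)."""
    return sorted({h["client"] for h in scan_proxy_log(lines)})


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(hit)
    print("clients to hunt:", affected_clients(SAMPLE_PROXY_LOG))
```

A visit to a monitored domain is of course normal behaviour for a Brazilian bank customer; the point of the list is scoping, not alerting. Pair it with endpoint telemetry (an unexpected WebSocket connection opened by the loader process right after one of these visits) before treating a host as infected.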
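Added example, not TCLBANKER's actual scheme and not code from Elastic or the trojan: the post only says the loader uses environment-gated payload decryption and that a wrong environment (a sandbox) fails silently. The sketch below assumes the key is derived from two values sandboxes commonly get wrong, the system UI language and the keyboard layout; the real loader's inputs and cipher are not stated on the page. It uses a toy stdlib cipher (SHAKE-256 keystream plus an HMAC tag) so the "silent failure" is a tag mismatch that returns `None` with no exception for a sandbox hook to catch. The second half shows the analyst's answer: once the derivation function and salt are lifted from the loader, the input space is small enough to brute-force, which is exactly why the loader also ships the watchdog that fights debugging. Salt, nonce and payload are constructed for the demo.

```python
"""Environment-gated payload decryption and analyst-side recovery (added example)."""
from __future__ import annotations

import hashlib
import hmac
import itertools

# Constructed demo values; a real loader would embed its own.
DEMO_SALT = b"tclbanker-demo-salt"
DEMO_NONCE = bytes(range(16))
DEMO_PAYLOAD = b"MZ\x90\x00" + b"demo-stage-2-payload"   # stand-in for the real stage


def derive_key(ui_language: str, keyboard_layout: str, salt: bytes) -> bytes:
    """Key = SHA-256(salt || environment fingerprint). There is no error path:
    a wrong environment just produces a different key, never an exception."""
    fingerprint = f"{ui_language.lower()}|{keyboard_layout.lower()}".encode()
    return hashlib.sha256(salt + fingerprint).digest()


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    return hashlib.shake_256(key + nonce).digest(n)


def seal(plaintext: bytes, key: bytes, nonce: bytes) -> bytes:
    """Blob layout: nonce (16) | ciphertext | HMAC-SHA256 tag (32)."""
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, "sha256").digest()
    return nonce + ct + tag


def open_gated(blob: bytes, key: bytes) -> bytes | None:
    """Return the payload, or None when the key (i.e. the environment) is wrong.
    Nothing is logged and nothing is raised: the loader just falls through."""
    if len(blob) < 16 + 32:
        return None
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, "sha256").digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def build_sample_blob() -> bytes:
    """Payload sealed for a Brazilian victim environment (pt-BR UI, ABNT2 keyboard)."""
    return seal(DEMO_PAYLOAD, derive_key("pt-BR", "ABNT2", DEMO_SALT), DEMO_NONCE)


def sandbox_attempt(blob: bytes) -> bytes | None:
    """What a default English sandbox sees: the tag check fails, None comes back,
    and the sample looks inert."""
    return open_gated(blob, derive_key("en-US", "US", DEMO_SALT))


# Analyst side: with derive_key and the salt recovered from the loader, try the
# handful of plausible environment values instead of rebuilding a VM per guess.
CANDIDATE_LANGS = ("en-US", "pt-BR", "pt-PT", "es-ES")
CANDIDATE_LAYOUTS = ("US", "ABNT2", "UK")


def analyst_recover(blob: bytes, salt: bytes,
                    langs=CANDIDATE_LANGS, layouts=CANDIDATE_LAYOUTS):
    """Brute-force the environment fingerprint; returns ((lang, layout), payload)
    or (None, None) if no candidate unlocks the blob."""
    for lang, layout in itertools.product(langs, layouts):
        payload = open_gated(blob, derive_key(lang, layout, salt))
        if payload is not None:
            return (lang, layout), payload
    return None, None


if __name__ == "__main__":
    blob = build_sample_blob()
    print("sandbox got:", sandbox_attempt(blob))           # None, silently
    env, payload = analyst_recover(blob, DEMO_SALT)
    print("recovered env:", env, "payload:", payload)
```

The practical takeaway for a sandbox is to run Brazilian-targeted samples with a pt-BR locale and ABNT2 layout, and for a reverser to pull the fingerprint inputs out of the loader statically rather than trusting a detonation that "did nothing".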