The Brazilian banking trojan TCLBanker is spreading by hijacking WhatsApp and Outlook accounts to deliver malicious software to unsuspecting users.
This development represents a significant escalation in delivery tactics. By leveraging the trust between established contacts, the malware bypasses traditional security warnings that often flag emails or messages from unknown senders.
According to security reports, the trojan distributes a malicious MSI installer disguised as a "Logitech AI Prompt Builder." Once a user installs the file, the malware gains a foothold on the system. From there, it hijacks the victim's messaging and email accounts to send the same malicious link to their contact lists, creating a self-spreading cycle of infection.
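The propagation pattern described above, one compromised account pushing an identical link to its whole contact list, is something a defender can look for in outbound mail or messaging-gateway logs. The following Python script is an added example, not code from the article or from any vendor report it cites: it flags a sender that delivers the same URL to many distinct recipients inside a short time window. The log format, the field names, the addresses and the URL are all constructed for illustration; the thresholds are assumptions a team would tune to its own traffic.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches http/https links in a message body; good enough for a heuristic.
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

# Constructed sample records (hypothetical, not real traffic): outbound
# messages as a gateway might log them. Fields: timestamp, sender,
# recipient, body. "alice" shows the self-spreading burst, "bob" a normal
# two-recipient share, "carol" a message with no link at all.
SAMPLE_LOG = [
    ("2024-06-01T09:00:05", "alice@example.com", "c1@example.com",
     "Check this out https://files.example.net/prompt-builder.msi"),
    ("2024-06-01T09:00:07", "alice@example.com", "c2@example.com",
     "Check this out https://files.example.net/prompt-builder.msi"),
    ("2024-06-01T09:00:09", "alice@example.com", "c3@example.com",
     "Check this out https://files.example.net/prompt-builder.msi"),
    ("2024-06-01T09:00:12", "alice@example.com", "c4@example.com",
     "Check this out https://files.example.net/prompt-builder.msi"),
    ("2024-06-01T09:00:15", "alice@example.com", "c5@example.com",
     "Check this out https://files.example.net/prompt-builder.msi"),
    ("2024-06-01T09:02:40", "alice@example.com", "c6@example.com",
     "Check this out https://files.example.net/prompt-builder.msi"),
    ("2024-06-01T09:30:00", "bob@example.com", "c7@example.com",
     "Minutes attached https://docs.example.com/minutes.pdf"),
    ("2024-06-01T09:31:00", "bob@example.com", "c8@example.com",
     "Minutes attached https://docs.example.com/minutes.pdf"),
    ("2024-06-01T10:00:00", "carol@example.com", "c9@example.com",
     "Lunch tomorrow?"),
]


def find_self_spreading_senders(records, min_recipients=5,
                                window=timedelta(minutes=15)):
    """Return one alert per (sender, url) pair where the sender reached at
    least `min_recipients` distinct recipients with that URL inside any
    `window`-long span. Thresholds are assumed defaults, not a standard."""
    # (sender, url) -> list of (timestamp, recipient)
    by_sender_url = defaultdict(list)
    for ts, sender, recipient, body in records:
        for url in set(URL_RE.findall(body)):
            by_sender_url[(sender, url)].append(
                (datetime.fromisoformat(ts), recipient))

    alerts = []
    for (sender, url), events in by_sender_url.items():
        events.sort()  # order by timestamp for the sliding window
        best = 0
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it fits within `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = len({r for _, r in events[start:end + 1]})
            best = max(best, distinct)
        if best >= min_recipients:
            alerts.append({
                "sender": sender,
                "url": url,
                "recipients": best,
                "first": events[0][0].isoformat(),
                "last": events[-1][0].isoformat(),
            })
    return alerts


if __name__ == "__main__":
    for alert in find_self_spreading_senders(SAMPLE_LOG):
        print(f"{alert['sender']} sent {alert['url']} to "
              f"{alert['recipients']} contacts between "
              f"{alert['first']} and {alert['last']}")
```

With the default thresholds only the burst from the first sender is reported; the two-recipient share is not. Counting distinct recipients per URL rather than raw message volume keeps ordinary reply threads from tripping the rule, but a legitimate internal announcement can still match, so an alert like this is a lead for review (and a prompt to reset that account's credentials and sessions if confirmed), not an automatic block.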
The primary objective of the attack is the theft of sensitive financial data. The malware specifically targets credentials and private information from users of 59 different banking, fintech, and cryptocurrency platforms [1].
Security researchers said the trojan originates from Brazil, though its ability to utilize global communication platforms like WhatsApp allows it to target users worldwide. The software is designed to monitor user activity and capture login details for the targeted financial services.
Experts said users should be wary of unexpected attachments or software installation prompts, even when they come from known contacts. The use of a reputable brand name like Logitech in the fake installer is a common social engineering tactic used to lower a victim's defenses.
“The trojan self-spreads by hijacking victims' WhatsApp and Outlook accounts.”
The evolution of TCLBanker highlights a shift toward 'trust-based' propagation. By automating the distribution process through a victim's own verified accounts, the attackers neutralize the effectiveness of basic 'stranger danger' security training. This increases the risk for both individual users and corporate networks that rely on the perceived authenticity of internal or known communications to filter threats.