THREAT OPS › Threat News › TCLBANKER: Brazilian Banking Trojan Spreading via WhatsApp and Outlook
TCLBANKER: Brazilian Banking Trojan Spreading via WhatsApp and Outlook
<p>Elastic Security Labs identified a new Brazilian banking trojan that we are tracking as TCLBANKER, a malware family we assess is a major update of the <a href="https://securelist.com/maverick-banker-distributing-via-whatsapp/117715/">MAVERICK</a>/<a href="https://www.trendmicro.com/en_us/research/25/j/self-propagating-malware-spreads-via-whatsapp.html">SORVEPOTEL</a> family. The campaign, track
Attributed threat actors
- Earth LuscaG1006
- BRONZE BUTLERG0060
MITRE ATT&CK techniques
- Scheduled TaskT1053.005
- Screen CaptureT1113
- ServerlessT1583.007
- Embedded PayloadsT1027.009
- JavaScriptT1059.007
- Email CollectionT1114
- Local Email CollectionT1114.001
- System ChecksT1497.001
- Spearphishing AttachmentT1566.001
- Clipboard DataT1115
- System Information DiscoveryT1082
- Application Layer ProtocolT1071
- Scheduled Task/JobT1053
- Native APIT1106
- Deobfuscate/Decode Files or InformationT1140
- Social EngineeringT1684
- Process InjectionT1055
- System Binary Proxy ExecutionT1218
- Application Window DiscoveryT1010
- Email AccountT1087.003
- Browser Session HijackingT1185
- Web Portal CaptureT1056.003
- Email AddressesT1589.002
- Command and Scripting InterpreterT1059
- Virtualization/Sandbox EvasionT1497
- Web ServiceT1102
- Spearphishing AttachmentT1598.002
- Process DiscoveryT1057
- PowerShellT1059.001
- PhishingT1566
- Hijack Execution FlowT1574
- Obfuscated Files or InformationT1027
- Input CaptureT1056
- CredentialsT1589.001
- System Language DiscoveryT1614.001
- System Location DiscoveryT1614
- Windows Command ShellT1059.003
- Installer PackagesT1546.016
- ServerlessT1584.007
- Web ProtocolsT1071.001
- Debugger EvasionT1622
- Ingress Tool TransferT1105
- CompressionT1027.015
- System Shutdown/RebootT1529
- ServerlessAML.T0008.004
- Command and Scripting InterpreterAML.T0050
- Process DiscoveryAML.T0089
- Virtualization/Sandbox EvasionAML.T0097
Indicators of compromise
- 701d51b7be8b034c860bf97847bd59a87dca8481c4625328813746964995b626sha256
- 8a174aa70a4396547045aef6c69eb0259bae1706880f4375af71085eeb537059sha256
- 668f932433a24bbae89d60b24eee4a24808fc741f62c5a3043bb7c9152342f40sha256
- 63beb7372098c03baab77e0dfc8e5dca5e0a7420f382708a4df79bed2d900394sha256
- 91fafaa1240676afe5c55d931261e3798797c408sha1
- e298effb68bd472c9e577a630d0ceb20md5
- https://www.trendmicro.com/en_us/research/25/j/self-propagating-malware-spreads-via-whatsapp.htmlurl
- https://www.logitech.com/en-us/software/logi-ai-prompt-builderurl
- https://flutter.dev/url
- https://web-assets.esetstatic.com/wls/2020/09/ESET_LATAM_financial_cybercrime.pdfurl
- https://campanha1-api.ef971a42.workers.dev/api/installsurl
- https://stackoverflow.com/questions/5317642/retrieve-current-url-from-c-sharp-windows-forms-application/5318791#5318791url
- https://campanha1-api.ef971a42.workers.dev/api/campaignurl
- https://arquivos-omie.comurl
- https://documents.ef971a42.workers.dev/fileurl
- https://arquivos-omie.com"url
- https://developer.mozilla.org/en-US/docs/Web/API/File/Fileurl
- https://www.trendmicro.com/en_gb/research/25/j/self-propagating-malware-spreads-via-whatsapp.htmlurl
- 191.96.224.96ipv4
- mxtestacionamentos.comdomain
- web.whatsapp.comdomain
- documentos-online.comdomain
- afonsoferragista.comdomain
- doccompartilhe.comdomain
- recebamais.comdomain
- saogeraldoshiping.comdomain