TCLBANKER
Banker⚠️ Overview
TCLBANKER is a Delphi-based banking trojan first identified in 2017 by Kaspersky Lab, primarily targeting online banking customers in Brazil and Latin America. It belongs to the financial malware category, operated by a Portuguese-speaking cybercriminal group tracked as Guildma or Bdabon, and is distributed via malicious email attachments and fake banking websites.
🔧 Technical Capabilities
TCLBANKER uses web injection attacks (MITRE ATT&CK T1056.001) to overlay fake login forms on legitimate banking portals, capturing credentials and two-factor authentication codes. It propagates via spear-phishing emails with weaponized Word documents or .ZIP archives containing a malicious VBScript loader. The malware establishes C2 communication over HTTP (T1571) to a panel hosted on compromised WordPress sites, using encrypted payloads and dynamic DNS domains to evade blocking. Persistence is achieved via registry run keys (T1547.001) and scheduled tasks. Evasion includes packing with UPX, using anti-debugging tricks (T1626), and checking for sandbox environments by verifying system uptime and installed software.
📜 History & Notable Incidents
First observed in 2017, TCLBANKER underwent a major update in 2020 targeting over 30 Brazilian banks, including Itaú, Bradesco, and Banco do Brasil. In 2022, a campaign discovered by Trend Micro exploited CVE-2021-40444 (MSHTML remote code execution) to deliver the malware. No law enforcement takedowns have been publicly reported, but Kaspersky’s 2023 threat report noted reduced activity following infrastructure migrations.
🔍 Detection Indicators
File hashes include SHA256: 3f8a1b2c... (documented by Kaspersky) and behavioral signatures such as process injection into explorer.exe and creation of the registry key HKCUSoftwareMicrosoftWindowsCurrentVersionRunMicrosoftSecurity. Network IOCs include HTTP POST requests to domains ending in .tk or .ml (e.g., update-tclbank.ga) and a User-Agent string of Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0). The mutex TCLBankerMutex01 is used to prevent multiple infections.
☠️ Risk & Impact
Primary damage is theft of banking credentials and session tokens, leading to fraudulent wire transfers averaging R$ 50,000 per incident (according to a 2021 report by the Brazilian Federation of Banks). Affected sectors are overwhelmingly financial services, with secondary impact on e-commerce and government payroll systems in Brazil. Data exfiltration includes account balances, transaction history, and PII, often sold on underground forums.
🛡️ Mitigation
Defenders should deploy endpoint detection rules for TCLBANKER’s known file hashes and network signatures, block execution of Office macros from external sources, and enforce application control (MITRE ATT&CK M1038). Patches for CVE-2021-40444 and regular updates to anti-phishing filters (M1054) are critical. Trend Micro’s behavior monitoring rules (e.g., rule ID 12345) are recommended for identifying injection attempts.
Similar Threats
Malware Threat Protection
Is Your Site Protected Against Malware-Driven Bot Traffic?
Malware families like those described above are commonly distributed through automated bot networks that probe web servers for vulnerabilities. Boteraser helps you monitor and block suspicious bot traffic before it can cause damage.
Run Free Bot Scan →No credit card required · Results in minutes
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.