
"The observed infection chain bundles a malicious MSI installer inside a ZIP file. These MSI installer packages are abusing a signed Logitech program called Logi AI Prompt Builder."
"The malware leverages DLL side-loading against the application to launch a malicious DLL ("screen_retriever_plugin.dll"), which functions as a loader with a "comprehensive watchdog subsystem" that continuously keeps an eye out for analysis tools, sandboxes, debuggers, disassemblers, instrumentation tools, and antivirus software to sidestep detection."
"Specifically, the malicious DLL will only execute if it was loaded by either "logiaipromptbuilder.exe" (the Logitech program) or "tclloader.exe" (likely a reference to an executable used during testing). It also removes any usermode hooks placed by endpoint security software within "ntdll.dll" by replacing the library and disables Event Tracing for Windows (ETW) telemetry."
"What's more, the malware generates three fingerprints based on anti-debugging and anti-virtualization checks, system disk information checks, and language checks, using them to"
TCLBANKER is a Brazilian banking trojan targeting 59 banking, fintech, and cryptocurrency platforms. The activity is tracked as REF3076, and the malware is assessed to be a major update of Maverick, which spreads to a victim's contacts through a worm component that abuses WhatsApp Web. The infection chain starts with a ZIP archive containing a malicious MSI installer that abuses a signed Logitech program, Logi AI Prompt Builder. DLL side-loading against that application launches a malicious loader, screen_retriever_plugin.dll, whose watchdog subsystem continuously checks for analysis tools, sandboxes, debuggers, disassemblers, instrumentation tools, and antivirus software. The DLL runs only when loaded by logiaipromptbuilder.exe or tclloader.exe, strips usermode hooks placed in ntdll.dll by endpoint security software (by replacing the library), and disables ETW telemetry. It also generates three fingerprints from anti-debugging and anti-virtualization checks, disk information checks, and language checks.
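Detection logic for the side-loading step described above, added here as an example and not code from the article or the researchers it cites. It scans image-load records modelled on Sysmon Event ID 7 fields (Image, ImageLoaded, Signed) and flags either the exact host/DLL pair the report names or, more generally, any signed host process that loads an unsigned DLL sitting in its own directory outside the Windows system directories. The sample events, the install path under Temp, and the dataclass field names are constructed for this example.

```python
"""Flag candidate DLL side-loading in image-load telemetry (added example)."""
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import List, Optional

# Indicators quoted in the report: the abused signed host binaries and the
# side-loaded loader DLL. Compared case-insensitively on the file name only.
KNOWN_HOSTS = {"logiaipromptbuilder.exe", "tclloader.exe"}
KNOWN_DLLS = {"screen_retriever_plugin.dll"}

# Directories where loads of OS DLLs are routine and carry no side-loading signal.
SYSTEM_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64", "c:\\windows\\winsxs")


@dataclass
class ImageLoad:
    """One image-load record (fields modelled on Sysmon Event ID 7; constructed)."""
    image: str          # path of the process that loaded the DLL
    image_loaded: str   # path of the DLL that was loaded
    signed: bool        # DLL carries a valid Authenticode signature
    host_signed: bool   # the host process binary is signed


@dataclass
class Finding:
    reason: str
    image: str
    image_loaded: str


def _is_system_path(path: str) -> bool:
    return path.lower().startswith(SYSTEM_DIRS)


def classify(event: ImageLoad) -> Optional[Finding]:
    """Return a Finding for a suspicious load, or None for a benign one."""
    host = PureWindowsPath(event.image)
    dll = PureWindowsPath(event.image_loaded)
    host_name, dll_name = host.name.lower(), dll.name.lower()

    # 1. Exact match on the host/DLL pair the report associates with TCLBANKER.
    if host_name in KNOWN_HOSTS and dll_name in KNOWN_DLLS:
        return Finding("known TCLBANKER side-loading pair", event.image, event.image_loaded)

    # 2. Generic heuristic: a signed host loads an unsigned DLL that is
    #    co-located with the host and not in a Windows system directory.
    same_dir = str(host.parent).lower() == str(dll.parent).lower()
    if (event.host_signed and not event.signed and same_dir
            and not _is_system_path(event.image_loaded)):
        return Finding("signed host loaded unsigned co-located DLL",
                       event.image, event.image_loaded)
    return None


def scan(events: List[ImageLoad]) -> List[Finding]:
    """Run classify() over a batch of records and keep only the hits."""
    return [f for f in (classify(e) for e in events) if f is not None]


# Constructed sample telemetry: one known pair, one generic hit, three benign loads.
SAMPLE_EVENTS = [
    ImageLoad(r"C:\Users\alice\AppData\Local\Temp\LogiPrompt\logiaipromptbuilder.exe",
              r"C:\Users\alice\AppData\Local\Temp\LogiPrompt\screen_retriever_plugin.dll",
              signed=False, host_signed=True),
    ImageLoad(r"C:\Program Files\ExampleApp\app.exe",
              r"C:\Program Files\ExampleApp\helper.dll",
              signed=False, host_signed=True),
    ImageLoad(r"C:\Windows\System32\svchost.exe",
              r"C:\Windows\System32\ntdll.dll",
              signed=True, host_signed=True),
    ImageLoad(r"C:\Program Files\ExampleApp\app.exe",
              r"C:\Windows\System32\kernel32.dll",
              signed=True, host_signed=True),
    ImageLoad(r"C:\Tools\unsigned_tool.exe",
              r"C:\Tools\unsigned_plugin.dll",
              signed=False, host_signed=False),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"{finding.reason}: {finding.image} -> {finding.image_loaded}")
```

The generic rule is a triage signal rather than a verdict: legitimate applications do ship unsigned plugins next to a signed executable, so in practice it is paired with the host's signer name and the DLL's hash or prevalence before it pages anyone. The exact-pair rule, by contrast, is specific enough to alert on directly.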
#brazilian-banking-trojan #anti-analysis-and-evasion #dll-side-loading #whatsapp-web-worm-propagation #etw-and-ntdll-tampering
Read at The Hacker News