Back to Intelligence

TCLBANKER & SORVEPOTEL Worm: Detection and Hardening for Brazilian Banking Trojan REF3076

SA
Security Arsenal Team
May 9, 2026
6 min read

Security teams must immediately raise defenses against REF3076 (TCLBANKER), a sophisticated evolution of the Maverick banking trojan family recently documented by Elastic Security Labs. This threat is not merely an incremental update; it represents a significant operational shift due to the integration of SORVEPOTEL, a potent worming mechanism.

TCLBANKER specifically targets 59 distinct banking, fintech, and cryptocurrency platforms, predominantly affecting Brazilian financial institutions and their customers. The inclusion of a self-propagating worm capable of traversing WhatsApp and Outlook clients transforms this from a standard phishing-based trojan into an automated lateral movement threat within corporate environments. Defenders must assume that initial infections will attempt to propagate to internal contact lists, making rapid containment critical.

Technical Analysis

Threat Overview: TCLBANKER is a modular banking trojan designed to harvest credentials and intercept 2FA codes from targeted financial applications. It acts as a major successor to the Maverick malware family, inheriting its core overlay attack capabilities while adding sophisticated propagation logic.

Propagation Mechanism (SORVEPOTEL): The critical differentiator for this campaign is the SORVEPOTEL worm. Unlike traditional banking trojans that rely solely on spear-phishing, TCLBANKER leverages SORVEPOTEL to spread through installed communication software:

  1. WhatsApp: The worm manipulates the desktop client to send malicious messages to the victim's contacts. This bypasses traditional email gateway defenses, as the traffic originates from a trusted, authenticated user session.
  2. Outlook: Similar propagation logic is applied to Microsoft Outlook, allowing the malware to harvest contact lists and distribute itself via email without generating suspicious external login alerts.

Affected Platforms:

  • OS: Windows (implied by Outlook/WhatsApp Desktop targets and malware lineage).
  • Targeted Apps: 59 specific banking, crypto, and fintech applications.

Attack Chain:

  1. Initial Access: Malicious link or attachment delivered via WhatsApp or Outlook (often from a compromised contact).
  2. Execution: User interaction executes the TCLBANKER payload.
  3. Worm Activation: SORVEPOTEL enumerates messaging client databases to propagate further.
  4. Payload Execution: Overlay attacks are launched on specific banking apps to capture credentials as the user types them.

Exploitation Status: Active exploitation has been confirmed in the wild by Elastic Security Labs. There is no CVE for this malware; it is a crimeware solution abusing legitimate application functionality.

Detection & Response

Sigma Rules

The following Sigma rules target the anomalous process behavior associated with data exfiltration from messaging clients and the abuse of Outlook for script execution.

YAML
---
title: Potential Access to WhatsApp Database by Non-WhatsApp Process
id: 89a3c21e-5f4b-4c2a-9b1d-7d8e9f0a1b2c
status: experimental
description: Detects processes accessing the WhatsApp message database (msgstore.db), a common behavior for info-stealers and worms like SORVEPOTEL harvesting contacts.
references:
  - https://attack.mitre.org/techniques/T1005/
author: Security Arsenal
date: 2026/05/12
tags:
  - attack.collection
  - attack.t1005
logsource:
  category: file_access
  product: windows
detection:
  selection:
    TargetFilename|contains: '\\WhatsApp\\msgstore.db'
  filter:
    Image|contains: '\\WhatsApp.exe'
condition: selection and not filter
falsepositives:
  - Backup software accessing WhatsApp files
level: high
---
title: Outlook Spawning PowerShell or CMD
id: 12b4c56d-78e9-4f3a-8b2c-1d3e4f5a6b7c
status: experimental
description: Detects Microsoft Outlook spawning child processes like PowerShell or CMD. This is often used to execute macros or malicious links in banking trojan campaigns.
references:
  - https://attack.mitre.org/techniques/T1566/
author: Security Arsenal
date: 2026/05/12
tags:
  - attack.initial_access
  - attack.t1566.001
logsource:
  category: process_creation
  product: windows
detection:
  selection_parent:
    ParentImage|endswith: '\\OUTLOOK.EXE'
  selection_child:
    Image|endswith:
      - '\\powershell.exe'
      - '\\cmd.exe'
      - '\\wscript.exe'
condition: selection_parent and selection_child
falsepositives:
  - Legitimate administrative automation scripts triggered from Outlook
level: medium

KQL (Microsoft Sentinel / Defender)

This query hunts for suspicious child processes spawned by communication applications (WhatsApp/Outlook), indicative of worm activity or payload execution.

KQL — Microsoft Sentinel / Defender
DeviceProcessEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName in~ (\"WhatsApp.exe\", \"OUTLOOK.EXE\")
| where FileName !in~ (\" WerFault.exe\", \"RuntimeBroker.exe\", \"dllhost.exe\", \"sihost.exe\")
| where ActionType != \"FileIgnored\"
| project Timestamp, DeviceName, AccountName, InitiatingProcessFileName, FileName, FolderPath, ProcessCommandLine, SHA256
| order by Timestamp desc

Velociraptor VQL

This VQL artifact hunts for the presence of TCLBANKER components by checking for unsigned executables in the WhatsApp application directory or common persistence locations associated with the Maverick family lineage.

VQL — Velociraptor
-- Hunt for suspicious executables in WhatsApp directories or AppData
SELECT FullPath, Size, Mtime, Mode
FROM glob(globs=\"C:/Users/*/AppData/Local/WhatsApp/**/*.exe\")
WHERE NOT Name =~ \"WhatsApp.exe\"
   AND NOT Name =~ \"WhatsAppUpdater.exe\"
   AND NOT Signed

UNION ALL

SELECT FullPath, Size, Mtime
FROM glob(globs=\"C:/Users/*/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/*.lnk\")
WHERE Mtime > now() - 7d

Remediation Script (PowerShell)

This script assists in the identification of potential persistence mechanisms often used by banking trojans (Run keys and Scheduled Tasks) located in user directories.

PowerShell
# Investigation Script for Banking Trojan Persistence
# Requires Admin Privileges

Write-Host \"[+] Checking Registry Run Keys for suspicious paths...\" -ForegroundColor Cyan

$PathsToCheck = @(
    \"HKLM:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\",
    \"HKLM:\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\",
    \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\",
    \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\"
)

foreach ($Path in $PathsToCheck) {
    if (Test-Path $Path) {
        Get-Item $Path | ForEach-Object {
            $_.Property | ForEach-Object {
                $Value = (Get-ItemProperty -Path \"$Path\\" -Name $_).$_
                if ($Value -match \"AppData\" -and $Value -match \"\.exe\") {
                    Write-Host \"Suspicious Persistence Found:\" -ForegroundColor Yellow
                    Write-Host \"Key: $Path\\$_\" -ForegroundColor Yellow
                    Write-Host \"Value: $Value\" -ForegroundColor Yellow
                }
            }
        }
    }
}

Write-Host \"[+] Checking for unsigned binaries in User Startup...\" -ForegroundColor Cyan

$StartupPath = \"$env:APPDATA\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\"
if (Test-Path $StartupPath) {
    Get-ChildItem -Path $StartupPath -Filter *.lnk | ForEach-Object {
        $sh = New-Object -ComObject WScript.Shell
        $target = $sh.CreateShortcut($_.FullName).TargetPath
        if ($target -and (Test-Path $target)) {
            $sig = Get-AuthenticodeSignature $target
            if ($sig.Status -ne \"Valid\") {
                Write-Host \"Unsigned shortcut found: $($_.Name) pointing to $target\" -ForegroundColor Red
            }
        }
    }
}

Remediation

  1. Isolate and Reimage: Due to the worming capabilities of SORVEPOTEL and the deep integration with user profiles, infected endpoints should be isolated from the network immediately. The recommended remediation is a complete wipe and reimage of the OS to ensure all worm components are removed.

  2. Block Execution from User Directories: Implement Application Whitelisting (AppLocker or WDAC) policies to prevent the execution of executables from %AppData%, %LocalAppData%, and %Temp%. This is the single most effective control against banking trojans that rely on user-space persistence.

  3. Application Hardening:

    • WhatsApp: Restrict the usage of WhatsApp Desktop to specific personnel groups if not business-critical. Ensure macro and link-clicking protections are enabled.
    • Outlook: Enforce strict marking of external emails. Disable macro execution for users who do not require it for daily tasks.

  4. Network Segmentation: Ensure user workstations do not have unrestricted access to critical financial servers. Banking trojans often attempt lateral movement; network segmentation impedes this.

  5. User Education: Brief users on the specific nature of this threat: receiving suspicious files or links from known contacts via WhatsApp or Outlook. Advise verification through a secondary channel (e.g., a phone call) if a financial link is received unexpectedly.

Related Resources

Security Arsenal Managed SOC Services AlertMonitor Platform Book a SOC Assessment soc-mdr Intel Hub

managed-socmdrsecurity-monitoringthreat-detectionsiemtclbankerref3076banking-trojan

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action