TCLBanker Trojan Analysis: Detecting Fake Logitech AI Installer & WhatsApp Worm

Introduction

A sophisticated banking trojan named TCLBanker has been identified in the wild, employing a supply-chain style attack vector by masquerading as legitimate software. The threat actors have weaponized a trojanized MSI installer for the "Logitech AI Prompt Builder" to deliver the payload. Once executed, the malware aggressively targets 59 distinct banking, fintech, and cryptocurrency platforms.

What sets this campaign apart is its worm-like capability: TCLBanker leverages installed instances of WhatsApp and Microsoft Outlook to propagate itself to the victim's contacts, exponentially increasing its infection radius. For defenders, this represents a critical risk as it blends social engineering (fake software) with automated self-spreading mechanisms, bypassing traditional perimeter defenses.

Technical Analysis

Affected Products and Platforms

Malware Name: TCLBanker
Lure/Vector: Trojanned MSI installer named Logitech AI Prompt Builder.msi (or similar variations).
Propagation Mechanisms: WhatsApp Desktop, Microsoft Outlook.
Target Sector: 59 specific Banking, Fintech, and Cryptocurrency platforms.

Attack Chain and Exploitation Status

Initial Access: Victims are socially engineered into downloading and executing the malicious MSI installer, often distributed via phishing campaigns or malicious file-sharing sites.
Execution: The MSI package installs the trojan. Instead of the legitimate Logitech tool, the malware drops a payload (often a DLL or executable) that establishes persistence.
Payload Activation: TCLBanker injects itself into running processes or launches a standalone process to hook into browser traffic (web injection) to capture credentials and 2FA tokens from the targeted financial sites.
Self-Propagation (Worm Behavior): The malware scans for and interacts with WhatsApp.exe and Outlook.exe. It utilizes the API or GUI automation of these applications to send the malicious MSI installer to the victim's contact list, appearing to come from a trusted source.

Exploitation Status

Status: Confirmed Active Exploitation (In-the-wild).
Threat Level: High. The combination of credential theft and automated propagation allows for rapid lateral movement within a social graph rather than a network.

Detection & Response

The following detection rules focus on the specific entry vector (the fake installer) and the suspicious behavior of installers spawning command shells, which is atypical for a legitimate MSI. We also target the propagation attempt by looking for interactions between installers and messaging clients.

SIGMA Rules

YAML

---
title: Suspicious Execution of Logitech AI Prompt Builder Installer
id: 8a4f2c1d-9e3a-4b7c-8f1d-2a3b4c5d6e7f
status: experimental
description: Detects the execution of the trojanized Logitech AI Prompt Builder MSI installer associated with the TCLBanker campaign.
references:
  - https://www.bleepingcomputer.com/news/security/new-tclbanker-malware-self-spreads-over-whatsapp-and-outlook/
author: Security Arsenal
date: 2025/03/14
tags:
  - attack.initial_access
  - attack.t1566.001
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith: '\msiexec.exe'
    CommandLine|contains: 'Logitech AI Prompt Builder'
  condition: selection
falsepositives:
  - Legitimate installation of Logitech AI Prompt Builder (verify source)
level: high
---
title: MSI Installer Spawning Command Shell
id: 9b5g3d2e-0f4b-5c8d-9e2f-3b4c5d6e7f8a
status: experimental
description: Detects suspicious behavior where an MSI installer (msiexec) spawns a command prompt or PowerShell, often indicative of malicious scripts in custom actions.
references:
  - https://attack.mitre.org/techniques/T1059/
author: Security Arsenal
date: 2025/03/14
tags:
  - attack.execution
  - attack.t1059.001
logsource:
  category: process_creation
  product: windows
detection:
  parent:
    Image|endswith: '\msiexec.exe'
  child:
    Image|endswith:
      - '\cmd.exe'
      - '\powershell.exe'
      - '\pwsh.exe'
  condition: parent and child
falsepositives:
  - Legitimate software installers using custom actions (rare for standard utilities)
level: medium
---
title: Suspicious Installer Accessing WhatsApp or Outlook
id: 1c6h4i3j-1g5h-6j9k-0g3h-4c5d6e7f8a9b
status: experimental
description: Detects potential worm behavior where an installer process attempts to access WhatsApp or Outlook executables or directories.
references:
  - https://www.bleepingcomputer.com/news/security/new-tclbanker-malware-self-spreads-over-whatsapp-and-outlook/
author: Security Arsenal
date: 2025/03/14
tags:
  - attack.lateral_movement
  - attack.t1566.002
logsource:
  category: file_access
  product: windows
detection:
  selection:
    Image|endswith:
      - '\msiexec.exe'
      - '\msiinst.exe'
    TargetFilename|contains:
      - '\WhatsApp\'
      - '\Office\'
      - '\Outlook.exe'
      - '\WhatsApp.exe'
  condition: selection
falsepositives:
  - Legitimate installers integrating with office plugins (rare)
level: high

KQL (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender

// Hunt for execution of the fake Logitech AI installer
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName =~ "msiexec.exe"
| where ProcessCommandLine has "Logitech AI Prompt Builder"
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName
| extend AlertDetail = "Execution of suspicious Logitech AI installer detected"

// Hunt for MSI installers spawning shells (T1059)
DeviceProcessEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName =~ "msiexec.exe"
| where FileName in ("cmd.exe", "powershell.exe", "pwsh.exe")
| project Timestamp, DeviceName, AccountName, InitiatingProcessCommandLine, ProcessCommandLine
| extend AlertDetail = "MSI installer spawned a shell process"

Velociraptor VQL

VQL — Velociraptor

-- Hunt for the presence of the trojanized Logitech AI Prompt Builder installer
SELECT FullPath, Mtime, Size, Mode
FROM glob(globs="C:/Users/*/Downloads/*Logitech*AI*.msi")

-- Hunt for MSI processes spawning suspicious children
SELECT Parent.Name AS ParentName, Child.Name AS ChildName, Child.CommandLine, Child.Pid
FROM pslist()
LEFT JOIN pslist() AS Child ON Child.Ppid = Parent.Pid
WHERE Parent.Name =~ "msiexec.exe"
  AND Child.Name IN ("cmd.exe", "powershell.exe", "pwsh.exe")

Remediation Script (PowerShell)

PowerShell

<#
.SYNOPSIS
    Remediation script for TCLBanker trojan artifacts.
.DESCRIPTION
    Searches for and removes the trojanized Logitech AI Prompt Builder MSI 
    and kills any suspicious processes spawned by MSI installers.
#>

Write-Host "[*] Starting TCLBanker Remediation Script..." -ForegroundColor Cyan

# 1. Remove the malicious MSI installer from common download locations
$paths = @("$env:USERPROFILE\Downloads", "$env:PUBLIC\Downloads")
$maliciousFiles = Get-ChildItem -Path $paths -Filter "*Logitech*AI*.msi" -ErrorAction SilentlyContinue

if ($maliciousFiles) {
    foreach ($file in $maliciousFiles) {
        Write-Host "[!] Found suspicious file: $($file.FullName)" -ForegroundColor Yellow
        Remove-Item -Path $file.FullName -Force
        Write-Host "[+] Removed: $($file.FullName)" -ForegroundColor Green
    }
} else {
    Write-Host "[*] No suspicious MSI files found in standard download paths." -ForegroundColor Gray
}

# 2. Check for persistence (Example: Run Keys - adjust based on specific IOC analysis)
# Note: Specific persistence mechanisms for TCLBanker may vary; this is a precautionary check.
$runKeys = @(
    "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run",
    "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run"
)

Write-Host "[*] Checking registry for suspicious persistence..." -ForegroundColor Cyan
foreach ($key in $runKeys) {
    if (Test-Path $key) {
        Get-Item -Path $key | ForEach-Object {
            $_.GetValueNames() | ForEach-Object {
                $value = $_.GetValue($_)
                if ($value -match "Logitech" -and $value -match ".exe") {
                    Write-Host "[!] Suspicious Run Key found: $key\$_ : $value" -ForegroundColor Yellow
                    # Remove-ItemProperty -Path $key -Name $_ -Force # Uncomment to execute removal
                }
            }
        }
    }
}

Write-Host "[*] Remediation complete. Please run a full AV scan." -ForegroundColor Cyan

Remediation

Identify and Isolate Infected Hosts: Use the detection queries above to identify machines that have executed the fake Logitech AI Prompt Builder.msi or exhibited MSI-to-Shell spawning behavior.
Remove Malicious Artifacts:
- Delete the trojanized MSI installer from user download folders and temporary directories.
- terminate malicious processes. The process name may vary, but often impersonates legitimate system tools.
User Education and Communication:
- Immediately notify users of the campaign. Explicitly warn them not to install "Logitech AI Prompt Builder" unless sourced directly from the official Logitech website (and verify if this specific tool is actually offered by Logitech currently, as many lures use non-existent product names).
- Warn users to be suspicious of unexpected files sent via WhatsApp or Outlook, even from known contacts.
Application Whitelisting:
- Implement strict AppLocker or WDAC policies to prevent the execution of unsigned MSIs or MSIs originating from the Internet/Downloads zone.
- Block msiexec.exe from spawning cmd.exe or powershell.exe unless explicitly required by trusted installers.
Vendor Advisory:
- Monitor official Logitech channels for any statements regarding this campaign. Currently, this is a case of identity theft (brand impersonation) rather than a compromise of Logitech's infrastructure.

Related Resources

Security Arsenal Penetration Testing Services AlertMonitor Platform Book a SOC Assessment vulnerability-management Intel Hub