Hunting REF3076: Technical Breakdown of TCLBANKER's WhatsApp/Outlook Vectors
Has anyone had a chance to analyze the latest Elastic Security Labs report on REF3076 (TCLBANKER)? It looks like a significant evolution of the old Maverick banking trojan, specifically introducing a worm component dubbed SORVEPOTEL.
What stands out to me is the propagation method. It's abusing legitimate applications like WhatsApp and Microsoft Outlook to spread, making network segmentation tricky. The target list is massive—59 different financial and crypto platforms.
For detection, I'm focusing on the worm behavior. Since it leverages Outlook for distribution, we should be monitoring for suspicious process trees involving Outlook spawning child processes that write to unusual directories.
Here's a KQL query I'm testing in Sentinel to catch this behavior:
DeviceProcessEvents
| where InitiatingProcessFileName =~ "outlook.exe"
| where FileName in~ ("cmd.exe", "powershell.exe", "wscript.exe")
| where ProcessCommandLine contains ".lnk" or ProcessCommandLine contains ".zip"
| project DeviceName, Timestamp, AccountName, ProcessCommandLine, FolderPath
On the endpoint side, the malware often establishes persistence via Registry Run keys. You can audit your fleet with this quick PowerShell snippet:
# The Run key holds values, not subkeys, so enumerate its value names directly and flag any that are a bare 32-character hex string
Get-Item -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run", "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run" -ErrorAction SilentlyContinue |
ForEach-Object { $key = $_; $key.GetValueNames() | Where-Object { $_ -match '^[a-f0-9]{32}$' } |
ForEach-Object { [PSCustomObject]@{ Key = $key.Name; ValueName = $_; Command = $key.GetValue($_) } } }
The Brazilian banking trojan families are notoriously resilient. How are you guys handling the social engineering vector given it spreads via WhatsApp? Are you blocking desktop messaging apps entirely, or relying on endpoint detection?
Great breakdown. We've blocked WhatsApp Desktop on all corporate endpoints since late 2025. The risk of worms like SORVEPOTEL using trusted contacts is too high. For Outlook, we implemented strict mail flow rules to strip executable archives. It's a bit heavy-handed, but given the payload targets 50+ banks, we can't afford a breach.
The PowerShell snippet is useful, but I'd add checking for scheduled tasks too. Brazilian trojans love creating hidden tasks. Here is a modified check for Task Scheduler:
# Get-ScheduledTaskInfo does not expose Author, so take Author and the action from the task object and only LastRunTime from the info object; built-in Microsoft tasks live under \Microsoft\ in TaskPath
Get-ScheduledTask | Where-Object { $_.State -eq 'Ready' -and $_.TaskPath -notmatch '^\\Microsoft\\' } |
ForEach-Object { $info = $_ | Get-ScheduledTaskInfo
    [PSCustomObject]@{ TaskName = $_.TaskName; TaskPath = $_.TaskPath; Author = $_.Author; LastRunTime = $info.LastRunTime; Action = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; ' } }
Also, check for signed binaries with invalid certificates in the AppData folder.
From a pentest perspective, the worm module is clever. It injects into legitimate processes so AV might whitelist it if not configured correctly. User education is key here—training users not to click 'Update' links sent via WhatsApp, even from 'friends'. The trust factor is the biggest vulnerability here.
The user education point is valid, but automated detection is faster. Since SORVEPOTEL abuses Outlook to spread, monitoring for parent-child process anomalies is crucial. Specifically, outlook.exe spawning PowerShell or cmd is a huge red flag. If you're using Sentinel, this KQL query helps catch the initial execution vector:
DeviceProcessEvents
| where InitiatingProcessFileName =~ "OUTLOOK.EXE"
| where FileName in~ ("powershell.exe", "cmd.exe")
| project Timestamp, DeviceName, FileName, ProcessCommandLine
Building on Pete's point regarding parent-child anomalies, I've found success hunting for outlook.exe spawning powershell.exe or mshta.exe. That's a rare, almost malicious behavior in corporate environments.
Here is a quick KQL query for Sysmon or Defender Advanced Hunting:
DeviceProcessEvents
| where InitiatingProcessFileName =~ "outlook.exe"
| where FileName in~ ("powershell.exe", "cmd.exe", "mshta.exe")
| project Timestamp, DeviceName, FileName, ProcessCommandLine
Has anyone seen SORVEPOTEL using persistence via Registry Run keys rather than scheduled tasks?
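To try the parent/child rules from this thread outside Sentinel, here is an added example (not code from any poster or from the Elastic report) that replays them over a constructed batch of DeviceProcessEvents-style records; the device names and command lines are made up for the test.

```python
"""Replay the thread's Outlook parent/child detection over constructed events."""
import re

# Constructed sample records in DeviceProcessEvents column naming (not real telemetry).
SAMPLE_EVENTS = [
    {"DeviceName": "ws01", "InitiatingProcessFileName": "outlook.exe",
     "FileName": "powershell.exe",
     "ProcessCommandLine": "powershell.exe -w hidden -f C:\\Users\\u\\AppData\\Local\\Temp\\invoice.zip\\run.ps1"},
    {"DeviceName": "ws02", "InitiatingProcessFileName": "OUTLOOK.EXE",
     "FileName": "mshta.exe", "ProcessCommandLine": "mshta.exe http://example.invalid/a.hta"},
    {"DeviceName": "ws03", "InitiatingProcessFileName": "explorer.exe",
     "FileName": "cmd.exe", "ProcessCommandLine": "cmd.exe /c dir"},
    {"DeviceName": "ws04", "InitiatingProcessFileName": "outlook.exe",
     "FileName": "WerFault.exe", "ProcessCommandLine": "WerFault.exe -u -p 4242"},
]

# Union of the child processes the posters above are watching for.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe", "mshta.exe"}
# The OP's extra signal: the command line references a shortcut or archive.
ARCHIVE_OR_SHORTCUT = re.compile(r"\.(lnk|zip)\b", re.IGNORECASE)


def detect_outlook_children(events):
    """Return one alert per event where Outlook spawned a scripting host.

    Comparisons are case-insensitive, matching KQL's =~ / in~ rather than ==,
    which is why the mixed-case "OUTLOOK.EXE" record still matches.
    """
    alerts = []
    for ev in events:
        parent = ev.get("InitiatingProcessFileName", "").lower()
        child = ev.get("FileName", "").lower()
        if parent != "outlook.exe" or child not in SUSPICIOUS_CHILDREN:
            continue
        cmdline = ev.get("ProcessCommandLine", "")
        alerts.append({
            "DeviceName": ev["DeviceName"],
            "Child": child,
            # Raise severity when the command line points at an archive or shortcut.
            "Severity": "high" if ARCHIVE_OR_SHORTCUT.search(cmdline) else "medium",
            "ProcessCommandLine": cmdline,
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_outlook_children(SAMPLE_EVENTS):
        print(alert)
```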
Excellent points on process anomalies. To add another layer of defense, hunting for the specific mutex and configuration strings used by the worm is effective. Since SORVEPOTEL injects into memory, a YARA rule scanning running process memory can catch it even if the file on disk is obfuscated.
rule REF3076_Worm_Indicators
{
    strings:
        $m1 = "Global\\TCL_WORM_MUTEX" nocase   // backslash must be escaped in a YARA text string
        $s1 = "SORVEPOTEL" wide
    condition:
        2 of them
}