A more flexible development approach is allowing malware developers to offer criminals customised attack packages.
Researchers with security firm Trusteer said that over the last several months, malware writers have begun to adopt an 'a la carte' pricing system in which custom features and behaviours can be bundled into malware attacks.
According to researchers, the pricing options can add or remove hundreds of dollars to the cost of a piece of malware and can allow criminals to create specialised payloads which are highly focused and targeted in nature.
"Criminals are no longer bound by rigid malware configurations designed to conduct specific exploits at specific institutions," Trusteer researchers wrote.
"Criminals can now specify the precise exploit and target institution that they believe will maximise their ability to successfully commit fraud."
According to the researchers, malware writers are offering specialised versions of common infections such as Zeus which harvest user account data. When purchasing the infection, customers are able to request special features such as the ability to harvest one-use passwords to scan for account balance data.
The result, say researchers, is a new class or customised and more affordable malware infections on the market and in the wild.
"This latest development in 'webinject' marketing illustrates how the underground marketplace is following traditional software industry pricing schemes by offering a la carte and complete “suite” pricing options," the researchers said.
"Unfortunately, buying high quality 'webinjects' is getting easier and more affordable, which opens the door for more criminals to get into the business of online banking fraud."
Dr Kuan Hon criticises GDPR consent emails that will only eviscerate marketing databases and 'media misinformation'
Apple squashes Steam Link app on 'business conflicts' grounds
Philip Hammond wants to forget rules that the UK agreed with the EU to ban non-European companies from the satellites
Instapaper to 'go dark' in Europe until it can work out GDPR compliance