Security vendor Malwarebytes has uncovered a banking Trojan capable of bypassing traditional security by spoofing legitimate digital certificates.
The certificate used by the malware is usually legitimate, but it is now being sent out by a fake company set up to get hold of certificates from DigiCert.
The certificate allows the hacker to sneak a malicious PDF file infected with the Trojan past most computer security systems. Malwarebytes said that the malware had already targeted a slew of high-profile firms.
"The malware is a banking/password stealer using email to spread. It appears to be a PDF invoice with a valid certificate issued to a real Brazilian software company which was issued by SSL certificate authority DigiCert," senior security researcher at Malwarebytes Jerome Segura told V3.
Digital certificates are coded signatures used by companies to guarantee the authenticity of a file they are sending.
The attack bears striking similarities to the Flame and Stuxnet malware. Flame broke new ground in 2012 as the first malware able to mimic a Microsoft update certificate.
"This Trojan is a new breed of intelligent malware, able to fool even the most acclaimed digital certificate authorities. Cyber criminals are finding new and more deceitful ways to disguise malware as trustful programmes in order to attack systems and take your personal identity," said Segura.
Malwarebytes warned that attacks similar to the recently unearthed banking Trojan will grow to be one of the most dangerous cyber threats facing businesses.
"This problem will continue to get worse as it's too easy for anybody who does a bit of research to either impersonate a company or set up a fake website as if it were a company and then buy a certificate," said Segura.
"Once a Trojan like this gets into a business network computer, it will steal business-sensitive data. Businesses' IT departments must ensure they keep up to date with the latest threats in order to make sure commercial information doesn't get into the wrong hands."
Malwarebytes' warning follows a similar statement from technology firm BAE Systems Detica, which claimed enterprises must adapt their cyber strategies to combat the evolving cyber threat facing them.