Users of online and mobile banking have been warned about a newly discovered form of 'polymorphic' malware that can evade detection in 50 out of the 66 anti-virus security products it was tested with.
Researchers at security company Bromium discovered a technique being used by hackers that they describe as 'polymorphic', in which both the primary and the secondary executables change.
Dubbed Emotet, the banking Trojan is capable of evading detection and landing in inboxes via phishing emails, even when virus scanning is active.
Matt Rowen, a software engineer at Bromium, says this indicates that hackers are getting more creative - and devious.
"Historically, malware writers simply change the packaging or wrapper when they distribute malware.
"For instance, it might be a PDF or Word document, but the dropped malicious file inside could be weeks old and, as such, known to AV. Now we see the secondary executable is changing as well, so the malware is not recognized by AV.
"Worryingly, this shows that malware writers are really improving the standard of their engineering - that spells trouble for AV vendors, who will be forced into a whack-a-mole situation they can never win."
Fraser Kyne, chief technology officer for Bromium EMEA, warns that having perfected this technique, the hackers could inspire copycats, which could, in turn, lead to implementations in other places, such as ransomware and cryptolockers.
Kyne argues that virtualisation is the best form of defence because it stops nasties getting through to the host machine. However, the people most likely to fall for a phishing email are the least likely to be running a VM instance (or to even know what one is).
The company examined the Trojan in detail earlier this month.
"Malware authors are rapidly rewrapping their packed executables and the documents used to distribute them," the company wrote in a blog posting.
It continued: "Based on feedback and further monitoring, we investigated the polymorphic dropped executables in more detail. The results are quite interesting; the samples don't just feature trivial changes or the addition of random data.
"Rather, the sample appears like completely different software in many aspects. This allows the samples to avoid signature-based anti-virus as well as package detection and static analysis."