{
	"id": "35fa375a-4460-44c8-b9f6-6c2ce0356547",
	"created_at": "2026-04-06T00:17:49.537174Z",
	"updated_at": "2026-04-10T13:12:50.884701Z",
	"deleted_at": null,
	"sha1_hash": "53c1189b72e92e98b72d972ec7021aada587760b",
	"title": "ScanPOS, new POS malware being distributed by Kronos",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 312012,
	"plain_text": "ScanPOS, new POS malware being distributed by Kronos\r\nPublished: 2016-11-15 · Archived: 2026-04-05 14:53:25 UTC\r\nSummary:\r\nJust in time for the holidays, a brand new Point Of Sale (POS) malware family has been discovered.\r\nBooz Allen responded to a Kronos phishing campaign that involved a document with a malicious macro that\r\ndownloaded the Kronos banking malware. When running, the Kronos payload will download several other pieces\r\nof malware, but the one that caught our eye is a new credit card dumper with very low detection. Booz Allen is\r\ntracking this malware under the name ScanPOS due to the build string present in the malware.\r\nC:\\Users\\example\\documents\\visual studio 2010\\Projects\\scan3\\Release\\scan3.pdb\r\nAt the time of this writing, ScanPOS only scored 1/55 on Virustotal:\r\nScanPOS, while not extraordinarily impressive or unique, is a new family. It performs the same basic tasks that all\r\nother POS malware performs, yet sneaks by almost every developed detection technique. ScanPOS does little in\r\nterms of evading detection, which can help it blend in a production environment. 
When code is heavily packed, it\r\nwill often get picked up by generic heuristics.\r\nPhish\r\nThe Kronos phish that was delivering the malware was a very basic email with the following body:\r\nAn Employee has just been terminated.\r\nName: Tanner Williamson\r\nEmployee profile: EmployeeID-6283.doc\r\nEmplid: 2965385\r\nRcd#: 0\r\nTermination Date: 11/17/2016\r\nRelevant headers are below:\r\nhttps://securitykitten.github.io/2016/11/15/scanpos.html\r\nPage 1 of 7\n\nTIME-STAMP: \"16-11-14_13.44.23\"\r\nCONTENT-DISPOSITION: \"attachment; filename='EmployeeID-6283.doc'\"\r\nX-VIRUS-SCANNED: \"Debian amavisd-new at hosting5.skyinet.pl\"\r\nSubject : An Employee has just been terminated.\r\nFrom: HR \u003cjohns.brueggemann@banctec.com\u003e\r\nMail-From: web1@hosting5.skyinet.pl\r\n1st rec: hosting23.skyinet.pl\r\n2nd rec:hosting23.skyinet.pl\r\nWhen the macro in EmployeeID-6283.doc is enabled, it will download\r\nprofile.excel-sharepoint[.]com/doc/office.exe\r\n(Kronos Payload) and execute it. Kronos will then download and execute ScanPOS from\r\nhttp://networkupdate[.]online/kbps/upload/a8b05325.exe\r\nCredit Card Dumping\r\nOn execution, the malware will grab information about the current process and get the user (calling\r\nGetUserNameA). Privileges are checked to ensure that the malware has the ability to peek into other processes’\r\nmemory space by checking for SeDebugPrivilege (see below).\r\nThe malware will then enter an infinite loop, padded with sleeps, to dump process memory on the box to search\r\nfor credit card track data. 
During this loop, the malware iterates processes using Process32FirstW/Process32Next\r\nfrom a process list obtained via CreateToolhelp32Snapshot.\r\nThe iterator obtains a handle to the process by using OpenProcess, which is then checked against a basic whitelist,\r\nto avoid unnecessary system processes:\r\nIf the name of the process passes a check against the whitelist, the malware will continue to get process memory\r\ninformation by calling VirtualQueryEx and then eventually fall to ReadProcessMemory.\r\nOnce process memory is obtained, the scanning for credit card track data can begin. The main logic behind this is\r\nin function 0x4026C0.\r\nThe logic starts with basic sentinel checks and a starting number of 3, 4, 5 or 6.\r\nThe malware will use a custom search routine (rather than regex) to find potential numbers.\r\nAfter the malware does several checks for credit card information, it will pass the potential candidate to Luhn’s\r\nalgorithm for basic validation.\r\nWhen it finds a potential candidate that passes Luhn’s, it will continue searching for numbers (anything between 0\r\nand 9) until it hits a “?” marking the end of the track data.\r\nNetwork Connectivity\r\nOnce the potential card numbers are found, the information is sent via HTTP POST to invoicesharepoint[.]com.\r\nConclusion\r\nScanPOS is being distributed through an active campaign. With only 1 anti-virus engine flagging this executable\r\nas malicious, this family helps show the constant pressure that AV vendors face while trying to stay ahead of the\r\ncurve. 
Being distributed in a macro is a simple technique that has been covered in detail in many different blog\r\nposts and may have helped this family hide a little bit in the noise.\r\nIndicators of Compromise\r\nIndicator Type Notes\r\ninvoicesharepoint.com Domain ScanPOS C2 \u0026 data dump (46.45.171.174)\r\n/gateway.php URI ScanPOS C2 POST uri\r\nnetworkupdate.online Domain Office.exe (Kronos) Downloads additional EXE (46.45.171.174)\r\nwww.networkupdate.club Domain Office.exe (Kronos) C2 (46.45.171.174)\r\nprofile.excel-sharepoint.com Domain Dropper DL site from phish (211.110.17.192)\r\n939fcb17ebb3aa7dd57d62d36b442778 MD5 Phish doc: EmployeeID-6283.doc\r\n11180b265b010fbfa05c08681261ac57 MD5 Office.exe (Kronos)\r\n6fcc13563aad936c7d0f3165351cb453 MD5 POS malware: (Kronos DL) a8b05325.exe\r\n73871970ccf1b551a29f255605d05f61 MD5 (Kronos DL) 1f80ff71.exe\r\nf99d1571ce9be023cc897522f82ec6cc MD5 (Kronos DL) c1c06f7d.exe\r\n/kbps/connect.php URI Kronos C2 traffic\r\n/kbps/connect.php?a=1 URI Kronos C2 traffic\r\n/kbps/upload/c1c06f7d.exe URI Kronos Trj DL [a-z0-9],{8}.exe\r\njohns.brueggemann@banctec.com email From address\r\nweb1@hosting5.skyinet.pl email Mail-From address\r\nftp.itmy520.com Domain Found in 73871970ccf1b551a29f255605d05f61\r\nSource: https://securitykitten.github.io/2016/11/15/scanpos.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://securitykitten.github.io/2016/11/15/scanpos.html"
	],
	"report_names": [
		"scanpos.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434669,
	"ts_updated_at": 1775826770,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/53c1189b72e92e98b72d972ec7021aada587760b.pdf",
		"text": "https://archive.orkl.eu/53c1189b72e92e98b72d972ec7021aada587760b.txt",
		"img": "https://archive.orkl.eu/53c1189b72e92e98b72d972ec7021aada587760b.jpg"
	}
}