{
	"id": "e9937988-5336-48d6-ade4-f56a6589f529",
	"created_at": "2026-04-06T00:21:58.195612Z",
	"updated_at": "2026-04-10T03:22:00.911599Z",
	"deleted_at": null,
	"sha1_hash": "cdd51947ab1c3b0dd4ef45db0820a90174f470bd",
	"title": "Kronos Banking Trojan Used to Deliver New Point-of-Sale Malware | Proofpoint US",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 232954,
	"plain_text": "Kronos Banking Trojan Used to Deliver New Point-of-Sale Malware | Proofpoint US\r\nBy Proofpoint Staff, November 15, 2016\r\nPublished: 2016-11-15 · Archived: 2026-04-05 14:45:55 UTC\r\nOverview\r\nBanking Trojans continue to evolve and threat actors are using them in new ways, even as the massive Dridex campaigns of 2015 have given way to ransomware and other payloads. Most recently, we observed several relatively large email campaigns distributing the Kronos banking Trojan. In these campaigns, though, Kronos acted as a loader, with a new Point-of-Sale (POS) malware dubbed ScanPOS as the secondary payload. These campaigns not only represent an uptick in our observed instances of the Kronos banker but also a new application of the malware, which was first introduced in June 2014 and which we most recently described in relation to campaigns targeting Canada [1].\r\nEmail Campaigns\r\nOn November 10 and 14, Proofpoint observed several large email campaigns of tens of thousands of messages each, targeting a range of verticals including hospitality, higher education, financial services, and healthcare. The relative volumes by vertical are shown in Figure 1.\r\nFigure 1: Vertical targeting across several campaigns\r\nThese campaigns reached global audiences but primarily targeted the United Kingdom and North America.\r\nThe email messages contained a document attachment or a link such as hxxp://intranet.excelsharepoint[.]com/profile/Employee[.]php?id=[base64 encoded e-mail address]. This domain is under attacker control but pretends to be associated with Microsoft SharePoint. Clicking the link causes the targeted user to download a malicious document (Figs. 2 and 3).\r\nhttps://www.proofpoint.com/us/threat-insight/post/kronos-banking-trojan-used-to-deliver-new-point-of-sale-malware\r\nPage 1 of 8\r\nFigure 2: Email containing malicious attachment only\r\nFigure 3: Email containing malicious attachment and link to malicious document\r\nThe documents we observed contained a macro which downloaded Kronos [2] from a URL such as hxxp://info.docs-sharepoint[.]com/officeup[.]exe. The Kronos payload had a command and control (C\u0026C) of hxxp://www.networkupdate[.]club/kbps/connect[.]php. The Kronos payloads received tasks to download at least three different payloads from the following URLs:\r\nhxxp://networkupdate[.]online/kbps/upload/c1c06f7d[.]exe - Smoke Loader\r\nhxxp://networkupdate[.]online/kbps/upload/1f80ff71[.]exe - Smoke Loader\r\nhxxp://networkupdate[.]online/kbps/upload/a8b05325[.]exe - ScanPOS\r\nFigure 4: Malicious macro document with “Enable Content” lure\r\nBoth Smoke Loader [3] payloads were configured to use hxxp://webfeed.updatesnetwork[.]com/feedweb/feed[.]php as their C\u0026C. So far we have not observed any additional payloads associated with these two Smoke Loader samples. However, as noted in the next section, we have observed a ZeuS variant payload being downloaded by a different Smoke Loader sample using the same C\u0026C.\r\nThe third payload we observed is a new Point-of-Sale (POS) malware called ScanPOS, which is capable of exfiltrating via HTTP (Fig. 5) credit card numbers discovered by scanning the memory of running processes. This new POS variant has only a single, hard-coded C\u0026C: hxxp://invoicesharepoint[.]com/gateway[.]php. As with several other domains described here, this domain pretends to be associated with Microsoft SharePoint but is independent and under attacker control.\r\nExfiltrated data is base64 encoded and includes:\r\nThe stolen track data\r\nThe process in which the data was found\r\nThe username\r\nPlease refer to the discovery article by our colleagues at Morphick for additional technical analysis of this new POS variant [4].\r\nFigure 5: ScanPOS exfiltrating CC data over HTTP\r\nOther Activity\r\nIn a November 8 campaign that preceded this activity, we observed similar emails and URLs following the same pattern as those used to deliver Kronos. However, in this campaign we observed links leading to the RIG-v Exploit Kit (EK), followed by a redirect to ZIP-compressed .pif Smoke Loader and ZeuS. The links followed a pattern very similar to the more recent campaigns: hxxp://invoice.docs-sharepoint[.]com/profile/profile[.]php?id=[base64 e-mail address]. These links utilized an iframe to redirect potential victims to a RIG-v instance located at add.souloventure[.]org as well as to /download.php on the same server as the original link (Fig. 6).\r\nFigure 6: Iframe redirect to RIG-v and payload download\r\nUnfortunately, we did not observe any payloads delivered through the RIG-v redirect itself. The /download.php returns an EmployeeID-47267.zip payload that we observed containing either a Smoke Loader variant using hxxp://webfeed.updatesnetwork[.]com/feedweb/feed[.]php as its C\u0026C or a ZeuS variant using hxxps://feed.networksupdates[.]com/feed/webfeed[.]xml as its C\u0026C. In the instance where we observed Smoke Loader, Smoke Loader downloaded an identical (same hash) ZeuS variant.\r\nConclusion\r\nThe campaigns distributing ScanPOS are heavily targeted at the hospitality vertical in North America and the UK, among other countries that observe the Christmas and/or Thanksgiving holidays. With the holidays approaching and their associated heavy travel and shopping, organizations should be especially vigilant with respect to potential infection with POS malware, banking Trojans, and other malware that may be used to exploit seasonal trends. We will continue to monitor Kronos campaigns, ScanPOS distribution, and other threats as they emerge.\r\nReferences\r\n1. https://www.proofpoint.com/us/threat-insight/post/banking-trojans-dridex-vawtrak-others-increase-focus-on-canada\r\n2. https://securityintelligence.com/the-father-of-zeus-kronos-malware-discovered/\r\n3. https://blog.malwarebytes.com/threat-analysis/2016/08/smoke-loader-downloader-with-a-smokescreen-still-alive/\r\n4. http://www.morphick.com/resources/lab-blog/scanpos-new-pos-malware-being-distributed-kronos\r\nIndicators of Compromise (IOCs)\r\nIOC | Type | Description\r\nhxxp://invoice.docs-sharepoint[.]com/profile/profile[.]php?id=[base64 e-mail address] | URL | Phishing link on Nov 8\r\nhxxp://invoice.docs-sharepoint[.]com/profile/download[.]php | URL | Redirect from phishing link on Nov 8\r\n4b5f4dbd93100bb7b87920f2f3066782a8449eb9e236efc02afe570c1ce70cf5 | SHA256 | EmployeeID-47267.zip containing SmokeLoader from /download.php on Nov 8\r\n90063c40cb94277f39ca1b3818b36b4fa41b3a3091d42dfc21586ad1c461daa0 | SHA256 | SmokeLoader EmployeeID-47267.pif\r\n711431204071b1e6f5b5644e0f0b23464c6ef5c254d7a40c4e6fe7c8782cd55c | SHA256 | EmployeeID-47267.zip containing ZeuS from /download.php on Nov 8\r\n4ba3913d945a16c099f5796fdeef2fda5c6c2e60cb53d46a1bfae82808075d74 | SHA256 | ZeuS EmployeeID-47267.pif\r\nhxxps://feed.networksupdates[.]com/feed/webfeed.xml | URL | ZeuS C\u0026C on Nov 8\r\nadd.souloventure[.]org | Domain | RIG-v domain on Nov 8\r\nhxxp://intranet.excelsharepoint[.]com/profile/Employee[.]php?id=[base64 e-mail address] | URL | Phishing link on Nov 10\r\na78b93a11ce649be3ca91812769f95a40de9d78e97a627366917c4fcd747f156 | SHA256 | EmployeeID-847267.doc downloaded from phishing links on Nov 10\r\nhxxp://info.docs-sharepoint[.]com/officeup[.]exe | URL | EmployeeID-847267.doc downloading payload (Kronos) on Nov 10\r\ne3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 | SHA256 | Kronos on Nov 10 (note: this value is the SHA256 of empty input, so it does not identify a file)\r\nhxxp://www.networkupdate[.]club/kbps/connect[.]php | URL | Kronos C\u0026C on Nov 10\r\nhxxp://networkupdate[.]online/kbps/upload/c1c06f7d[.]exe | URL | Payload DL by Kronos on Nov 10\r\nhxxp://networkupdate[.]online/kbps/upload/1f80ff71[.]exe | URL | Payload DL by Kronos on Nov 10\r\nhxxp://networkupdate[.]online/kbps/upload/a8b05325[.]exe | URL | Payload DL by Kronos on Nov 10\r\nd0caf097ea0350dc92277aed73b0f44986d7d85b06d1d17b424dc172ce35a984 | SHA256 | c1c06f7d.exe - SmokeLoader\r\nd9d1f02c8c4beee49f81093ea8162ce6adf405640ccacd5f03ce6c45e700ee98 | SHA256 | 1f80ff71.exe - SmokeLoader\r\nhxxp://webfeed.updatesnetwork[.]com/feedweb/feed[.]php | URL | SmokeLoader C\u0026C\r\n093c81f0b234c2aa0363129fdaaaf57551f161915da3d23f43a792b5f3024c1e | SHA256 | a8b05325.exe - ScanPOS\r\nhxxp://invoicesharepoint[.]com/gateway[.]php | URL | ScanPOS C\u0026C\r\nhxxp://intranet.excel-sharepoint[.]com/doc/employee[.]php?id=[base64 e-mail address] | URL | Phishing link on Nov 14\r\nfd5412a7c71958ecdffa7064bf03c5f1931e561a1e71bc939551d5afb8bf7462 | SHA256 | Downloaded from phishing links on Nov 14\r\nhxxp://profile.excel-sharepoint[.]com/doc/office[.]exe | URL | EmployeeID-6283.doc downloading payload (Kronos) on Nov 14\r\n269f88cfa9e9e26f3761aedee5d0836b5b82f346128fe03da28a331f80a5fba3 | SHA256 | Kronos on Nov 14 (same C\u0026C as previous)\r\nET and ETPRO Suricata/Snort Coverage\r\n2018125 ET CURRENT_EVENTS SUSPICIOUS .PIF File Inside of Zip\r\n2020077 ET TROJAN Kronos Checkin M2\r\n2020080 ET TROJAN Kronos Checkin\r\n2022124 ET TROJAN Win32.Sharik Microsoft Connectivity Check\r\n2022550 ET CURRENT_EVENTS Possible Malicious Macro DL EXE Feb 2016\r\n2023196 ET CURRENT_EVENTS RIG EK Landing Sep 12 2016 T2\r\n2023401 ET CURRENT_EVENTS RIG EK URI struct Oct 24 2016 (RIG-v)\r\n2816808 ETPRO CURRENT_EVENTS RIG EK Flash Exploit Mar 29 2016\r\n2823254 ETPRO TROJAN ScanPOS Exfiltrating CC Data\r\n2823288 ETPRO TROJAN Zeus Variant CnC SSL Cert\r\nSource: https://www.proofpoint.com/us/threat-insight/post/kronos-banking-trojan-used-to-deliver-new-point-of-sale-malware",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.proofpoint.com/us/threat-insight/post/kronos-banking-trojan-used-to-deliver-new-point-of-sale-malware"
	],
	"report_names": [
		"kronos-banking-trojan-used-to-deliver-new-point-of-sale-malware"
	],
	"threat_actors": [],
	"ts_created_at": 1775434918,
	"ts_updated_at": 1775791320,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/cdd51947ab1c3b0dd4ef45db0820a90174f470bd.pdf",
		"text": "https://archive.orkl.eu/cdd51947ab1c3b0dd4ef45db0820a90174f470bd.txt",
		"img": "https://archive.orkl.eu/cdd51947ab1c3b0dd4ef45db0820a90174f470bd.jpg"
	}
}