
OSINT - Kronos Banking Trojan Used to Deliver New Point-of-Sale Malware

Low
Published: Tue Nov 15 2016 (11/15/2016, 00:00:00 UTC)
Source: CIRCL OSINT Feed
Vendor/Project: tlp
Product: white

AI-Powered Analysis

Last updated: 07/01/2025, 13:55:05 UTC

Technical Analysis

The Kronos banking Trojan is a well-known piece of malware primarily designed to steal banking credentials by intercepting user input and network traffic related to online banking sessions. This particular threat intelligence report highlights that the Kronos Trojan has been repurposed or used as a delivery mechanism for new Point-of-Sale (POS) malware. POS malware typically targets retail and hospitality environments to capture payment card data directly from the memory of POS terminals during transaction processing. The combination of Kronos as a delivery vector and new POS malware payloads indicates a shift or expansion in the threat actor's tactics to broaden their data theft capabilities beyond banking credentials to include payment card data. Although the report dates back to 2016 and is marked with low severity, the technical details suggest a multi-stage attack where Kronos compromises a system and subsequently installs POS malware to harvest sensitive financial data. The lack of affected versions or patch information implies this is a malware campaign rather than a software vulnerability. No known exploits in the wild are reported, but the threat remains relevant due to the persistent use of banking Trojans and POS malware in cybercrime. The technical complexity involves initial infection by Kronos, which then downloads and executes the POS malware payload, potentially evading detection by blending banking credential theft with payment card data theft.

Potential Impact

For European organizations, especially those in retail, hospitality, and financial sectors, this threat poses significant risks. Compromise by Kronos followed by POS malware installation can lead to large-scale theft of payment card data, resulting in financial losses, regulatory penalties under GDPR for data breaches, and reputational damage. Financial institutions may also face increased fraud attempts due to stolen banking credentials. The multi-stage nature of the attack complicates detection and response efforts. Organizations with POS systems that are not adequately segmented or monitored are particularly vulnerable. Additionally, the theft of payment card data can lead to downstream fraud affecting European consumers and businesses. The low severity rating in the original report may underestimate the potential impact if the malware campaign is successful, as POS malware infections have historically led to major breaches in Europe.

Mitigation Recommendations

European organizations should implement network segmentation to isolate POS systems from general corporate networks, reducing the risk of lateral movement by malware like Kronos. Deploy advanced endpoint detection and response (EDR) solutions capable of identifying multi-stage malware behavior, including unusual process spawning and network communications indicative of banking Trojans and POS malware. Regularly update and patch all systems, including POS terminals and endpoint devices, even though no specific patch exists for this malware, to reduce the attack surface. Employ strict access controls and multi-factor authentication for systems handling financial transactions. Monitor network traffic for anomalies such as unexpected data exfiltration or connections to known malicious command and control servers associated with Kronos. Conduct regular security awareness training to reduce the risk of initial infection vectors such as phishing. Finally, implement robust logging and incident response plans to quickly detect and contain infections.

Technical Details

UUID: 5b58330e-b924-4828-b3a5-4986950d210f
Original Timestamp: 1748941278

Indicators of Compromise

Link

https://www.proofpoint.com/us/threat-insight/post/kronos-banking-trojan-used-to-deliver-new-point-of-sale-malware

Url

http://invoice.docs-sharepoint.com/profile/profile.php?id=[base64 e-mail address] - Phishing link on Nov 8
http://invoice.docs-sharepoint.com/profile/download.php - Redirect from phishing link on Nov 8
https://feed.networksupdates.com/feed/webfeed.xml - ZeuS C&C on Nov 8
http://info.docs-sharepoint.com/officeup.exe - EmployeeID-847267.doc downloading payload (Kronos) on Nov 10
http://www.networkupdate.club/kbps/connect.php - Kronos C&C on Nov 10
http://networkupdate.online/kbps/upload/c1c06f7d.exe - Payload DL by Kronos on Nov 10
http://networkupdate.online/kbps/upload/1f80ff71.exe - Payload DL by Kronos on Nov 10
http://networkupdate.online/kbps/upload/a8b05325.exe - Payload DL by Kronos on Nov 10
http://intranet.excelsharepoint.com/profile/Employee.php?id=[base64 e-mail address] - Phishing link on Nov 10
http://webfeed.updatesnetwork.com/feedweb/feed.php - SmokeLoader C&C
http://invoicesharepoint.com/gateway.php - ScanPOS C&C
http://intranet.excel-sharepoint.com/doc/employee.php?id=[base64 e-mail address] - Phishing link on Nov 14
http://profile.excel-sharepoint.com/doc/office.exe - EmployeeID-6283.doc downloading payload (Kronos) on Nov 14
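The mitigation section recommends watching for connections to the Kronos-related command and control and payload hosts. The following added example (not part of the original record) turns the URL indicators above into a host-plus-path lookup and runs it over a constructed proxy log; the variable "[base64 e-mail address]" query string, host case and an explicit port are normalized away so those indicators still match.

```python
from urllib.parse import urlsplit

# URL indicators from this record, keyed by host + path. The variable
# "[base64 e-mail address]" query string is deliberately dropped so that
# any id= value still matches.
URL_IOCS = {
    "invoice.docs-sharepoint.com/profile/profile.php": "Phishing link on Nov 8",
    "invoice.docs-sharepoint.com/profile/download.php": "Redirect from phishing link on Nov 8",
    "feed.networksupdates.com/feed/webfeed.xml": "ZeuS C&C on Nov 8",
    "info.docs-sharepoint.com/officeup.exe": "EmployeeID-847267.doc downloading payload (Kronos) on Nov 10",
    "www.networkupdate.club/kbps/connect.php": "Kronos C&C on Nov 10",
    "networkupdate.online/kbps/upload/c1c06f7d.exe": "Payload DL by Kronos on Nov 10",
    "networkupdate.online/kbps/upload/1f80ff71.exe": "Payload DL by Kronos on Nov 10",
    "networkupdate.online/kbps/upload/a8b05325.exe": "Payload DL by Kronos on Nov 10",
    "intranet.excelsharepoint.com/profile/Employee.php": "Phishing link on Nov 10",
    "webfeed.updatesnetwork.com/feedweb/feed.php": "SmokeLoader C&C",
    "invoicesharepoint.com/gateway.php": "ScanPOS C&C",
    "intranet.excel-sharepoint.com/doc/employee.php": "Phishing link on Nov 14",
    "profile.excel-sharepoint.com/doc/office.exe": "EmployeeID-6283.doc downloading payload (Kronos) on Nov 14",
}

def normalize(url):
    """Lowercased host (port stripped) + path; scheme and query string are ignored."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    return f"{parts.hostname or ''}{parts.path}".lower()

IOC_LOOKUP = {normalize(k): v for k, v in URL_IOCS.items()}

# Constructed proxy log (timestamp, client, method, URL, status); not real traffic.
SAMPLE_PROXY_LOG = """\
2016-11-10T14:02:11Z 10.20.5.17 GET http://intranet.excelsharepoint.com/profile/Employee.php?id=cGxhY2Vob2xkZXI= 200
2016-11-10T14:02:40Z 10.20.5.17 GET http://info.docs-sharepoint.com/officeup.exe 200
2016-11-10T14:03:05Z 10.20.5.17 POST http://www.networkupdate.club/kbps/connect.php 200
2016-11-10T14:03:09Z 10.20.5.17 GET http://NETWORKUPDATE.online:80/kbps/upload/1f80ff71.exe 200
2016-11-10T14:05:00Z 10.20.5.23 GET http://www.example.org/index.html 200
"""

def match_proxy_log(log_text):
    """Return (timestamp, client, description) for every log line hitting an IoC."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # skip malformed or truncated lines
        ts, client, _method, url = fields[:4]
        desc = IOC_LOOKUP.get(normalize(url))
        if desc:
            hits.append((ts, client, desc))
    return hits
```

Run against the constructed log, the four hits for client 10.20.5.17 line up in the order the analysis describes: phishing link, Kronos payload download, Kronos C&C, then a secondary payload fetch.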

File

EmployeeID-847267.doc
EmployeeID-6283.doc
EmployeeID-47267.zip
EmployeeID-47267.pif
c1c06f7d.exe
1f80ff71.exe
a8b05325.exe

Domain

add.souloventure.org - RIG-v domain on Nov 8

Text

Banking Trojans continue to evolve and threat actors are using them in new ways, even as the massive Dridex campaigns of 2015 have given way to ransomware and other payloads. Most recently, we observed several relatively large email campaigns distributing the Kronos banking Trojan. In these campaigns, though, Kronos acted as a loader with a new Point-of-Sale (POS) malware dubbed ScanPOS as the secondary payload.

Threat ID: 68493dbbcacb3d99bea6dc8a

Added to database: 6/11/2025, 8:26:35 AM

Last enriched: 7/1/2025, 1:55:05 PM

Last updated: 8/11/2025, 5:51:33 PM
