VERY IMPORTANT

Banking Trojans continue to evolve and threat actors are using them in new ways, even as the massive Dridex campaigns of 2015 have given way to ransomware and other payloads. Most recently, we observed several relatively large email campaigns distributing the Kronos banking Trojan. In these campaigns, though, Kronos acted as a loader with a new Point-of-Sale (POS) malware dubbed ScanPOS as the secondary payload. These campaigns not only represent an uptick in our observed instances of Kronos banker but also a new application of the malware that was first introduced in June 2014 and that we most recently described in relation to campaigns targeting Canada.