Dridex, Vawtrak and others increase focus on Canada
released on 2016-06-29 @ 09:30:50 PM
The spam messages we observed used several different tactics to deliver malicious payloads to users, including macros, packager shell objects (aka OLE objects), and links.
The first example, a campaign observed on May 17, 2016, uses a fake Microsoft security alert as a social engineering lure to trick the victim into opening a link that leads to an executable download. The user would then have to open the downloaded executable to infect their computer. In this case the payload was Kronos, a banking Trojan that was introduced in July 2014 [1]. This instance of Kronos was configured to target US, Canadian, and Australian financial sites.