Phishing Campaign Alert by CERT IL

The National Cyber Directorate has reported an active phishing campaign in Israel. A file containing identifiers is attached to this alert. It is recommended to monitor them in all relevant organizational security systems.

Details

The campaign is managed using an email campaign management software called YAMM, by a French company named Talarian. The software operates on, and is integrated with, Google Cloud services.

The email message includes text that impersonates an urgent message from well-known organizations in Israel, claiming a copyright violation by the recipient. To prove the violation, the recipient is asked to download a file (a RAR archive containing images that allegedly violate copyrights) from a link pointing to the appspot.com service and then, via a URL shortening service, to Dropbox. Downloading and running the file will install a known malware called RHADAMANTHYS stealer.

Mitigation Measures

A file containing identifiers is attached to this alert. It is recommended to monitor them in all relevant organizational security systems.

It is recommended to suspect emails with links containing the string "/-dot-yamm-track.appspot.com". While this is not a unique identifier, as legitimate emails may also come from this system, it is suspicious under the circumstances of the current campaign, especially if the email concerns copyright infringement.

It is recommended to inform all users about the campaign and remind them not to open suspicious links and attachments.
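The link check recommended above can be run over stored messages. The following Python is an added example, not part of the CERT IL alert: it decodes each text part before matching, so a link split by quoted-printable line wrapping is still found, and it raises the verdict when a copyright theme is also present. Assumptions: it matches on the "-dot-yamm-track.appspot.com" portion of the alert's string, the keyword list and verdict names are hypothetical, and the sample messages are constructed.

```python
import re
from email import message_from_string, policy

# Substring of the alert's indicator. Dropping the leading "/" is an assumption
# made here so a host label in front of "-dot-" is matched as well.
INDICATOR = "-dot-yamm-track.appspot.com"
LURE_TERMS = ("copyright", "infringement")  # hypothetical keyword list
URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.IGNORECASE)

def triage(raw_message: str) -> dict:
    """Score one RFC 5322 message against the alert's guidance."""
    msg = message_from_string(raw_message, policy=policy.default)
    texts = [str(msg.get("Subject", ""))]
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            # get_content() undoes base64 / quoted-printable, so a URL split
            # by a soft line break is reassembled before matching.
            texts.append(part.get_content())
    blob = "\n".join(texts)
    urls = sorted({u for u in URL_RE.findall(blob) if INDICATOR in u.lower()})
    lure = any(term in blob.lower() for term in LURE_TERMS)
    if urls and lure:
        verdict = "high"    # tracking link plus copyright theme
    elif urls:
        verdict = "review"  # YAMM also carries legitimate mail
    else:
        verdict = "none"
    return {"urls": urls, "lure": lure, "verdict": verdict}

# Constructed sample messages (not taken from the campaign).
HEAD = "From: a@example.invalid\nTo: b@example.invalid\nMIME-Version: 1.0\n"
SAMPLE_LURE = HEAD + (
    "Subject: Urgent: copyright violation\n"
    'Content-Type: text/html; charset="utf-8"\n'
    "Content-Transfer-Encoding: quoted-printable\n\n"
    '<a href=3D"https://sample-dot-yamm-tr=\n'
    'ack.appspot.com/constructed-path">images</a>\n'
)
SAMPLE_NEWSLETTER = HEAD + (
    "Subject: Monthly newsletter\n"
    "Content-Type: text/plain\n\n"
    "Read more: https://sample-dot-yamm-track.appspot.com/constructed-path\n"
)

if __name__ == "__main__":
    for name, raw in (("lure", SAMPLE_LURE), ("newsletter", SAMPLE_NEWSLETTER)):
        print(name, triage(raw))
```

A plain substring search over the raw message misses the first sample, because the transfer encoding breaks the hostname across two lines.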