North Korean state-sponsored advanced persistent threat operation Kimsuky has exploited the Mail.ru email service of Russian online social media platform VK to launch phishing intrusions aimed at exfiltrating credentials that could be leveraged for account takeovers and other attacks, according to The Hacker News.
Malicious emails sent by Kimsuky using Mail.ru's "mail.ru", "bk.ru", "internet.ru", "list.ru", and "inbox.ru" domains impersonated financial organizations and web portals, including the MYBOX cloud storage service of Naver, which had been exploited in the group's attacks involving U.S., South Korean, and Japanese email address domains earlier this year, a report from South Korean cybersecurity firm Genians revealed. Further analysis showed that the phishing emails have also been delivered through a breached email server at U.S.-based Evangelia University. Such findings come as Kimsuky has been gaining notoriety for email-based social engineering, with the APT noted by the U.S. State Department, National Security Agency, and the FBI to have facilitated covert attacks through misconfigured DNS Domain-based Message Authentication, Reporting and Conformance (DMARC) record policies.
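The DMARC misconfigurations referred to above typically mean a published record whose policy does not enforce anything (p=none, a lax subdomain policy, or partial enforcement). The following is an added example, not part of the original report or any Genians tooling, that parses DMARC TXT records and flags the weak settings a defender would want to catch; the domain names and records are constructed samples, and no DNS lookup is performed.

```python
"""Flag weak DMARC policies from the TXT record text (added example)."""
from typing import Dict, List, Optional

# Constructed sample records for illustration; not any real domain's record.
SAMPLE_RECORDS = {
    "example-strict.test": "v=DMARC1; p=reject; rua=mailto:dmarc@example-strict.test",
    "example-monitor.test": "v=DMARC1; p=none; rua=mailto:dmarc@example-monitor.test",
    "example-partial.test": "v=DMARC1; p=quarantine; pct=25",
    "example-subdomain.test": "v=DMARC1; p=reject; sp=none",
    "example-missing.test": None,  # no _dmarc TXT record published at all
}


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'tag=value; tag=value' into a dict; tag names are case-insensitive."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: Optional[str]) -> List[str]:
    """Return the list of weaknesses found; an empty list means enforcing policy."""
    if record is None:
        return ["no DMARC record published"]
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["record does not start with v=DMARC1"]
    issues: List[str] = []
    policy = tags.get("p")
    if policy is None:
        issues.append("missing required p= tag (record is invalid)")
    elif policy.lower() == "none":
        issues.append("p=none: spoofed mail is only reported, never quarantined or rejected")
    # sp= governs subdomains and defaults to p= when absent.
    sub_policy = tags.get("sp", policy)
    if sub_policy and sub_policy.lower() == "none" and policy and policy.lower() != "none":
        issues.append("sp=none: subdomains are left unprotected")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        issues.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    if "rua" not in tags:
        issues.append("no rua= address: aggregate reports will not be received")
    return issues


if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        print(domain, assess_dmarc(record) or "OK")
```
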