The popular Anime site Crunchyroll.com was hijacked to distribute malware, once discovered the hack, the operators have issued alerts informing visitors to don’t visit the site and later they took it offline.
And for our English-speaking audience
Please DO NOT access our website at the current time. We are aware of the issues and are working on it— Crunchyroll.de✨ (@Crunchyroll_de) November 4, 2017
The visitors were prompted to download and try a new desktop version of Crunchyroll software that was tainted with a malware.
“Their main page auto downloads a suspicious .exe file. So far I havent seen more info on their twitter about what happened.” reported a Reddit user.
It was a fake desktop application that was not offered by the Crunchyroll site.
According to Crunchyroll, attackers did not breach the website, it appears as a DNS hijack that redirected users to a bogus copy of the website used by the attackers to deliver the malware.
And for our English-speaking audience
Please DO NOT access our website at the current time. We are aware of the issues and are working on it— Crunchyroll.de✨ (@Crunchyroll_de) November 4, 2017
At the time, the situation has been solved.
We've just gotten the all-clear to say that https://t.co/x1dBCM9X9C is back online!! Thank you SO MUCH for your patience ~ ❤️ pic.twitter.com/FQRRHowvp6
— Crunchyroll (@Crunchyroll) November 4, 2017
Lawrence Abrams from Bleepingcomputer.com has analyzed the malicious code delivered by the website, once executed it would extract an embedded base64 encoded file to %AppData%\svchost.exe and execute it.
When the malware starts, it will create an autostart called Java that executes the %AppData%\svchost.exe program when the victim logs into the computer.
According to the security researcher Bart Blaze who followed the hack, the malware was a keylogger.
“There are claims the malware will additionally install ransomware – I have not observed this behaviour, but it is definitely possible once the C2 sends back (any) commands. More likely, it is a form of keylogger – malware that can record anything you type, and send it back to the attacker.” wrote Blaze.
The good news for users infected by the malware is that it is easy to remove even if it is detected only by 25 out of 67 antivirus software.
Below the instructions published by Lawrence Abrams from Bleepingcomputerfrom;
[adrotate banner=”9″] | [adrotate banner=”12″] |
(Security Affairs – Crunchyroll, DNS hack)
[adrotate banner=”5″]
[adrotate banner=”13″]