Pierluigi Paganini November 05, 2017

The popular Anime site Crunchyroll.com was hijacked to distribute malware, according to the operators the site was not hacked.

The popular Anime site Crunchyroll.com was hijacked to distribute malware, once discovered the hack, the operators have issued alerts informing visitors to don’t visit the site and later they took it offline.

And for our English-speaking audience
Please DO NOT access our website at the current time. We are aware of the issues and are working on it

— Crunchyroll.de✨ (@Crunchyroll_de) November 4, 2017

The visitors were prompted to download and try a new desktop version of Crunchyroll software that was tainted with a malware.

“Their main page auto downloads a suspicious .exe file. So far I havent seen more info on their twitter about what happened.” reported a Reddit user.

It was a fake desktop application that was not offered by the Crunchyroll site.

According to Crunchyroll, attackers did not breach the website, it appears as a DNS hijack that redirected users to a bogus copy of the website used by the attackers to deliver the malware.

And for our English-speaking audience
Please DO NOT access our website at the current time. We are aware of the issues and are working on it

— Crunchyroll.de✨ (@Crunchyroll_de) November 4, 2017

At the time, the situation has been solved.

We've just gotten the all-clear to say that https://t.co/x1dBCM9X9C is back online!! Thank you SO MUCH for your patience ~ ❤️ pic.twitter.com/FQRRHowvp6

— Crunchyroll (@Crunchyroll) November 4, 2017

Lawrence Abrams from Bleepingcomputer.com has analyzed the malicious code delivered by the website, once executed it would extract an embedded base64 encoded file to %AppData%\svchost.exe and execute it.

When the malware starts, it will create an autostart called Java that executes the %AppData%\svchost.exe program when the victim logs into the computer.

According to the security researcher Bart Blaze who followed the hack, the malware was a keylogger.

“There are claims the malware will additionally install ransomware – I have not observed this behaviour, but it is definitely possible once the C2 sends back (any) commands. More likely, it is a form of keylogger – malware that can record anything you type, and send it back to the attacker.” wrote Blaze.

The good news for users infected by the malware is that it is easy to remove even if it is detected only by 25 out of 67 antivirus software.

Below the instructions published by Lawrence Abrams from Bleepingcomputerfrom;

1. Open the Windows Registry Editor by typing regedit in the Start Menu search bar. When you see regedit.exe or Registry Editor in the search results, click on it to launch the program.
2. When the Registry Editor is open, navigate to HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and single-left click on the Run key. You should now see in the right pane a value called Java.
3. Now right-click on the Java entry and select Delete as shown in the image below.
4. When it asks you to confirm that you wish to delete the value, click on the Yes button.
5. Now reboot your computer and when you log back in, the malware executable will no longer be started.
6. Now navigate to the %AppData% (Typically C:\users\[user_name]\appdata\roaming) folder and you should see a program called svchost.exe.
7. Right-click on this file and select Delete to delete it from the computer.
8. Now perform a scan using your installed security software. If you do not have a security software, now may be a good time to install one.
9. If this malware was indeed a keylogger, you may also want to consider changing the password to any sites that you logged into after installing this fake Crunchyroll program.

Pierluigi Paganini

(Security Affairs – Crunchyroll, DNS hack)

[adrotate banner=”5″]

[adrotate banner=”13″]