Popular Anime site Crunchyroll.com was taken offline this morning due to a hack that caused visitors to be prompted to download a desktop version of their software. This software, though, was not as it seemed because it also included malware that was installed along with it.

When the Crunchyroll staff in Germany woke up this morning they were greeted with news that something was not quite right with the site. Due to this they started issuing alerts telling visitors to stay away from the site for the time being.

While the hack was ongoing, visitors were greeted with a prompt to download and try a new desktop application. This desktop application was not one offered by the site themselves, but one being offered by the hackers in order to distribute malware.

Crunchyroll.com During the Hack
Source: Reddit

According to Crunchyroll, the site itself was not hacked, but rather was the victim of a DNS hijack of some sort. Whether his DNS hijack caused a clone of the site under the attacker control to be shown to visitor or some other redirect is currently unknown.

BleepingComputer has contacted Crunchyroll for more details regarding the hack, but at the time of this writing have not heard back.

According to the site's twitter feed, the issue has been resolved, Crunchyroll is back online, and its safe for visitors once again.

Update 11/5/17: CrunchyRoll issued a statement detailing that this was a DNS hijack rather than their site itself being compromised. According to CrunchyRoll, the attackers were able to gain access to their Cloudflare account in order to redirect visitors to another site under the attackers control. This site was then used to distribute the CrunchyViewer.exe malware program.

So what exactly was installed by this CrunchyViewer.exe download?

When the promoted CrunchyViewer.exe program was downloaded and executed, it would extract an embedded base64 encoded file to %AppData%\svchost.exe and execute it. You can see the base64 encoded file in the screenshot of the offered Crunchyroll.exe file below.

Embedded Base64 Encoded File
Embedded Base64 Encoded File

When the malicious executable starts, it will create an autostart called Java that launches the %AppData%\svchost.exe program when the victim logs into the computer. 

Unfortunately, it is not currently known what this malicious executable does at this point. According to a detailed writeup by security researcher Bart Blaze, he feels that it may be a keylogger. As more information becomes available about the malware, we will update this article.

How can you remove the Crunchyroll related malware?

Thankfully, removing the malware distributed by the Crunchyroll hack is fairly easy. The only issue is that this malware is not currently detected by many security vendors, so we will need to perform manual removal steps.

  1. Open the Windows Registry Editor by typing regedit in the Start Menu search bar. When you see regedit.exe or Registry Editor in the search results, click on it to launch the program.
     
  2. When the Registry Editor is open, navigate to HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and single-left click on the Run key. You should now see in the right pane a value called Java as shown below.
    Java Registry Value
    Java Registry Value
  3. Now right-click on the Java entry and select Delete as shown in the image below.
    Delete Value
    Delete Value
  4. When it asks you to confirm that you wish to delete the value, click on the Yes button.
     
  5. Now reboot your computer and when you log back in, the malware executable will no longer be started.
     
  6. Now navigate to the %AppData% (Typically C:\users\[user_name]\appdata\roaming) folder and you should see a program called svchost.exe.
    Svchost.exe in AppData Folder
    Svchost.exe in AppData Folder
  7. Right-click on this file and select Delete to delete it from the computer.
     
  8. Now perform a scan using your installed security software. If you do not have a security software, now may be a good time to install one.
     
  9. If this malware was indeed a keylogger, you may also want to consider changing the password to any sites that you logged into after installing this fake Crunchyroll program.

Your computer is now clean from the malware related to the Crunchyroll hack.