Popular anime site Crunchyroll.com was taken offline this morning due to a hack that caused visitors to be prompted to download a desktop version of its software. This download was not what it seemed: alongside the software, it also installed malware.
When the Crunchyroll staff in Germany woke up this morning, they were greeted with news that something was not quite right with the site. They then began issuing alerts telling visitors to stay away from the site for the time being.
Tweet from Crunchyroll.de (@Crunchyroll_de), November 4, 2017: "And for our English-speaking audience: Please DO NOT access our website at the current time. We are aware of the issues and are working on it."
While the hack was ongoing, visitors were greeted with a prompt to download and try a new desktop application. This desktop application was not one offered by the site itself, but one offered by the hackers in order to distribute malware.
According to Crunchyroll, the site itself was not hacked, but rather was the victim of a DNS hijack of some sort. Whether this DNS hijack caused a clone of the site under the attacker's control to be shown to visitors, or some other redirect was used, is currently unknown.
Tweet from Crunchyroll.de (@Crunchyroll_de), November 4, 2017: "Update: We have NOT been hacked. At the moment, it appears to be DNS hijacking."
BleepingComputer has contacted Crunchyroll for more details regarding the hack, but at the time of this writing has not heard back.
According to the site's Twitter feed, the issue has been resolved, Crunchyroll is back online, and it's safe for visitors once again.
Update 11/5/17: Crunchyroll issued a statement detailing that this was a DNS hijack rather than a compromise of the site itself. According to Crunchyroll, the attackers were able to gain access to its Cloudflare account and used it to redirect visitors to another site under the attackers' control. This site was then used to distribute the CrunchyViewer.exe malware program.
When the promoted CrunchyViewer.exe program was downloaded and executed, it would extract an embedded base64-encoded file to %AppData%\svchost.exe and execute it. You can see the base64-encoded file in the screenshot of the offered Crunchyroll.exe file below.
When the malicious executable starts, it creates an autostart entry called Java that launches the %AppData%\svchost.exe program each time the victim logs into the computer.
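The two host indicators described above (an autostart value named "Java" and a copy of svchost.exe living under %AppData% rather than in the Windows system directories) are easy to check for in an automated way. The following Python script is an added example written for this article, not code from Crunchyroll or from the researchers cited; it runs the check over a constructed list of Run-key entries, which on a real Windows host you would read from HKCU\Software\Microsoft\Windows\CurrentVersion\Run, and the user path and entries shown are assumptions made up for the example.

```python
import ntpath
import os

# Directories where a genuine svchost.exe lives (compared case-insensitively).
# Any svchost.exe elsewhere, such as under %AppData%, is treated as an indicator.
LEGIT_SVCHOST_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


def first_token(command: str) -> str:
    """Return the executable part of a Run-key command line.

    Handles both '"C:\\path with spaces\\x.exe" /arg' and 'C:\\x.exe /arg'.
    """
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end != -1 else command[1:]
    return command.split()[0] if command else ""


def expand_appdata(path: str, appdata: str) -> str:
    """Expand only the %AppData% variable (case-insensitive), so the check
    runs on any OS using a caller-supplied Roaming directory."""
    lowered = path.lower()
    idx = lowered.find("%appdata%")
    if idx == -1:
        return path
    return path[:idx] + appdata + path[idx + len("%appdata%"):]


def is_rogue_svchost(path: str) -> bool:
    """True when the path names svchost.exe outside the legitimate directories."""
    directory, name = ntpath.split(path)
    if name.lower() != "svchost.exe":
        return False
    return directory.lower().rstrip("\\") not in LEGIT_SVCHOST_DIRS


def check_run_entries(run_entries, appdata):
    """Flag Run-key values that match the indicators from the article.

    run_entries: iterable of (value_name, command) pairs as read from the Run key.
    Returns a list of (reason, value_name, command) tuples; empty means no hit.
    """
    hits = []
    for name, command in run_entries:
        exe = expand_appdata(first_token(command), appdata)
        if is_rogue_svchost(exe):
            if name.lower() == "java":
                reason = "java_autostart_to_rogue_svchost"
            else:
                reason = "rogue_svchost_autostart"
            hits.append((reason, name, command))
    return hits


def check_appdata_file(appdata):
    """Return the path of <appdata>\\svchost.exe if it exists on disk, else None."""
    candidate = os.path.join(appdata, "svchost.exe")
    return candidate if os.path.isfile(candidate) else None


# Constructed sample Run-key contents for a hypothetical user "alice"
# (not taken from a real infected host).
SAMPLE_APPDATA = r"C:\Users\alice\AppData\Roaming"
SAMPLE_RUN_ENTRIES = [
    ("OneDrive", r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("SecurityHealth", r"C:\Windows\system32\SecurityHealthSystray.exe"),
    ("Java", r"%AppData%\svchost.exe"),
]


def run_demo():
    """Run the Run-key check over the constructed sample and return the hits."""
    return check_run_entries(SAMPLE_RUN_ENTRIES, SAMPLE_APPDATA)


if __name__ == "__main__":
    for reason, name, command in run_demo():
        print(f"[{reason}] Run value {name!r} -> {command}")
    print("on-disk %AppData%\\svchost.exe:", check_appdata_file(SAMPLE_APPDATA))
```

The check deliberately keys on the location of svchost.exe rather than on its name alone, because the real Windows service host legitimately lives in System32 and SysWOW64; a copy anywhere else, and in particular one launched from a Run value, is worth investigating regardless of what the value is called.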
Unfortunately, it is not currently known what this malicious executable does. Security researcher Bart Blaze, in a detailed writeup, says he feels it may be a keylogger. As more information becomes available about the malware, we will update this article.
Thankfully, removing the malware distributed by the Crunchyroll hack is fairly easy. The only issue is that this malware is not currently detected by many security vendors, so we will need to perform manual removal steps.
Your computer is now clean from the malware related to the Crunchyroll hack.