Popular anime site Crunchyroll back online after it was hijacked to serve up malware
Crunchyroll said that its servers and user data were not compromised.
The popular anime website Crunchyroll went offline over the weekend after hackers hijacked the site to serve up malware to its visitors. While the attack was ongoing, the site's visitors were prompted to download a desktop version of their software, which in reality, contained a malware that was targeting Windows PC users. The site, however, is back online now and the issue has since been resolved.
Crunchyroll responded fairly quickly to incident, warning users on Twitter to not access their website while they worked on resolving the issue. The site later said that hackers had managed to gain access to its Cloudflare configuration to serve up malware to its visitors.
"At 3:30am PST this morning, malicious individuals gained access and altered our Cloudflare configuration. We took down the site at 6:00am PST as a precaution and were able to re-secure and restore the correct configuration to our Cloudflare service at 9:00am PST. The Crunchyroll service was fully restored by 9:30am," Crunchyroll said in a blog.
The site said that this was an "isolated attack" on the site's Cloudflare layer and "not on Crunchyroll itself". The site also said that its servers and users data were not compromised.
Malware may have been a backdoor
However, it is still unclear as to how many users were affected by the attack. It also remains uncertain as to what kind of malware was distributed by the hackers. IBTimes UK has reached out to Crunhyroll for further clarity on the matter.
According to security researcher Bart Balze and malware analysis service ANY.RUN, the malware downloaded Meterpreter, which is essentially a kind of backdoor that allows hackers complete control over infected computers. According to Blaze, the hacker who created the malware allegedly goes by the name Ben.
"This hack shows that any website or organisation is, in theory, vulnerable to someone hijacking the website, and consequently download and install malware on a user's machine," Blaze said in a blog. "While it is uncertain what exactly happened, CrunchyRoll took correct action by taking the website down not too long after."
How to remove the malware?
Crunchyroll has provided a set of instructions for those who may have unknowingly downloaded the malware on how to go about removing it from their systems.
- Delete "CrunchyViewer.exe" from your file system
- Remove the malicious "Java" Run key (You can find Information on how to edit the Windows Registry in the Microsoft support database if you are unfamiliar with the steps)
- Open Regedit, and browse to: HKEY_CURRENT_USERSOFTWAREMicrosoftWindowsCurrentVersionRun
- Delete the Java key
- Remove the malicious binary, by navigating to: %appdata%Roaming (for example: C:UsersYourusernameAppDataRoaming)
- Delete the 'svchost.exe' file
- Perform a scan with your installed antivirus product