If you were among the swathe of people visiting the popular anime streaming service Crunchyroll this weekend, you may have inadvertently downloaded malicious software. After the domain name service for the website was hijacked, Crunchyroll were dishing out malicious downloads alongside their usual repertoire of Japanese cartoons.

The attack purportedly took place on Saturday 4th November and lasted 150 minutes in total. The hackers were able to access Crunchyroll’s Cloudflare configuration file to redirect browsers to a fake homepage. The fake homepage then offered up a file download called ‘Crunchyrollviewer.exe’ to fool people into downloading and installing the malicious software.

According to an announcement from Ellation, Crunchyroll’s parent company:

We’ve identified this as an isolated attack on our Cloudflare layer, and not Crunchyroll itself. As such, our servers were not compromised in any way, and none of our users’ secure information and data was at risk. We take security very seriously, and will pursue this malicious attack on our users to the fullest extent of the law. We will continue to provide updates as we gather more information.

It’s of course a good thing that customers data remains safe, there are still victims out there who have downloaded and installed the malicious software; potentially resulting in fraudulent activity. Securityboulevard have reported that once installed, the malware downloads Meterpreter, which can allow attackers to completely control a machine.

If you are one of those unfortunate enough to have been deceived, Ellation have provided the steps necessary to remove the software:

If you downloaded but did not run the file, you are not exposed to the effects of this malware.

  • Delete “CrunchyViewer.exe” from your file system
  • As precaution, please perform a scan with an antivirus/anti-malware product

If you downloaded and ran the “CrunchyViewer.exe” application:

  • Delete “CrunchyViewer.exe” from your file system
  • Remove the malicious “Java” Run key (You can find Information on how to edit the Windows Registry in the Microsoft support database if you are unfamiliar with the steps)
  • Open Regedit, and browse to: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  • Delete the Java key
  • Remove the malicious binary, by navigating to: %appdata%\Roaming (for example: C:\Users\Yourusername\AppData\Roaming\)
  • Delete the ‘svchost.exe’ file
  • Perform a scan with your installed antivirus product

Crunchyroll now join the ever growing list of companies that have become victim to a high-profile hacking incident this year. CeX, Equifax and Deloitte and now Crunchyroll.

If you think your business may have been hacked, contact us, we can assist you.