Popular anime streamer Crunchyroll is warning users to check their systems for malware, after attackers got access to its Cloudflare config and targeted Windows users with a malicious file.
The attack only lasted 150 minutes – from 0330 to 0600 Pacific Time on Sunday November 5 (when owner Ellation took the site down). As the site has 20 million users, that's still plenty of time for people to download the malicious file.
During the attack, as this post explains, people trying to visit Crunchyroll were directed to a site impersonating the service, offering “CrunchyrollViewer.exe” to visitors.
Infosec bod Bart Blaze took a look at what was in the malware here.
He writes that the malware dropped a
svchost.exe in the user's machine, and while running, it went back to a command-and-control server to download a Metasploit Meterpreter module.
Either Crunchyroll's response was fast enough to stop any truly nasty outcomes, or the attacker was merely trying his hand at malware, because that's as far as things went.
Anyone infected by the attack can get rid of the infection with a few steps (outlined at the Crunchyroll post linked above): remove the malicious .exe file, get rid of a malicious Java Run key from their registry, delete the
svchost.exe file, and run an antivirus scan. ®