Popular Anime crunchyroll.com hijacked to distribute a keylogger

The popular Anime site Crunchyroll.com was hijacked to distribute malware, according to the operators the site was not hacked.

The popular Anime site Crunchyroll.com was hijacked to distribute malware, once discovered the hack, the operators have issued alerts informing visitors to don’t visit the site and later they took it offline.

The visitors were prompted to download and try a new desktop version of Crunchyroll software that was tainted with a malware.

“Their main page auto downloads a suspicious .exe file. So far I havent seen more info on their twitter about what happened.” reported a Reddit user.

It was a fake desktop application that was not offered by the Crunchyroll site.

According to Crunchyroll, attackers did not breach the website, it appears as a DNS hijack that redirected users to a bogus copy of the website used by the attackers to deliver the malware.

Lawrence Abrams from Bleepingcomputer.com has analyzed the malicious code delivered by the website, once executed it would extract an embedded base64 encoded file to %AppData%\svchost.exe and execute it.

When the malware starts, it will create an autostart called Java that executes the %AppData%\svchost.exe program when the victim logs into the computer.

According to the security researcher Bart Blaze who followed the hack, the malware was a keylogger.

“There are claims the malware will additionally install ransomware – I have not observed this behaviour, but it is definitely possible once the C2 sends back (any) commands. More likely, it is a form of keylogger – malware that can record anything you type, and send it back to the attacker.” wrote Blaze.

The good news for users infected by the malware is that it is easy to remove even if it is detected only by 25 out of 67 antivirus software.

 

To read the original article : http://securityaffairs.co/wordpress/65195/hacking/crunchyroll-hijacked-keylogger.html

Laisser un commentaire

Votre adresse de messagerie ne sera pas publiée. Les champs obligatoires sont indiqués avec *