Users visiting the popular Crunchyroll anime-streaming website from 03:30 to 06:00 Pacific Time on Sunday, Nov. 5, were redirected to a seemingly legitimate website asking them to install an updated version of their video player. The version, of course, was tampered with.
It’s uncertain how many users downloaded the malware during the 150 minutes the redirect was operating. The service blamed unauthorized access to its Cloudflare configuration. Although the window of opportunity for attackers was relatively brief, the streaming service is estimated to have 20 million users, making it plausible that some users might have been infected.
“The attackers redirected incoming visitors intended for the Crunchyroll.com website to a non-Crunchyroll-hosted server with the intent for visitors to download a malicious file, named ‘CrunchyViewer.exe,’” reads the official Crunchyroll statement. “This file is malware directly targeting Windows PC web users.”
Subsequent analysis of the malicious “CrunchyrollViewer.exe” file offered to users revealed it was a default Metasploit payload that acted as a backdoor into the victim’s system. Although the command and control server to which the malware connected was also online briefly, the reason behind the attack is still unclear.
The official Crunchyroll statement also emphasizes that no servers were actually compromised and no user data was at risk. However, the company posted a series of steps that potentially affected users need to take. For instance, those who downloaded the file but did not execute it should immediately delete it and perform a system scan using a security solution.
Step-by-step instructions are available for those who downloaded and installed the malware and need to remove it from their systems.