erengy / taiga

A lightweight anime tracker for Windows
https://taiga.moe
GNU General Public License v3.0

CrunchyViewer.exe #489

Closed erengy closed 6 years ago

erengy commented 6 years ago

What happened?

Crunchyroll's website was hijacked, displaying a page with the following fake announcement:

A New Beginning, A New Media Player… Crunchyroll Viewer Stream your favorites animes in full 4k HD from anywhere! Support lasts crunchyroll features, inbuilt microtransactions management. Get your FREE trial now !

Unsuspecting users downloaded and executed a file named CrunchyViewer.exe, which was a malicious program.

Crunchyroll restored their website to normal, and published a blog post regarding the details of the attack.

What is the connection with Taiga?

Simply put, CrunchyViewer.exe is a modified version of Taiga, bundled with a virus. The people behind this incident took the source code of Taiga and renamed some instances of "Taiga" to "Crunchyroll" or "crunchyroll viewers". They didn't bother with changing them all, or distributing the application along with its data files. I imagine that they wanted to make it look like a legitimate application, with minimal effort.

Am I infected?

If you downloaded CrunchyViewer.exe and ran it on your Windows machine, then your system is likely infected. Otherwise, you should be safe.

How can I clean my system?

  1. Run regedit, go to HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and delete the registry value named Java.
  2. Open %AppData% directory (e.g. C:\Users\YOUR_USERNAME\AppData\Roaming\) and delete the file named svchost.exe.

If you don't know how, Bleeping Computer has a guide with pictures, describing these steps.

You may also want to block 145.239.41.131:6969.

Note that following these instructions may not suffice, so you should take other precautions such as scanning your computer with Malwarebytes.

See Hybrid Analysis and Blaze's Security Blog for technical details.
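The manual cleanup steps above as one PowerShell script. This is an added example written for this page, not Taiga's crunchyfix code and not anything posted in the issue. The indicators (the Run value named Java, svchost.exe under %AppData%, and 145.239.41.131:6969) are taken from the comment above; the firewall rule name, the assumption that the C2 traffic is TCP, and the step that records the file hash before deletion are my additions.

```powershell
# Added example: cleanup of the CrunchyViewer.exe infection described in this issue.
# Not the project's code. Indicators from the issue: HKCU Run value "Java",
# %AppData%\svchost.exe, C2 at 145.239.41.131:6969. Rule name, TCP protocol and
# hash logging are assumptions made for this example.

$RunKey    = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$ValueName = 'Java'
$Dropper   = Join-Path $env:APPDATA 'svchost.exe'
$C2Host    = '145.239.41.131'
$C2Port    = 6969

# 1. Persistence: record what the Run value points to, then remove it.
#    The key is under HKCU, so this needs no elevation.
$runValue = Get-ItemProperty -Path $RunKey -Name $ValueName -ErrorAction SilentlyContinue
if ($runValue) {
    Write-Host "Run value '$ValueName' points to: $($runValue.$ValueName)"
    Remove-ItemProperty -Path $RunKey -Name $ValueName
}

# 2. Running copy: the malicious svchost.exe lives in %AppData%, the genuine one in
#    System32. Match on the full path, not the process name, so real service hosts
#    are left alone. It runs as the current user, so Stop-Process needs no elevation.
Get-Process -Name 'svchost' -ErrorAction SilentlyContinue |
    Where-Object { $_.Path -and ($_.Path -ieq $Dropper) } |
    ForEach-Object { Stop-Process -Id $_.Id -Force }

# 3. Dropped file: keep the SHA-256 for later lookup (Hybrid Analysis etc.), then delete.
if (Test-Path -Path $Dropper) {
    $hash = (Get-FileHash -Path $Dropper -Algorithm SHA256).Hash
    Write-Host "Deleting $Dropper (SHA256 $hash)"
    Remove-Item -Path $Dropper -Force
}

# 4. Block the C2 endpoint. Unlike steps 1-3 this does require an elevated shell,
#    so it is skipped with a warning when the script is not running as administrator.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if ($principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    New-NetFirewallRule -DisplayName 'Block CrunchyViewer C2' -Direction Outbound `
        -Action Block -Protocol TCP -RemoteAddress $C2Host -RemotePort $C2Port | Out-Null
    Write-Host "Outbound traffic to ${C2Host}:$C2Port blocked"
} else {
    Write-Warning "Not elevated: skipping firewall rule for ${C2Host}:$C2Port"
}

# 5. Verify: both indicators should now be gone.
$left = @()
if (Get-ItemProperty -Path $RunKey -Name $ValueName -ErrorAction SilentlyContinue) { $left += 'Run value' }
if (Test-Path -Path $Dropper) { $left += 'dropped file' }
if ($left.Count -eq 0) { Write-Host 'Known indicators removed.' } else { Write-Warning "Still present: $($left -join ', ')" }
```

Run it in the infected user's own session, since both the Run key and the process belong to that user. As the thread notes further down, removing these two artifacts covers the known sample but cannot rule out a second-stage payload fetched while the C2 was live, so a full scan afterwards is still worth doing.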

bela333 commented 6 years ago

Is it possible to set up some sort of tracking, so we know how "popular" the malicious version of this software is? It seems like it GETs "taiga.moe/update/update_beta.xml" with the User Agent "Crunchyroll/1.3" whenever it starts up.

erengy commented 6 years ago

My server logs indicate that there are currently 3000+ IP addresses using Crunchyroll/1.3 as their user-agent string.
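The tracking idea from the previous two comments, worked through on constructed access-log lines: count the distinct client IPs whose update check carries the Crunchyroll/1.3 user agent. This is an added example, not erengy's server-side tooling, and the log lines below are made up in Apache/nginx combined format (RFC 5737 documentation addresses and invented timestamps).

```powershell
# Added example: estimating the infected population from update-server access logs.
# Not the project's code. The sample lines are constructed for this example; the
# request path and user-agent string come from the thread above.
$sampleLog = @'
203.0.113.10 - - [04/Nov/2017:10:01:02 +0000] "GET /update/update_beta.xml HTTP/1.1" 200 1532 "-" "Crunchyroll/1.3"
198.51.100.7 - - [04/Nov/2017:10:01:05 +0000] "GET /update/update_beta.xml HTTP/1.1" 200 1532 "-" "Taiga/1.2"
203.0.113.10 - - [04/Nov/2017:10:09:44 +0000] "GET /update/update_beta.xml HTTP/1.1" 200 1532 "-" "Crunchyroll/1.3"
192.0.2.55 - - [04/Nov/2017:10:12:31 +0000] "GET /update/update_beta.xml HTTP/1.1" 200 1532 "-" "Crunchyroll/1.3"
198.51.100.99 - - [04/Nov/2017:10:15:00 +0000] "GET / HTTP/1.1" 200 8044 "-" "Mozilla/5.0"
'@

# Combined log format: ip ident user [timestamp] "request" status bytes "referer" "user-agent"
$pattern = '^(?<ip>\S+) \S+ \S+ \[(?<ts>[^\]]+)\] "(?<req>[^"]*)" (?<status>\d{3}) \S+ "(?<ref>[^"]*)" "(?<ua>[^"]*)"$'

function Get-InfectedClients {
    param(
        [string[]]$Lines,
        [string]$UserAgent = 'Crunchyroll/1.3',
        [string]$Path      = '/update/update_beta.xml'
    )
    $Lines |
        ForEach-Object {
            if ($_ -match $pattern) {
                [pscustomobject]@{ Ip = $Matches.ip; Ua = $Matches.ua; Req = $Matches.req; Ts = $Matches.ts }
            }
        } |
        # Legitimate Taiga clients hit the same URL; the user agent is what separates them.
        Where-Object { $_.Ua -eq $UserAgent -and $_.Req -like "GET $Path *" } |
        Group-Object -Property Ip |
        Select-Object @{ n = 'Ip';       e = { $_.Name } },
                      @{ n = 'Checkins'; e = { $_.Count } },
                      @{ n = 'LastSeen'; e = { ($_.Group | Select-Object -Last 1).Ts } }
}

# For real logs replace the sample with: Get-Content -Path 'access.log'
$infected = @(Get-InfectedClients -Lines ($sampleLog -split "`r?`n"))
$infected | Format-Table -AutoSize
Write-Host "Distinct client IPs using '$($UserAgent = 'Crunchyroll/1.3')': $($infected.Count)"
```

Distinct IPs are a rough proxy for infected machines: several hosts behind one NAT collapse into a single address, while one laptop seen from several networks counts more than once, and the user-agent string is trivially spoofable. Treat the number as an estimate rather than an exact count.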

Sunconure11 commented 6 years ago

These are the IPs and ports associated with it:

145.239.41.131:6969
104.131.84.31:80
151.101.0.133:443

ShaunV2 commented 6 years ago

CR is fine now: https://twitter.com/Crunchyroll/status/926849277430718464 https://www.reddit.com/r/anime/comments/7arnns/crunchyroll_is_safe_and_back_to_normal/

It was already fixed before I even woke up.

erengy commented 6 years ago

I'm thinking if it'd be possible for me to release a targeted update to all infected machines, using Taiga's auto-update mechanism.

Is there anyone who can give me clear instructions on how to completely get rid of the malware? I'm not sure if simply deleting a registry key and an executable file suffices, and I don't have a testing environment at the moment.

At the very least, I might be able to release a pseudo-update to infected machines to inform the users about the incident and direct them to some useful web page.

agrecascino commented 6 years ago

https://github.com/agrecascino/CRCleaner Deploy this maybe?

erengy commented 6 years ago

@bartblaze has informed me that deleting the registry value and the executable file is indeed sufficient. I've gone ahead and created a new branch called crunchyfix. If anyone would like to test it, you may download it from here.

@agrecascino It seems that our code is quite similar. Is it necessary for the application to be run as administrator?

agrecascino commented 6 years ago

You could remove the check and test. I'm not sure how windows registry operations work.

agrecascino commented 6 years ago

It also kills the process if it's still running, and I'm not sure if that works without admin.

bartblaze commented 6 years ago

Since the registry key is in HKCU, administrator permission is not needed. Same goes for the process, as it runs in user-mode.

And, while indeed removing the registry key and the binary is sufficient, I can't speak for any second-stage payload that may have been downloaded in the early stage of the attack; however, when I investigated shortly after, I didn't observe any secondary malware.

Hope this helps, and thanks to @erengy for including a fix!

erengy commented 6 years ago

@agrecascino I did test on two separate machines. The application was able to delete the registry value, terminate the process, and delete the executable file, all without being elevated. I was just wondering if it might behave differently on different systems, as I'm not that familiar with how permissions work.

agrecascino commented 6 years ago

@erengy awesome, this can be automagically deployed?

erengy commented 6 years ago

I've now deployed an update that specifically targets infected machines. It displays this message to the user (let me know if you think that the wording can be improved):

IMPORTANT NOTICE: Crunchyroll's website was hacked. Unfortunately, you downloaded a file named "CrunchyViewer.exe" from there, which is in fact a virus.

If you press the Download button, this application will download an update that will try to clean your system automatically.

Otherwise, you may try to do it manually by following the instructions at this page: (link)

It should work, but I'd really appreciate it if someone with an infected VM could confirm.

agrecascino commented 6 years ago

@erengy Can confirm it works.

Atario commented 6 years ago

@erengy, you are awesome.

sachaw commented 6 years ago

Way to save Crunchyroll's ass for them, @erengy. Would be interesting to dig through all forks and work out who the culprit is (only if they did fork it).

wopian commented 6 years ago

Why would they have forked it? Easier to just clone it and make changes locally, leaving no traces (or even an account) behind.

sachaw commented 6 years ago

Look at things like this in the past; it's surprising how stupid people are.

erengy commented 6 years ago

It's been over a month since the incident, so I think we can consider this issue closed. For those who'd like to learn more, I've written a detailed blog post to share the events from my point of view.