Crunchyroll Website Redirected Visitors to Malicious Server via DNS Hijacking

On November 4, anime site Crunchyroll became a victim of a DNS attack when hackers accessed the site’s Cloudflare configuration and altered it to redirect visitors to a malicious server programmed to infect systems running Windows OS with malware. This malware, namedCrunchyViewer.exe to masquerade as a video application, was determined by some analysts to be a remote access trojan with keylogging capabilities. Crunchyroll administrators resolved the issue and issued a notice to alert potential victims. The NJCCIC recommends all Crunchyroll visitors who accessed the site during the affected timeframe and downloaded the malicious file review the CrunchyRoll notice and follow the malware-removal instructions provided if their antivirus software did not detect and remove the malware. We also recommend that website owners and administrators maintain awareness of various DNS attacks and properly configure and secure their DNS infrastructure and applications, including configuring forwarders to only process recursive queries from internal IP addresses, to reduce their risk.