Anatomy of the Crunchyroll Hack and a Cursory Static Analysis of Malware (ISE Blog)


If you are an anime enthusiast, or just a Dragon Ball and Yu-Gi-Oh! head like me, you may have come across Crunchyroll (not linked, since this security incident is still ongoing as of this post) as a streaming solution. Crunchyroll is a popular paid streaming platform for East Asian media (e.g., anime, manga, and music).

On Nov. 4, 2017, an attacker (or attackers) hijacked Crunchyroll's DNS so that visitors were sent to a malicious domain impersonating Crunchyroll's site, with the aim of infecting users' computers and holding the data stored on them hostage. Details known to date suggest that the malware downloaded from the impersonating domain (a Trojan, not a self-replicating virus) contacts a command and control (C&C) server, which in turn delivers a ransomware payload to the infected system. On reboot, the ransomware encrypts the infected system's hard drive and demands a ransom, most likely payable in Bitcoin, before the data is released.