Crunchyroll Streaming Service Redirects Users to Malicious Software

This week, the Alert Logic team highlights the Crunchyroll Malicious Software Redirect and how QtBot Adds Geographic Complexity to Malspam. Read the full report to learn more and get access to the week’s Top Malicious IP addresses.

Data Breach

Crunchyroll Streaming Service Redirects Users to Malicious Software

Last Saturday morning, users of the anime streaming service Crunchyroll were redirected to a new homepage that alerted subscribers to a “new media player” called CrunchyViewer. Visitors were prompted to download and run this new program to continue viewing content, but were in fact running malicious software on their systems.

Crunchyroll’s parent company, Ellation, stated that hackers hijacked the company’s Cloudflare configuration, steering users to a rogue server hosting the malware. The incident was considered an isolated attack and did not affect the actual website. The company is prompting users who downloaded and ran the software to delete the program, back up their data, and continue to scan for possible viruses and other malicious software.

References:  Crunchyroll Website Hack Tried To Infect Visitors With Malware | Crunchyroll's Website Redirected to Server With Malicious Software | Hybrid Analysis

Mitigation Strategies:

Malware

QtBot Downloader Adds Geographical Complexity to Malspam Campaigns

Researchers at Palo Alto Networks have uncovered new findings in the recent malspam campaigns, which now deploy either Locky ransomware or the TrickBot banking Trojan depending on the victim’s geographical location. The campaigns use QtBot, a replacement for malicious VBScripts, to query websites that provide geo-IP services and pinpoint the target’s geographical location. It is designed to deliver the TrickBot malware to targets in Great Britain, United Kingdom, Australia, Luxembourg, Belgium and Ireland. Targets outside those locations receive the Locky ransomware.

These attacks open up multiple fronts for network defenders and information security professionals because they create multiple threats that need to be addressed simultaneously. With these attack methods emerging, it’s critical for organizations to incorporate threat intelligence into their security strategy so that they are guided in the right direction and can create the most effective response plan.
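One way to hunt for the geo-gated delivery described above, as an added example that is not from the original report or from the researchers it cites: correlate a client's geo-IP lookup with an executable download by the same client shortly afterward. The log format, the `.example` host names, the content types checked and the 120-second window are all assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed placeholders: substitute the geo-IP lookup services seen on your network.
GEOIP_HOSTS = {"geoip.example", "iplookup.example"}
EXEC_TYPES = {"application/x-msdownload", "application/octet-stream"}
WINDOW = timedelta(seconds=120)  # assumed correlation window

# Constructed proxy log: time, client, destination host, path, response content type.
SAMPLE_LOG = """\
2024-01-15T09:14:02 10.0.0.21 geoip.example /json application/json
2024-01-15T09:14:05 10.0.0.21 cdn.files.example /update.bin application/octet-stream
2024-01-15T09:20:00 10.0.0.34 geoip.example /json application/json
2024-01-15T09:45:10 10.0.0.34 downloads.vendor.example /setup.exe application/x-msdownload
2024-01-15T10:01:00 10.0.0.50 news.example /index.html text/html
2024-01-15T10:01:30 10.0.0.50 downloads.vendor.example /tool.exe application/x-msdownload
"""

def parse(line):
    """Split one constructed log line into typed fields."""
    ts, client, host, path, ctype = line.split()
    return datetime.fromisoformat(ts), client, host, path, ctype

def find_geo_gated_downloads(log_text, window=WINDOW):
    """Return (client, geoip_host, download_host, path) for every executable
    download that follows a geo-IP lookup by the same client within `window`."""
    last_lookup = {}  # client -> (time, geo-IP host) of its most recent lookup
    hits = []
    # ISO timestamps lead each line, so a plain sort orders events by time.
    for line in sorted(filter(None, map(str.strip, log_text.splitlines()))):
        ts, client, host, path, ctype = parse(line)
        if host in GEOIP_HOSTS:
            last_lookup[client] = (ts, host)
            continue
        is_exec = ctype in EXEC_TYPES or path.lower().endswith((".exe", ".dll"))
        if is_exec and client in last_lookup:
            seen, geo_host = last_lookup[client]
            if ts - seen <= window:
                hits.append((client, geo_host, host, path))
    return hits

if __name__ == "__main__":
    for hit in find_geo_gated_downloads(SAMPLE_LOG):
        print("geo-IP lookup followed by executable download:", hit)
```

Legitimate installers and updaters also check location before downloading, so hits from a rule like this are leads for triage rather than verdicts.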

References: QtBot downloader discovered in geo-based Locky-Trickbot campaign | Locky or TrickBot? Depends Where You Are. Malicious Payload Delivery Tailored by Geographic Location

Mitigation Strategies:


This Week's Suspicious IP Addresses

139.162.55.215 185.94.111.1
98.123.248.88 203.94.248.88
61.142.209.202 185.35.63.139

*IP addresses provided by Recorded Future.