Pale Moon Archive Server Infected With Malware

Hackers broke the file server of the Pale Moon browser project and attacked the previous version of the browser with malicious software.

The lead developer of Pale Moon, Mr. C. Straver, said the hack was undetectable for more than 18 months.

The Pale Moon file server is used to host an earlier version of the Pale Moon browser, just in case if the user wants to downgrade from the current stable version.

“A malicious party gained access to the at the time Windows-based archive server (archive.palemoon.org) which we’ve been renting from Frantech/BuyVM and ran a script to selectively infect all archived Pale Moon .exe files stored on it (installers and portable self-extracting archives) with a variant of Win32/ClipBanker.DY (ESET designation),” Straver said today.

The Developer of Pale Moon said that he had heard about the breach on July 9 and immediately deleted the compromised archive server.

The breach happened in 2017

Attackers used scripts to inject the EXE files stored on the server with the Win32/ClipBanker.DY Trojan variant, so that users who later download the Pale Moon browser installer and extract the files themselves, to be infected by malware.

As said above the Pale Moon team discovered a security breach on July 9 and immediately shut down all connections to the affected server to prevent the malware from spreading to other users.

The exact date of the infection results from the timestamp of the infected file:

“According to the date/time stamps of the infected files, [the hack] happened on 27 December 2017 at around 15:30,” Straver said, following a subsequent investigation.

“It is possible that these date/time stamps were forged, but considering the backups taken from the files, it is likely that this is the actual date and time of the breach.”

In the month of May this year, the Pale Moon project missed the opportunity to spot an intrusion when the original archive server encountered data corruption and blocking issues.

The Pale Moon developer said that all Pale Moon was 27.6.2 and had already been infected. Interestingly, previous versions archived in the Basilisk web browser were not infected even though they were hosted on the same server.

“Unfortunately, after the incident that rendered the server inoperable, the files transferred to the new system were taken from a backup made earlier that was already in an infected state due to the passage of time that this breach has gone undetected, so the infected binaries were carried over to the new (CentOS) solution,” Straver said.

Pursuing users of cryptocurrency

It is recommended that users download files from the archive servers that scan their systems or remove and reinstall their desktops for added security.

Win32 / ClipBanker.DY – security researcher calls a trojan pirate clipboard. Once the victim is infected, it is at the bottom of the operating system and monitors the operating system clipboard. This particular variant looks for pieces of text that look like Bitcoin addresses and replaces them with addresses configured in the hope of hijacking transactions in the hacker’s wallet.