Pale Moon says hackers added malware to older browser versions

Server breach at Pale Moon browser project goes undetected for 18 months.

Pale Moon website

Hackers have breached the archive server of the Pale Moon browser project and tainted older browser versions with malware.

The hack went undetected for more than 18 months, according to a breach notice published today by M.C. Straver, the Pale Moon lead developer.

The Pale Moon "archive server" is used to host older versions of the Pale Moon browser, in case users want to downgrade from the current stable version.

"A malicious party gained access to the at the time Windows-based archive server (archive.palemoon.org) which we've been renting from Frantech/BuyVM, and ran a script to selectively infect all archived Pale Moon .exe files stored on it (installers and portable self-extracting archives) with a variant of Win32/ClipBanker.DY (ESET designation)," Straver said today.

The Pale Moon dev said he learned of the incident yesterday, July 9, and immediately took down the compromised archive server.

Hack took place way back in 2017

"According to the date/time stamps of the infected files, [the hack] happened on 27 December 2017 at around 15:30," Straver said, following a subsequent investigation.

"It is possible that these date/time stamps were forged, but considering the backups taken from the files, it is likely that this is the actual date and time of the breach."

The Pale Moon dev said all Pale Moon 27.6.2 and earlier were infected. Curiously, archived older versions of the Basilisk web browsers were not tainted, despite being hosted on the same server.

Ironically, the Pale Moon project missed a chance to detect the intrusion in May this year, when the original archive server encountered a data corruption issue and went down.

"Unfortunately, after the incident that rendered the server inoperable, the files transferred to the new system were taken from a backup made earlier that was already in an infected state due to the passage of time that this breach has gone undetected, so the infected binaries were carried over to the new (CentOS) solution," Straver said.

Going after cryptocurrency users

Users who downloaded files from the archive server are advised to scan their systems or wipe and reinstalls their workstations, to be on the safe side.

The Win32/ClipBanker.DY trojan is a what security researchers call a clipboard hijacker. After it infects victims it sits in an operating system's background, watching the OS clipboard. This particular variant would watch for text snippets that looked like Bitcoin addresses, and would replace them with a pre-configured address, in the hopes of hijacking transactions towards a hacker's own wallet.

The trojan had been previously analyzed in an ESET report dated March 2018. Other versions of this same malware family also had support for replacing Monero addresses.

More data breach coverage: