Hackers have breached the archive server of the Pale Moon browser project and tainted older browser versions with malware.
The hack went undetected for more than 18 months, according to a breach notice published today by M.C. Straver, the Pale Moon lead developer.
The Pale Moon “archive server” is used to host older versions of the Pale Moon browser, in case users want to downgrade from the current stable version.
“A malicious party gained access to the at the time Windows-based archive server (archive.palemoon.org) which we’ve been renting from Frantech/BuyVM, and ran a script to selectively infect all archived Pale Moon .exe files stored on it (installers and portable self-extracting archives) with a variant of Win32/ClipBanker.DY (ESET designation),” Straver said today.
The Pale Moon dev said he learned of the incident yesterday, July 9, and immediately took down the compromised archive server.
Hack took place way back in 2017
“According to the date/time stamps of the infected files, [the hack] happened on 27 December 2017 at around 15:30,” Straver said, following a subsequent investigation.
“It is possible that these date/time stamps were forged, but considering the backups taken from the files, it is likely that this is the actual date and time of the breach.”
The Pale Moon dev said all Pale Moon 27.6.2 and earlier were infected. Curiously, archived older versions of the Basilisk web browsers were not tainted, despite being hosted on the same server.
Ironically, the Pale Moon project missed a chance to detect the intrusion in May this year, when the original archive server encountered a data corruption issue and went down.
“Unfortunately, after the incident that rendered the server inoperable, the files transferred to the new system were taken from a backup made earlier that was already in an infected state due to the passage of time that this breach has gone undetected, so the infected binaries were carried over to the new (CentOS) solution,” Straver said.
Going after cryptocurrency users
Users who downloaded files from the archive server are advised to scan their systems or wipe and reinstalls their workstations, to be on the safe side.
The Win32/ClipBanker.DY trojan is a what security researchers call a clipboard hijacker. After it infects victims it sits in an operating system’s background, watching the OS clipboard. This particular variant would watch for text snippets that looked like Bitcoin addresses, and would replace them with a pre-configured address, in the hopes of hijacking transactions towards a hacker’s own wallet.
The trojan had been previously analyzed in an ESET report dated March 2018. Other versions of this same malware family also had support for replacing Monero addresses.
More data breach coverage:
- Marriott faces $123 million GDPR fine in the UK for last year’s data breach
- Smart home maker leaks customer data, device passwords
- Canonical GitHub account hacked, Ubuntu source code safe
- ‘Silence’ hackers hit banks in Bangladesh, India, Sri Lanka, and Kyrgyzstan
- Hackers breached Greece’s top-level domain registrar
- 7-Eleven Japanese customers lose $500,000 due to mobile app flaw
- A hacker assault left mobile carriers open to network shutdown CNET
- 90% of data breaches in US occur in New York and California TechRepublic
- Avast says hackers breached internal network through compromised VPN profile
- Microsoft says new Dexphot malware infected more than 80,000 computers
- Baldwin’s team says digital ad strategy provides road map
- Facebook sues Chinese company over ad fraud
- 1 of the missing ‘moon trees’ in New Mexico believed found
- Why you gain weight as you get older: Scientists discover the body's ability to remove fat from where it's stored slows drastically as you age
- The First-Ever Banner Ad on the Web
- How to control the ads you see online
- The 7 Best Open-Source Web Browsers
- What’s the Best Firefox Alternative Browser for Linux?