Hacked Pale Moon server distributed infected versions of the browser
Attackers compromised the server in December 2017, but it was only taken offline recently.
The developers of the Pale Moon browser reported that unknown attackers had compromised their archive server and infected the files stored on it with malware.
Pale Moon is an open-source browser focused on customization and performance. It is based on Firefox code but uses its own Goanna engine. Last year, Pale Moon had between 750 thousand and 1.25 million users.
According to the developers, the archive server archive.palemoon.org was compromised, and the executable files stored on it, including installers and other PE files, carried a malware downloader that ESET products detect as Win32/ClipBanker.DY. When a victim launches an infected file, a backdoor is installed on their system.
The incident was discovered on July 9, and the developers immediately shut down the compromised server. However, the timestamps on the files show that the attackers gained access to it as far back as December 2017. The attackers could have forged the timestamps, but the backup copies of the files indicate that the dates are reliable. It appears that the attackers injected the downloader locally rather than remotely, adding roughly 3 megabytes to each file.
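A defender-side check motivated by the detail above, added here as an illustration rather than code from the original report or the Pale Moon project: it parses a PE file's section table and reports how many bytes trail the last section (the "overlay"), which is where data appended to an existing executable ends up, along with the COFF header timestamp. The 1 MB threshold and the constructed sample image are assumptions.

```python
import struct
from datetime import datetime, timezone

SECTION_HDR = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes
COFF_HDR = "<HHIIIHH"          # IMAGE_FILE_HEADER, 20 bytes

def pe_overlay_info(data: bytes) -> dict:
    """Return the COFF timestamp, where the last section's raw data ends,
    and how many bytes trail it (the overlay). Nothing is executed."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    _, n_sections, stamp, _, _, opt_size, _ = struct.unpack_from(COFF_HDR, data, coff)
    sec_table = coff + 20 + opt_size
    end_of_sections = sec_table + 40 * n_sections
    for i in range(n_sections):
        off = sec_table + 40 * i
        size_raw, ptr_raw = struct.unpack_from("<II", data, off + 16)  # SizeOfRawData, PointerToRawData
        end_of_sections = max(end_of_sections, ptr_raw + size_raw)
    return {
        "compile_time": datetime.fromtimestamp(stamp, tz=timezone.utc).isoformat(),
        "end_of_sections": end_of_sections,
        "overlay_size": len(data) - end_of_sections,
    }

def overlay_suspicious(data: bytes, threshold: int = 1024 * 1024) -> bool:
    """Flag a PE whose trailing data is at least `threshold` bytes (assumed limit).
    Legitimate installers also carry overlays, so compare against a known-good build."""
    return pe_overlay_info(data)["overlay_size"] >= threshold

def build_minimal_pe(section: bytes, overlay: bytes, stamp: int) -> bytes:
    """Constructed sample: a minimal, non-runnable PE layout with one section
    plus arbitrary trailing bytes, used only to exercise the parser."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack(COFF_HDR, 0x14C, 1, stamp, 0, 0, 0, 0x102)
    raw_ptr = 0x200  # section raw data starts at a 512-byte boundary
    sec = struct.pack(SECTION_HDR, b".text", len(section), 0x1000,
                      len(section), raw_ptr, 0, 0, 0, 0, 0x60000020)
    img = dos + b"PE\0\0" + coff + sec
    img += b"\0" * (raw_ptr - len(img)) + section
    return img + overlay

if __name__ == "__main__":
    sample = build_minimal_pe(b"\x90" * 512, b"A" * (3 << 20), 1512086400)
    print(pe_overlay_info(sample), overlay_suspicious(sample))
```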
The investigation is complicated by a lack of data: the logs were lost when the server went down in May of this year. The server went down suddenly and all log entries were gone, so it is difficult to establish how the attackers compromised it.
According to the browser's developers, the compromise was made possible by insufficient server protection on the hosting provider's side. For this reason, the Pale Moon team has changed hosting providers.
The attackers infected executables for Pale Moon version 27.6.2 and earlier. Files stored outside the archive server were not affected. Users who downloaded the browser from somewhere other than archive.palemoon.org have nothing to fear. Those who may have obtained an infected version of Pale Moon are advised to run a full system malware scan.