Developers of the open source web browser Pale Moon revealed on Wednesday that the project’s archive server was compromised and all executable files were infected with malware.
Pale Moon is an open source browser that focuses on customization and efficiency. The project is forked from Firefox code, but it uses its own layout engine (Goanna) and still provides support for some legacy Firefox extensions. Last year, it reported having somewhere between 750,000 and 1.25 million users.
Pale Moon informed users that its archive server hosted at archive.palemoon.org was hacked and archived executables, including installers and PE files, were altered to include a malware dropper tracked by ESET as Win32/ClipBanker.DY. When users would run the malicious files, a piece of malware described as a “trojan/backdoor” would be dropped on their systems.
The incident was discovered on July 9 and the impacted server was immediately shut down. However, an investigation revealed, based on the timestamps of infected files, that the attackers may have gained access to the server as early as December 27, 2017.
“It is possible that these date/time stamps were forged, but considering the backups taken from the files, it is likely that this is the actual date and time of the breach,” Pale Moon developers said in a post on their forum.
The targeted files were likely infected locally rather than being uploaded remotely, with roughly 3 Mb of data being added to each of them.
However, Pale Moon developers have limited data for their investigation due to the fact that the archive server became completely inoperable in late May 2019, which resulted in system logs that could have contained information on how the attacker got in getting lost. The incident in May might have been caused by the same attackers or someone with similar access.
The most likely scenario, Pale Moon maintainers believe, is that the attack was possible due to poor security on the part of the VM provider, which is why a new hosting service will be used.
Pale Moon determined that the hackers altered all archived executable files for version 27.6.2 and below of the browser. Files stored outside the archive server were not affected.
Users who haven’t downloaded files from archive.palemoon.org are “almost certainly in the clear.” Users who are concerned that they may have downloaded a malicious file have been advised to use the PGP signature files or other methods described in the forum post to make sure they haven’t been tampered with.
“If you have inadvertently run an infected installer or portable self-extractor, I suggest you do a full scan and clean of your system with reputable antivirus software to clean this malware,” users have been advised.