The Pale Moon web browser team announced today that its Windows archive server was breached and that the attackers infected every archived installer of Pale Moon 27.6.2 and earlier with a malware dropper on December 27, 2017.
According to the Pale Moon data breach post-mortem, the browser's main distribution channels were in no way affected:
This never affected any of the main distribution channels of Pale Moon, and considering archived versions would only be updated when the next release cycle happened, at no time would any current versions, no matter where they were retrieved from, have been infected.
Of note: only the .exe files on the server at the top level were affected. Files inside the archives (extractable with 7-zip from the installers/portable versions, or files inside the zip archives) were not modified.
The attackers used a script to inject the .exe files stored on the server with a Win32/ClipBanker.DY Trojan variant, so that users who subsequently downloaded Pale Moon installers and self-extracting archives from it would be infected.
The Pale Moon team learned of the breach on July 9 and immediately severed all connections to the affected server (archive.palemoon.org) to stop the malware from spreading to more users.
The exact infection date was deduced from the infected files' time stamps:
According to the date/time stamps of the infected files, this happened on 27 December 2017 at around 15:30. It is possible that these date/time stamps were forged, but considering the backups taken from the files, it is likely that this is the actual date and time of the breach.
The Pale Moon team was unable to gather more information on the security incident because a separate incident (possibly related to this breach) took down the archive server on May 26.
That incident led to "widespread data corruption and being unable to boot or retrieve data from it. Unfortunately, that also means that system logs providing exact details of the breach were lost at that time."
As the timestamps of the infected files show, the attackers infected them locally using an automated process that injected a malicious payload of roughly 3MB into each executable stored on the compromised server.
While the exact method the attackers used to get into the Pale Moon server is not yet known, the post-mortem lists the following possible vectors:
• Local access to the system (physical access), OR
• Access to the VM from a different VM on the same node (insufficient separation), OR
• Access to the VM from a different VM on the same local subnet through an insecure/hijacked remote desktop session (insufficient separation), OR
• Access to the VM file system via administrative access to the O.S. (potentially after brute-forcing credentials) over the network (e.g. SAMBA/WFS) (insufficient VMnet separation/not blocking FS ports in the node/DC), OR
• Access to the VM through remote access via the VM control panel (insecure control panel of the VM provider), OR
• An issue with the provided Windows Server image (which was pre-activated/volume licensed by the VM provider).
Users who never downloaded installers from the archive server are "almost certainly in the clear," as the development team explains in the Pale Moon breach post-mortem.
To be sure, they can follow the steps the post-mortem lists for checking whether the installers they downloaded were tampered with, while those who downloaded an infected file should "do a full scan and clean of your system with reputable antivirus software to clean this malware."
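One practical form of that tamper check, added here as an example rather than taken from the post-mortem or the Pale Moon project: hash every installer saved locally and compare it with SHA-256 values obtained from a trusted source (the project's own site or release notes, never the archive server that was compromised). The entries in $KnownGood are placeholders, an assumption to be replaced with real published values; the Authenticode column is only meaningful if the vendor signs its installers.

```powershell
# Added example: verify downloaded installers against reference hashes.
# $KnownGood maps file name -> SHA-256 published by a TRUSTED source.
# The single entry below is a PLACEHOLDER (assumption); replace it with
# real values from the project, not from the breached archive server.
$KnownGood = @{
    'example-installer.exe' = '0000000000000000000000000000000000000000000000000000000000000000'
}

function Test-InstallerIntegrity {
    param(
        [Parameter(Mandatory)] [string]    $Directory,   # folder holding the downloaded .exe files
        [Parameter(Mandatory)] [hashtable] $KnownGood    # name -> expected SHA-256 (hex)
    )
    Get-ChildItem -Path $Directory -Filter '*.exe' -File | ForEach-Object {
        $actual   = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash.ToLowerInvariant()
        $expected = $KnownGood[$_.Name]

        # A file with no reference hash cannot be vouched for either way.
        $verdict = if (-not $expected) { 'NO REFERENCE HASH' }
                   elseif ($actual -eq $expected.ToLowerInvariant()) { 'OK' }
                   else { 'MISMATCH - treat as tampered' }

        # For signed installers a tampered file shows HashMismatch here;
        # unsigned installers simply report NotSigned.
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName

        [pscustomobject]@{
            File      = $_.Name
            SizeMB    = [math]::Round($_.Length / 1MB, 2)   # a ~3MB jump over the expected size is itself a warning sign
            Sha256    = $actual
            Verdict   = $verdict
            Signature = $sig.Status
        }
    }
}

Test-InstallerIntegrity -Directory "$env:USERPROFILE\Downloads" -KnownGood $KnownGood |
    Format-Table -AutoSize
```

Run it in the folder where the installers were saved. Any MISMATCH, or an Authenticode status of HashMismatch, means the file should not be executed and the machine it was run on should be scanned and cleaned as the post-mortem advises.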
The malware dropper used in the attack
While the Win32/ClipBanker.DY variant analyzed by ESET researchers back in March 2018 would automatically replace cryptocurrency wallet addresses in its victims' clipboard, the ClipBanker.DY variant used to infect the Pale Moon archived installers is a malware dropper, as disclosed in the breach post-mortem.
This dropper will infect the victim's computer with a clipper malware — detected by ESET as A Variant Of MSIL/Agent.B — after the malicious executable is launched.
Afterward, a scheduled task to execute the clipper on startup is created in the background, while the legitimate Pale Moon installer is launched in the foreground to distract the victim and mask the dropper's activity.
While we were able to analyze the behavior of the malware dropper used by the Pale Moon attackers, the clipper itself probably includes anti-analysis and VM-detection features, because we were not able to launch it and learn more about its capabilities.
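Because the dropper persists through a scheduled task that fires at startup, a quick way to hunt for this kind of foothold on a Windows machine is to list every task with a logon or boot trigger whose executable lives outside the Windows and Program Files directories. The script below is an added example, not code from the post-mortem or from ESET; the task name the dropper uses is not given on this page, so the filter keys on trigger type and executable location instead, and the trusted root directories are an assumption to tune per machine.

```powershell
# Added example: list logon/boot scheduled tasks whose action runs from an
# untrusted location. $TrustedRoots is an assumption; adjust for the host.
# Requires the ScheduledTasks module (Windows 8 / Server 2012 or later);
# run elevated to see tasks owned by other accounts.
function Find-SuspiciousStartupTask {
    param(
        [string[]] $TrustedRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)})
    )
    Get-ScheduledTask | ForEach-Object {
        $task = $_

        # Keep only tasks that start with the session or the machine.
        $startsAtBoot = $task.Triggers | Where-Object {
            $_.CimClass.CimClassName -in 'MSFT_TaskLogonTrigger', 'MSFT_TaskBootTrigger'
        }
        if (-not $startsAtBoot) { return }

        foreach ($action in ($task.Actions | Where-Object { $_.Execute })) {
            # Expand %VARS% and strip quotes so the path can be compared.
            $exe = [Environment]::ExpandEnvironmentVariables($action.Execute).Trim('"')

            # A bare file name (no directory) also fails this test and is reported,
            # which is deliberate: it relies on PATH lookup and deserves a look.
            $trusted = $TrustedRoots | Where-Object {
                $_ -and $exe.StartsWith($_, [System.StringComparison]::OrdinalIgnoreCase)
            }
            if (-not $trusted) {
                [pscustomobject]@{
                    TaskName = $task.TaskName
                    TaskPath = $task.TaskPath
                    Execute  = $exe
                    Args     = $action.Arguments
                    Author   = $task.Author
                    State    = $task.State
                }
            }
        }
    }
}

Find-SuspiciousStartupTask | Format-Table -AutoSize
```

Tasks pointing into a user profile, %TEMP% or %APPDATA% are the ones to examine: check the executable's hash against the antivirus vendor's detection, and disable the task with Disable-ScheduledTask before removing the binary so it cannot respawn on the next logon.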