Hackers Infect Pale Moon Archive Server With a Malware Dropper

The Pale Moon web browser team announced today that their Windows archive servers were breached and the hackers infected all archived installers of Pale Moon 27.6.2 and below with a malware dropper on December 27, 2017.

According to the Pale Moon data breach post-mortem, the browser's main distribution channels were in no way affected :

This never affected any of the main distribution channels of Pale Moon, and considering archived versions would only be updated when the next release cycle would happen, at no time any current versions, no matter where they were retrieved from, would be infected.

Of note: only the .exe files on the server at the top level were affected. Files inside the archives (extract-able with 7-zip from the installers/portable versions or files inside the zip archives) were not modified.

A script was used by the attackers to inject the .exe files stored on the servers with a Win32/ClipBanker.DY Trojan variant so that users who would subsequently download Pale Moon browser installers and self-extracting archives would be infected with malware.

The Pale Moon team found out about the security breach on July 9 and it immediately severed all connections to the affected server (i.e., archive.palemoon.org) to stop the malware from further spreading to other users.

The exact infection date was deduced from the infected files' time stamps:

According to the date/time stamps of the infected files, this happened on 27 December 2017 at around 15:30. It is possible that these date/time stamps were forged, but considering the backups taken from the files, it is likely that this is the actual date and time of the breach.

The Pale Moon team was unable to gather more info on the security incident because of a separate incident (possibly related to this breach) took down the archive server on May 26.

That incident led to "widespread data corruption and being unable to boot or retrieve data from it. Unfortunately, that also means that system logs providing exact details of the breach were lost at that time."

As shown by the timestamps of the infected files, the attackers infected them locally using an automated process that injected a malicious payload of roughly 3MB into each executable file stored on the compromised server.

While the exact method used by the hackers to infiltrate the Pale Moon server is not yet known, the infection was possible via one of the following alternatives:

• Local access to the system (physical access), OR

• Access to the VM from a different VM on the same node (insufficient separation), OR

• Access to the VM from a different VM on the same local subnet through and insecure/hijacked remote desktop session (insufficient separation), OR

• Access to the VM file system via administrative access to the O.S. (potentially after brute-forcing credentials) over the network (e.g. SAMBA/WFS) (insufficient VMnet separation/not blocking FS ports in the node/DC), OR

• Access to the VM through remote access via the VM control panel (insecure control panel of the VM provider), OR

• An issue with the provided Windows Server image (which was pre-activated/volume licensed by the VM provider).

Users who have never downloaded installers are "almost certainly in the clear" as explained by the development team in the Pale Moon breach post-mortem .

To make sure, they can go through the steps for checking if the installers they downloaded were tampered with listed HERE , while those who downloaded an infected file should "do a full scan and clean of your system with reputable antivirus software to clean this malware."

The malware dropper used in the attack

While a Win32/ClipBanker.DY variant analyzed by ESET researchers back in March 2018 would automatically replace cryptocurrency wallets in its victims' clipboard, the  ClipBanker.DY variant used to infect the Pale Moon archived installers is indeed a malware dropper as disclosed in the breach post-mortem.

Malware dropper behavior

This dropper will infect the victim's computer with a clipper malware — detected by ESET as A Variant Of MSIL/Agent.B — after the malicious executable is launched.

Afterward, a scheduled task to execute the clipper on startup will be created in the background while the Pale Moon installer is launched in the foreground to distract the victim and camouflage the dropper's malicious activity.

The scheduled task being created

While we were able to analyze the behavior of the malware dropper used by the Pale Moon attackers, the clipper probably includes malware analysis and VM detection features because we were not able to launch it and get more info on its capabilities.