The Pale Moon team announced on July 10, 2019 that its archive server was hacked and used to spread malware.

The team detected the breach on July 9, 2019 and shut down the archive server immediately to prevent further infections with malware. An analysis of the issue revealed that the infection most likely happened on December 27, 2017.

Update: Further analysis into the issue by the Pale Moon team revealed that the breach was likely more recent than initially assumed. Estimates suggest that the servers were breached between April and June 2019, and not December 2017. You can read the announcement here. End

The Archive server is used to serve older versions of Pale Moon; the browser's main distribution channels were not affected by the breach.

This never affected any of the main distribution channels of Pale Moon, and considering archived versions would only be updated when the next release cycle would happen, at no time any current versions, no matter where they were retrieved from, would be infected.

Additionally, the hacker infected only executable files of the browser and not files inside archives. Other programs hosted on the server, the web browser Basilisk, were not affected either.

According to the post mortem, the issue affected all archived executable files of Pale Moon 27.6.2 and earlier.

The team's investigation in the matter was severely impacted by another incident on May 26, 2019 that caused "widespread data corruption" on the archive server to the point where booting or data transfers were not possible anymore.

The hacker managed to sneak a script on the server that would run locally to infect the executable files on the server. The infection increased the size of the executable by about three Megabytes and planted a variant of Win32/ClipBanker.DY inside the executable.

Running these infected executables will drop a trojan/backdoor on your system that would potentially allow further compromise to it.

Bleeping Computer notes that the malware creates a scheduled task on the system in the background while Pale Moon's installer runs in the foreground.

Users who never downloaded Pale Moon from the Archive Server (archive.palemoon.org) are "almost certainly in the clear" according to Pale Moon's announcement.

The team recommends that users who downloaded the browser from the official site or archive site run a full virus scan on their systems to make sure they are clean. The infection signature is "known to all major antivirus vendors" according to the announcement; programs like Avira Antivirus, Avast Free Antivirus, BitDefender Free, or Kaspersky Free Antivirus.

There is also the option to check signature files or the digital signature of Pale Moon's executable. The digital signature is not available for all releases though so that its absence does not infer that the file is infected. The existence of a digital signature on the other hand is a clear indicator that the file is clean.

Archived versions of Pale Moon are accessible again on archive.palemoon.org. Dates indicate that directories were created on July 10, 2019.

Closing words

Pale Moon's main distribution channel was not affected by the hack which means that most users were not affected by the issue. The team has not released any archive server statistics and it is unclear how many users were potentially affected by the breach.

Pale Moon users should run a full virus scan on the system to make sure that their devices are not infected.

Summary Article Name Pale Moon's Archive Server hacked and used to spread malware Description The Pale Moon team announced on July 10, 2019 that its archive server was hacked and used to spread malware. Author Martin Brinkmann Publisher Ghacks Technology News Logo

Advertisement