
Archive server of Pale Moon web browser exploited for dropping malware

  • A Windows archive server belonging to the Pale Moon project was breached, and a trojan variant was planted in all of the browser’s installer packages.
  • Upon discovery, Pale Moon creator M.C. Straver said he cut off access to the affected server to prevent the malware from spreading.

Pale Moon, an open-source web browser, housed malware in all of its installers after attackers breached a Windows archive server belonging to the browser’s project. The installers were found to carry a trojan known as ‘Win32/ClipBanker.DY’. According to M.C. Straver, creator of Pale Moon, the attackers ran a script that infected every executable installer of the browser with the trojan. Once run, these infected executables could be used to load further malware onto the system.

Key highlights

  • It was reported that the installers were infected on 27 December 2017; however, the incident came to light only on July 9 this year.
  • Straver noted that the system logs that could have provided more details on this breach were lost in a separate data corruption incident.
  • Affected files include all executables of Pale Moon 27.6.2 and below; other files remained unaffected.
  • ‘Win32/ClipBanker.DY’ is a trojan that gains root access to the operating system and looks for sensitive text in the system in order to hijack payment-related transactions.

Worth noting

In a breach report, Straver mentions that the executable files were infected quickly, one after the other, on the server itself. “Judging by the modified time stamps, the files were infected in rapid succession, increasing the file size by about 3 MB of malicious payload. They were infected locally on the system, most likely with a script performing direct file manipulations. The infected files were not uploaded remotely in their infected state,” wrote Straver.
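The two indicators Straver describes, a run of modification timestamps in rapid succession and a uniform size increase across every executable, are exactly what a periodic integrity check over a release archive can catch. The script below is an added example and is not code from the Pale Moon project or from the breach report. It assumes the operator recorded a manifest of SHA-256 hashes and sizes while the archive was known-good, and it uses a constructed sample archive with a small appended payload stub standing in for the roughly 3 MB payload mentioned above; the burst window and minimum-count thresholds are arbitrary choices for illustration.

```python
import hashlib
import os
import tempfile
from dataclasses import dataclass

# Constructed stand-in for the appended malicious payload (kept small for the demo).
PAYLOAD_STUB = b"\x00" * 3000


@dataclass
class Finding:
    name: str    # file name, or "*" for an archive-wide observation
    reason: str


def sha256_of(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(directory: str) -> dict:
    """Record (sha256, size) of every file while the archive is known-good."""
    manifest = {}
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if os.path.isfile(path):
            manifest[name] = (sha256_of(path), os.path.getsize(path))
    return manifest


def check_archive(directory: str, manifest: dict,
                  burst_window_s: int = 300, burst_min: int = 3) -> list:
    """Compare the archive against the manifest and flag tampering indicators."""
    findings = []
    tampered_mtimes = []
    for name, (expected_hash, expected_size) in sorted(manifest.items()):
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            findings.append(Finding(name, "missing from archive"))
            continue
        st = os.stat(path)
        if sha256_of(path) != expected_hash:
            delta = st.st_size - expected_size
            findings.append(Finding(name, f"hash mismatch, size changed by {delta:+d} bytes"))
            tampered_mtimes.append(st.st_mtime)
    # Many tampered files modified within a short window points at a local
    # script rewriting files in place rather than individual re-uploads.
    if len(tampered_mtimes) >= burst_min:
        span = max(tampered_mtimes) - min(tampered_mtimes)
        if span <= burst_window_s:
            findings.append(Finding("*", f"{len(tampered_mtimes)} tampered files modified "
                                         f"within {span:.0f}s (bulk local modification)"))
    return findings


def build_sample_archive() -> tuple:
    """Constructed sample: three installer executables plus one non-executable file."""
    directory = tempfile.mkdtemp(prefix="archive-")
    files = {
        "browser-27.6.2.win32.installer.exe": b"MZ" + b"A" * 1024,
        "browser-27.6.1.win32.installer.exe": b"MZ" + b"B" * 1024,
        "browser-27.6.0.win32.installer.exe": b"MZ" + b"C" * 1024,
        "README.txt": b"release notes\n",
    }
    for name, data in files.items():
        with open(os.path.join(directory, name), "wb") as f:
            f.write(data)
    manifest = build_manifest(directory)
    # Simulate the incident: a local script appends a payload to every .exe,
    # a few seconds apart. The base timestamp is a constructed value.
    base = 1514332800
    for i, name in enumerate(n for n in sorted(files) if n.endswith(".exe")):
        path = os.path.join(directory, name)
        with open(path, "ab") as f:
            f.write(PAYLOAD_STUB)
        os.utime(path, (base + 5 * i, base + 5 * i))
    return directory, manifest


def run_demo() -> list:
    directory, manifest = build_sample_archive()
    return check_archive(directory, manifest)


if __name__ == "__main__":
    for finding in run_demo():
        print(f"{finding.name}: {finding.reason}")
```

In this run every executable is reported with a hash mismatch and an identical positive size delta, the README is not reported, and an archive-wide finding notes that the three tampered files were modified within ten seconds of each other. Storing the manifest off the archive host matters: a manifest kept beside the files can be rewritten by the same script that rewrites the installers.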
