
Hackers injected older versions of Pale Moon browser with malware


The open-source browser Pale Moon was breached, and the attackers planted malware in the browser binaries. The hack, which occurred in 2017, went undetected for nearly 18 months. It was by sheer accident that Pale Moon developers found the malware in the older versions of the browser stored on the "archive server," which exists so that users can downgrade to an older version for stability.

"According to the date/time stamps of the infected files, this happened on 27 December 2017 at around 15:30. It is possible that these date/time stamps were forged, but considering the backups taken from the files, it is likely that this is the actual date and time of the breach," Straver, lead developer of Pale Moon, wrote in a forum post about the timing of the attack.

“A malicious party gained access to the at the time Windows-based archive server (archive.palemoon.org) which we’ve been renting from Frantech/BuyVM, and ran a script to selectively infect all archived Pale Moon .exe files stored on it (installers and portable self-extracting archives) with a variant of Win32/ClipBanker.DY (ESET designation). Running these infected executables will drop a trojan/backdoor on your system that would potentially allow further compromise to it,” he said, while adding, “The moment this was reported to me on 2019-07-09, I shut down access to the archive server to prevent any potential further spread of infected binaries and to start an investigation.”

According to the developers, all Pale Moon 27.6.2 and earlier versions were infected, but older versions of the Basilisk web browser were not affected, even though they were hosted on the same server.
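The two checks the developers relied on, comparing the archived installers against backups and looking at the clustered modification timestamps, can be scripted for any download archive. The following is an added example, not code from the Pale Moon project; the manifest layout, the helper names and the sample paths in the comments are my own assumptions.

```python
import hashlib
import os

ARCHIVE_EXTS = (".exe",)


def sha256_file(path):
    """Hash a file in chunks so large installers need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root, exts=ARCHIVE_EXTS):
    """Map relative path -> (sha256, mtime) for every archived executable under root."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(exts):
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                manifest[rel] = (sha256_file(full), os.path.getmtime(full))
    return manifest


def find_tampered(baseline, current):
    """Diff a trusted manifest (e.g. built from backups) against the live archive."""
    changed = sorted(p for p in baseline if p in current and baseline[p][0] != current[p][0])
    added = sorted(p for p in current if p not in baseline)
    missing = sorted(p for p in baseline if p not in current)
    return {"changed": changed, "added": added, "missing": missing}


def modification_burst(manifest, window_seconds=3600):
    """Largest set of files whose mtimes fall within one window.

    A script that rewrites every archived .exe leaves a tight cluster of
    timestamps (the Pale Moon files all carried 27 Dec 2017, around 15:30),
    which stands out against an archive whose files normally span years.
    """
    times = sorted((mtime, path) for path, (_, mtime) in manifest.items())
    best, start = [], 0
    for end in range(len(times)):
        while times[end][0] - times[start][0] > window_seconds:
            start += 1
        if end - start + 1 > len(best):
            best = [path for _, path in times[start:end + 1]]
    return sorted(best)
```

Run `find_tampered(build_manifest("backup/archive"), build_manifest("live/archive"))` (paths assumed) on a schedule; a non-empty "changed" list, or a burst covering most of the archive, is the signal that would have caught this incident early.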

Earlier, web browser developer Mozilla announced that it had patched a vulnerability in its Firefox browser in response to a spear-phishing campaign targeting employees of the cryptocurrency exchange Coinbase. The company released the latest version of the Firefox browser and urged users to update.

The Coinbase security team and Google security researcher Samuel D. Gross discovered a zero-day vulnerability in the Mozilla Firefox browser that can be used to launch a cyber-attack using JavaScript objects, ZDNet reported.

“The bug can be exploited for RCE [remote code execution] but would then need a separate sandbox escape in order to run code on an underlying operating system. However, most likely it can also be exploited for UXSS [universal cross-site scripting] which might be enough depending on the attacker’s goals,” Gross said in a statement.