Malware Infection for Pale Moon v27.6.2 and earlier if downloaded from Pale Moon Archive.

chivracq
Posts: 9371
Joined: Sat Apr 13, 2013 1:07 pm
Location: Amsterdam (NL)

Post by chivracq » Wed Jul 10, 2019 10:06 pm

Oops...!! Pale Moon Users, be aware that if you downloaded a "previous" Version of PM, any Version v27.6.2 and earlier, from the Pale Moon Archive in the Timespan [2017-12-27 - 2019-07-09], you probably downloaded (and installed) a Malware-infected "Version" of the Pale Moon Setup Exe and Portable Versions. (... => containing some OS Clipboard Listener "waiting" for some Bitcoin Hash to be copied & pasted...)

This only applies to "previous" Versions at the time PM was downloaded from the Pale Moon Archive, and not if you downloaded the then-current PM Version at that time. 8)

More Info:
- Pale Moon says hackers added malware to older browser versions
The hack went undetected for more than 18 months, according to a breach notice published today by M.C. Straver, the Pale Moon lead developer.

[...]

Going after cryptocurrency users
Users who downloaded files from the archive server are advised to scan their systems or wipe and reinstall their workstations, to be on the safe side.

The Win32/ClipBanker.DY trojan is what security researchers call a clipboard hijacker. After it infects victims it sits in the operating system's background, watching the OS clipboard. This particular variant would watch for text snippets that looked like Bitcoin addresses and would replace them with a pre-configured address, in the hope of hijacking transactions towards a hacker's own wallet.

The trojan had been previously analyzed in an ESET report dated March 2018. Other versions of this same malware family also had support for replacing Monero addresses.
... => Which makes me wonder: if the Trojan was already known and analyzed in March 2018, why did the Infection not get detected on Users' PCs shortly after, and quickly linked back to the PM Archive...? :o
- (F)CI(M) = (Full) Config Info (Missing): iMacros + Browser + OS (+ all 3 Versions + 'Free'/'PE').
- I don't even read the Qt if that (required) Info is not mentioned...!
- Script & URL help a lot for more "educated" Help...
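As an added illustration of the clipboard-swap mechanism the quoted article describes (this is not code from the thread, from the ZDNet/ESET write-ups or from the Pale Moon project), the Python below simulates what a clipper does to clipboard text and shows the paste-time check a wallet front end or a careful user can apply. The regexes, the attacker address and the clipboard notes are constructed placeholders for the example; the one real value is the Bitcoin genesis-block address, used as a known-valid legacy address, and the checksum routine covers legacy Base58Check ('1'/'3') addresses only.

```python
import hashlib
import re

# Address shapes a clipper typically scans the clipboard for (patterns constructed
# for this example): legacy Base58 '1...'/'3...' addresses and bech32 'bc1...' addresses.
BTC_LEGACY = r"[13][a-km-zA-HJ-NP-Z1-9]{25,34}"
BTC_BECH32 = r"bc1[ac-hj-np-z02-9]{11,71}"
BTC_ADDRESS_RE = re.compile(rf"\b(?:{BTC_LEGACY}|{BTC_BECH32})\b")

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

# Real Bitcoin genesis-block address: stands in for "the address the user copied".
GENESIS_ADDR = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"
# Constructed placeholder for the attacker's wallet; matches the regex, has no valid checksum.
ATTACKER_ADDR = "1ATTACKERXXXXXXXXXXXXXXXXXXXXXXXXX"


def b58check_valid(addr: str) -> bool:
    """Base58Check validation for legacy addresses: decode, then compare the trailing
    4 bytes against the first 4 bytes of double-SHA256 over the rest."""
    n = 0
    for ch in addr:
        digit = B58_ALPHABET.find(ch)
        if digit < 0:
            return False
        n = n * 58 + digit
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    leading_zeros = len(addr) - len(addr.lstrip("1"))  # each leading '1' is a 0x00 byte
    raw = b"\x00" * leading_zeros + body
    if len(raw) < 5:
        return False
    payload, checksum = raw[:-4], raw[-4:]
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] == checksum


def clipper_rewrite(clipboard_text: str, attacker_addr: str) -> str:
    """What the hijacker does on every clipboard update: any Bitcoin address in the
    text is silently replaced with the attacker's address; other text is untouched."""
    return BTC_ADDRESS_RE.sub(attacker_addr, clipboard_text)


def paste_guard(copied: str, pasted: str) -> str:
    """Paste-time check before a transaction is signed. `copied` is the address the
    user obtained from a trusted place; `pasted` is what actually landed in the
    recipient field after travelling through the clipboard."""
    pasted = pasted.strip()
    if not BTC_ADDRESS_RE.fullmatch(pasted):
        return "not-an-address"
    if pasted != copied.strip():
        return "swapped"          # clipboard contents changed in transit
    if pasted[0] in "13" and not b58check_valid(pasted):
        return "bad-checksum"     # typo or corrupted legacy address (bech32 not checked here)
    return "ok"


if __name__ == "__main__":
    note = f"Please pay {GENESIS_ADDR} by Friday"   # constructed clipboard content
    print(clipper_rewrite(note, ATTACKER_ADDR))
    print(paste_guard(GENESIS_ADDR, clipper_rewrite(GENESIS_ADDR, ATTACKER_ADDR)))
```

In a real infection the attacker's replacement address is itself a well-formed address with a valid checksum, so checksum validation alone never reveals the swap; the comparison against the address actually copied (or against a saved address book entry) is the check that catches it, which is also why the quoted advice is to scan or reinstall the machine rather than rely on wallet-side checks.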
thecoder2012
Posts: 405
Joined: Sat Aug 15, 2015 5:14 pm
Location: Internet

Re: Malware Infection for Pale Moon v27.6.2 and earlier if downloaded from Pale Moon Archive.

Post by thecoder2012 » Thu Jul 11, 2019 5:58 am

:shock: :shock: :shock:
I have never used the archive or cnet for downloads in the past. Only the newest official version or portaleapps.com (clean?).
1. Official(!) sources: Data breach post-mortem and archive.palemoon.org (not accessible), because zdnet is only a secondary source.
2. "How to clean an infected system" information: Dangerous malware stealing bitcoin hosted on Download.com for years

@chivracq
Thanks for this report.
Join 9kw.eu Captcha Service now and let your iMacros continue downloads and scripts while you sleep. - Custom iMacros? Contact me! :idea: