Skip to content

Hola Browser for Windows Compromised in Supply Chain Attack to Deliver Cryptocurrency Miner

The Windows version of the Hola Browser has been compromised in a supply chain attack that delivered an undeclared executable identified by researchers as a cryptocurrency miner.

Hola is an Israeli company best known for its Hola VPN service, which allows users to route internet traffic through other users’ devices or paid proxy infrastructure. The company and its products have attracted controversy in the past due to opaque traffic-handling practices related to the operation of a commercial service called Luminati Networks.

The compromise was discovered by Sophos and other cybersecurity companies during periodic certification checks as part of Hola Browser’s AppEsteem certification testing procedure, which it had previously passed. The evaluation process involves app integrity checks to ensure that software meets certain standards.

During these checks, researchers found an undeclared executable named ‘me.exe’ being installed in some cases under C:\Program Files\Hola\. This file was not certified, had no timestamp, wasn’t digitally signed, and contained obfuscated code. The binary also had the ability to write to memory.

On closer examination by Sophos, signs were found that the binary was a Monero cryptocurrency miner, including strings pointing to its true nature. The miner adds a Windows Defender exclusion rule, copies itself to Program Files as ‘HolaMonitorService.exe,’ creates an auto-starting Windows service named ‘hola_monitor_svc,’ and runs when the computer is idle.

Hola was informed of the findings by AppEsteem and confirmed that they had suffered a supply chain compromise. The software vendor claims that only about 0.1% of its users were affected, with no evidence of user data access, theft, or compromise.

‘We have since completely rebuilt our distribution pipeline, implemented advanced code-signing verification, and introduced tighter access controls and continuous monitoring across our infrastructure,’ said Hola’s CEO, Avi Raz Cohen. ‘These measures are designed to ensure that only declared, certified, and signed components are ever delivered to our users.’

BleepingComputer has contacted Hola to request more information about how the breach occurred, who the perpetrators are, and whether clients on other platforms were also affected.

**Supply Chain Attack Details:

* The compromised executable was named ‘me.exe’ and located under C:\Program Files\Hola\.

* It had no timestamp, wasn’t digitally signed, contained obfuscated code, and could write to memory.

* Signs pointed to it being a Monero cryptocurrency miner, including strings indicating its true nature.

* The miner added a Windows Defender exclusion rule, copied itself to Program Files as ‘HolaMonitorService.exe,’ created an auto-starting Windows service named ‘hola_monitor_svc,’ and ran when the computer was idle.

**Impact:

* Only about 0.1% of Hola Browser users were affected by the supply chain attack.

* There is no evidence of user data access, theft, or compromise.

**Response from Hola:

* The company has rebuilt its distribution pipeline and implemented advanced code-signing verification.

* Tighter access controls and continuous monitoring have been introduced across their infrastructure.

Source: Original article

Leave a Reply

Your email address will not be published. Required fields are marked *