Hola Browser for Windows hijacked to install cryptominer

Summary
– The Windows version of Hola Browser was compromised in a supply chain attack that installed an undeclared cryptocurrency miner executable.
– The compromise was discovered during AppEsteem certification checks, involving Sophos and other cybersecurity firms.
– The malicious file, named ‘me.exe,’ was uncertified, unsigned, obfuscated, and identified as a Monero cryptocurrency miner.
– The miner adds a Windows Defender exclusion, copies itself as ‘HolaMonitorService.exe,’ creates a service called ‘hola_monitor_svc,’ and runs when the computer is idle.
– Hola confirmed the supply chain compromise, stated about 0.1% of users were affected with no evidence of data theft, and said it rebuilt its distribution pipeline with new security measures.
The Windows version of Hola Browser has been compromised in a supply chain attack, with researchers identifying an unauthorized executable that functions as a cryptocurrency miner. The incident came to light during routine certification checks for AppEsteem, a program the browser had previously passed.
Hola, an Israeli company best known for its Hola VPN service, routes internet traffic through other users’ devices or paid proxy infrastructure to bypass geographic restrictions. Its browser is built on Chromium and integrates VPN and proxy capabilities directly. The company has faced past controversy over opaque traffic handling tied to its commercial Luminati Networks service, which turned free users into proxies.
During recent integrity evaluations, Sophos and other cybersecurity firms involved in the certification process discovered an undeclared file named ‘me.exe’ installed in some cases under C:\Program Files\Hola\. This file was uncertified, lacked a timestamp, was unsigned, contained obfuscated code, and could write to memory. Upon deeper examination, Sophos identified signs that the binary was a Monero cryptocurrency miner, including strings pointing to its true purpose.
The miner adds a Windows Defender exclusion rule, copies itself to Program Files as ‘HolaMonitorService.exe,’ creates an auto-starting Windows service called ‘holamonitorsvc,’ and activates when the computer is idle.
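The indicators above (an unsigned, untimestamped binary under the install directory, a copy named ‘HolaMonitorService.exe,’ an auto-starting service, and a Windows Defender exclusion) map directly onto host checks a defender can run. The script below is an added triage example written for this page; it is not code from the article, from Hola, Sophos, AppEsteem, or BleepingComputer. It takes the path, file names and service names from the text (both service-name spellings that appear on the page are checked), and the `*Hola*` wildcard used to match Defender exclusions is an assumption. It relies only on built-in cmdlets (Get-AuthenticodeSignature, Get-CimInstance, Get-MpPreference) and should be run from an elevated session, since recent Defender builds hide exclusion lists from non-administrators.

```powershell
# Added triage example (not from the article or from Hola): looks for the indicators
# the report describes on a Windows host. Run from an elevated PowerShell session.

$InstallDir   = 'C:\Program Files\Hola'                  # install path named in the report
$FileNames    = @('me.exe', 'HolaMonitorService.exe')    # file names named in the report
$ServiceNames = @('holamonitorsvc', 'hola_monitor_svc')  # both spellings that appear in the report

$findings = New-Object System.Collections.Generic.List[string]

# 1. Unsigned or untimestamped PE files under the install directory.
#    The reported binary was unsigned and lacked a timestamp; a vendor enforcing
#    code-signing should ship only components with a valid, timestamped signature.
if (Test-Path -LiteralPath $InstallDir) {
    Get-ChildItem -LiteralPath $InstallDir -Recurse -File |
        Where-Object { $_.Extension -in '.exe', '.dll' } |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
            if ($sig.Status -ne 'Valid') {
                $findings.Add("Signature status $($sig.Status): $($_.FullName)")
            } elseif ($null -eq $sig.TimeStamperCertificate) {
                $findings.Add("Signed but not timestamped: $($_.FullName)")
            }
            if ($FileNames -contains $_.Name) {
                $findings.Add("Reported file name present: $($_.FullName)")
            }
        }
}

# 2. Persistence: the auto-starting service the miner registers.
#    Win32_Service exposes StartMode and the binary path, which Get-Service does not.
foreach ($name in $ServiceNames) {
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$name'" -ErrorAction SilentlyContinue
    if ($svc) {
        $findings.Add("Service '$($svc.Name)' present, StartMode=$($svc.StartMode), Path=$($svc.PathName)")
    }
}

# 3. Defense evasion: Defender path or process exclusions that mention Hola.
#    The '*Hola*' pattern is an assumption, not an indicator taken from the report.
try {
    $pref = Get-MpPreference -ErrorAction Stop
    foreach ($p in @($pref.ExclusionPath) + @($pref.ExclusionProcess)) {
        if ($p -and ($p -like '*Hola*')) {
            $findings.Add("Defender exclusion references Hola: $p")
        }
    }
} catch {
    $findings.Add("Could not read Defender preferences: $($_.Exception.Message)")
}

if ($findings.Count -eq 0) {
    Write-Output 'No indicators from the Hola cryptominer report found.'
} else {
    Write-Output "Indicators found ($($findings.Count)):"
    $findings | ForEach-Object { Write-Output "  - $_" }
}
```

Treat a signature-status hit as a lead rather than a verdict: some legitimate helper files ship unsigned, so the combination of an unexpected file name, the named service and a matching Defender exclusion is the stronger signal. A hit on the service or exclusion check is worth collecting the service's binary path and its hash before remediation, so the artifact can be compared against what the vendor's rebuilt, signed distribution actually ships.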
Hola acknowledged the breach after being notified by AppEsteem, confirming a supply chain compromise that was also independently detected by cybersecurity firm Sygnia. The company states that only about 0.1% of its users were affected, with no evidence of user data access, theft, or compromise. “We have since completely rebuilt our distribution pipeline, implemented advanced code-signing verification, and introduced tighter access controls and continuous monitoring across our infrastructure,” said Hola CEO Avi Raz Cohen. “These measures are designed to ensure that only declared, certified, and signed components are ever delivered to our users.”
BleepingComputer has reached out to Hola for more details on how the breach occurred, who the perpetrators are, and whether other platforms were affected, but has not yet received a response.
(Source: BleepingComputer)
