Threat Feed
high advisory

You do surprise me.exe: Unexpected Crypto-Miner in Hola Browser

Sophos X-Ops discovered that Hola Browser version 1.251.91.0 was distributed with an undeclared crypto-mining executable, me.exe, due to a supply chain compromise, leading to resource hijacking on affected Windows systems.

Sophos X-Ops recently uncovered a supply chain compromise affecting Hola Browser (version 1.251.91.0) during an AppEsteem certification test. An undeclared and unsigned executable, me.exe, was found bundled with the browser installer and subsequently dropped to C:\Program Files\Hola\. Analysis revealed me.exe to be a crypto-miner, identified by Sophos as Troj/GoMiner-B, which included characteristics such as obfuscated code and memory-write capabilities. This compromise, affecting approximately 0.1% of Hola Browser users, was attributed to anomalous activity within Hola's update distribution pipeline. Hola has since rectified the issue, rebuilt its pipeline, and implemented enhanced security measures to prevent future occurrences, with an independent forensic investigation corroborating the supply chain compromise.

Attack Chain

  1. Initial Access / Delivery: Users download Hola Browser version 1.251.91.0, which, due to a supply chain compromise in Hola's distribution pipeline, includes the undeclared crypto-miner me.exe.
  2. Execution: During the browser installation or initial launch, me.exe is dropped onto the system, typically in C:\Program Files\Hola\.
  3. Persistence Setup: me.exe copies itself to C:\Program Files\Hola\HolaMonitorService.exe to masquerade as a legitimate component.
  4. Persistence / Service Creation: The HolaMonitorService.exe binary creates a new Windows service named hola_monitor_svc, configured to automatically start and execute when the host is idle.
  5. Defense Evasion: The crypto-miner adds Windows Defender exclusions for itself so that it is neither detected nor terminated.
  6. Resource Hijacking: Once persistent and active, the hola_monitor_svc service (running HolaMonitorService.exe), an XMRig-based crypto-miner, begins mining cryptocurrency during periods of system idleness.
  7. Impact: The crypto-mining activity consumes significant CPU and GPU resources, leading to degraded system performance, increased power consumption, and potentially reduced hardware lifespan for the victim.

Impact

The primary impact of this compromise was resource hijacking on affected user systems. The me.exe crypto-miner, identified as Troj/GoMiner-B, consumed CPU and GPU resources to mine cryptocurrency, leading to severe degradation in system performance, increased electricity consumption, and potential hardware wear-and-tear for the estimated 0.1% of affected users. Beyond direct system performance, the supply chain compromise eroded user trust in a widely used application and highlighted the risks inherent in software distribution channels. Although Hola reported no user data was accessed or exfiltrated, the presence of an unauthorized executable posed a significant security risk, allowing an attacker to run arbitrary code on user machines.

Recommendation

  • Deploy the Sigma rules provided in this brief to your SIEM for detection of me.exe execution, HolaMonitorService.exe creation, and hola_monitor_svc service registration.
  • Enable Sysmon event logging for process_creation (Event ID 1), file_creation (Event ID 11), and registry_set (Event ID 13) to ensure telemetry for the rules in this brief.
  • Review systems for the presence of me.exe (SHA256: e3541caf708c075f0bb22fc68b03acd8457fea7cf0732ea935b1eb016d1c7721) or HolaMonitorService.exe in C:\Program Files\Hola\.
  • Ensure Hola Browser installations are updated to versions released after the fix to prevent exposure to the compromised distribution pipeline.

Detection coverage (3 rules)

Detect Hola Browser Bundled Crypto-Miner Execution

Severity: high

Detects the execution of the `me.exe` crypto-miner or its persistent variant `HolaMonitorService.exe`, known to be bundled with compromised Hola Browser installations.

Format: Sigma
Tactics: execution, initial_access, resource_hijacking
Techniques: T1059, T1195.002, T1496
Log sources: process_creation, windows

Detect Hola Crypto-Miner Service Creation via Registry

Severity: high

Detects the creation or modification of Windows Registry keys for the 'hola_monitor_svc' service, pointing to the bundled crypto-miner for persistence.

Format: Sigma
Tactics: persistence, resource_hijacking
Techniques: T1496, T1543.003
Log sources: registry_set, windows

Detect Windows Defender Exclusion for Hola Path

Severity: high

Detects attempts to configure Windows Defender exclusions for the 'C:\Program Files\Hola\' directory, a tactic used by the bundled crypto-miner.

Format: Sigma
Tactics: defense_evasion
Techniques: T1562.001
Log sources: process_creation, windows
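As an added example (not Sophos X-Ops' code and not the feed's published Sigma rules), the three detections above and the Sysmon telemetry called for in the recommendations are expressed below as Python checks run over Sysmon-style events. Event field names follow Sysmon's (Image, CommandLine, Hashes, TargetObject, Details), the sample events are constructed for illustration, and the Defender rule assumes the exclusion is created through the Add-MpPreference or Set-MpPreference cmdlet, which the brief does not state; it only says exclusions are created.

```python
# Added example (not Sophos X-Ops' or the feed platform's own code): applies the
# three detections described in this brief to Sysmon-style events. Field names
# follow Sysmon's; the sample events below are constructed for illustration.
import re
from dataclasses import dataclass

HOLA_DIR = "C:\\Program Files\\Hola\\"                    # install path from the brief
MINER_IMAGES = {"me.exe", "holamonitorservice.exe"}       # file names from the brief
MINER_SERVICE = "hola_monitor_svc"                        # service name from the brief
MINER_SHA256 = "e3541caf708c075f0bb22fc68b03acd8457fea7cf0732ea935b1eb016d1c7721"


@dataclass
class Alert:
    rule: str
    severity: str
    event: dict


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def rule_miner_execution(ev: dict):
    """Sysmon Event ID 1: me.exe / HolaMonitorService.exe launched from the
    Hola directory, or any image whose SHA256 matches the published IoC."""
    if ev.get("EventID") != 1:
        return None
    image = ev.get("Image", "")
    match = re.search(r"SHA256=([0-9A-Fa-f]{64})", ev.get("Hashes", ""))
    sha256 = match.group(1).lower() if match else ""
    by_name = (_basename(image) in MINER_IMAGES
               and image.lower().startswith(HOLA_DIR.lower()))
    if by_name or sha256 == MINER_SHA256:
        return Alert("Detect Hola Browser Bundled Crypto-Miner Execution", "high", ev)
    return None


def rule_service_registry(ev: dict):
    """Sysmon Event ID 13: a value written under the hola_monitor_svc service key."""
    if ev.get("EventID") != 13:
        return None
    target = ev.get("TargetObject", "").lower()
    if f"\\services\\{MINER_SERVICE}\\" in target:
        return Alert("Detect Hola Crypto-Miner Service Creation via Registry", "high", ev)
    return None


def rule_defender_exclusion(ev: dict):
    """Sysmon Event ID 1: a Defender preference cmdlet adding an exclusion that
    names the Hola directory (T1562.001). Assumption: the cmdlet route is used."""
    if ev.get("EventID") != 1:
        return None
    cmd = ev.get("CommandLine", "").lower()
    if (("add-mppreference" in cmd or "set-mppreference" in cmd)
            and "exclusionpath" in cmd
            and HOLA_DIR.lower().rstrip("\\") in cmd):
        return Alert("Detect Windows Defender Exclusion for Hola Path", "high", ev)
    return None


RULES = (rule_miner_execution, rule_service_registry, rule_defender_exclusion)


def evaluate(events):
    """Run every rule over every event; returns alerts in event order."""
    alerts = []
    for ev in events:
        for rule in RULES:
            alert = rule(ev)
            if alert is not None:
                alerts.append(alert)
    return alerts


# Constructed sample telemetry: four events that should alert, two that should not.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": "C:\\Program Files\\Hola\\me.exe",
     "Hashes": "SHA256=" + MINER_SHA256.upper()},
    {"EventID": 1, "Image": "C:\\Program Files\\Hola\\HolaMonitorService.exe",
     "Hashes": "SHA256=" + "0" * 64},              # hash unknown, file name still matches
    {"EventID": 13,
     "TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\hola_monitor_svc\\ImagePath",
     "Details": "C:\\Program Files\\Hola\\HolaMonitorService.exe"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -NoProfile -Command \"Add-MpPreference "
                    "-ExclusionPath 'C:\\Program Files\\Hola\\'\""},
    {"EventID": 1, "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "CommandLine": "chrome.exe --profile-directory=Default"},
    {"EventID": 13, "TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\Spooler\\Start",
     "Details": "DWORD (0x00000002)"},
]

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(f"[{alert.severity}] {alert.rule}: EventID={alert.event['EventID']}")
```

The execution rule matches on the hash alone as well as on the file name, so a renamed copy of the miner still fires when the Sysmon hash matches the IoC, while an unrelated `me.exe` outside the Hola directory does not; the benign Chrome and Spooler events in the sample set produce no alerts.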


Indicators of compromise (4: 1 hash_sha256, 2 file_path, 1 service_name)

Type           Value
hash_sha256    e3541caf708c075f0bb22fc68b03acd8457fea7cf0732ea935b1eb016d1c7721
file_path      C:\Program Files\Hola\me.exe
file_path      C:\Program Files\Hola\HolaMonitorService.exe
service_name   hola_monitor_svc