Hola Browser Compromised in Supply Chain Attack Delivering Cryptominer

Hola Browser for Windows Suffers Supply Chain Attack Distributing Monero Miner

Severity: HIGH
June 9, 2026
Categories: Supply Chain Attack, Malware

Impact Scope

People Affected: 0.1% of Hola Browser users
Industries Affected: Technology

Related Entities

Organizations: Sophos, Sygnia
Products & Tech: Hola Browser, Monero
Other: Hola, XMRig

Full Report

Executive Summary

A supply chain attack compromised the Windows version of Hola Browser. The attackers injected a malicious, unsigned cryptocurrency miner into the software's delivery pipeline, so that users who installed or updated to the affected version received the malware alongside the legitimate browser. The payload, a Monero (XMR) miner built on XMRig, was configured to run only while the infected computer was idle so that it would not be noticed. Sophos and other security firms discovered the compromise during a routine certification test. Hola has confirmed the incident, stating that it affected about 0.1% of users and that the company has since rebuilt its distribution infrastructure with additional security controls.


Threat Overview

This incident is a classic software supply chain attack: rather than exploiting a flaw on the victim's own systems, the attackers compromised the process by which the software is built or distributed, so that every downstream user who installed or updated from the official channel received the malicious payload together with a product they trusted.

Technical Analysis

  1. Compromise: The attackers gained access to Hola's software distribution pipeline. The exact method has not been disclosed; plausible routes include compromised developer or CI/CD credentials, a vulnerable build or update server, or tampering with the packaging step. Because the injected file was unsigned (see Mitigation), the attackers did not need Hola's code signing key, which suggests the pipeline did not verify the signature of every file it shipped.
  2. Injection: The attackers injected a malicious, unsigned executable named me.exe into the installation package for Hola Browser version 1.251.91.0.
  3. Installation & Persistence: When a user installed or updated to the compromised version, me.exe was also installed. The malware would then:
    • Copy itself to C:\Program Files\Hola\app\HolaMonitorService.exe.
    • Create an auto-starting Windows service named hola_monitor_svc to ensure persistence across reboots.
    • Add an exclusion for itself in Windows Defender to evade detection.
  4. Execution: The malware was a Monero (XMR) cryptominer. It was configured to only activate when the computer was idle to minimize performance impact and avoid arousing user suspicion. This practice is known as cryptojacking.
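The four steps above leave concrete artifacts on a host: the service, the dropped binary, the Defender exclusion and the installed product version. The following PowerShell function is an added example, not code from the article or from Hola, that checks a single Windows machine for all four without modifying anything. The service name, file path and version string are the values reported in the analysis; the Hola display name used in the registry lookup is an assumption. Run it from an elevated PowerShell 5.1 or later session; the Defender check is skipped if the Defender cmdlets are not present.

```powershell
# Added example (not from the original article or from Hola): read-only triage of
# one Windows host for the artifacts described in the Technical Analysis.
function Test-HolaMinerArtifacts {
    [CmdletBinding()]
    param(
        # Defaults are the values reported in the article.
        [string]$ServiceName = 'hola_monitor_svc',
        [string]$BinaryPath  = 'C:\Program Files\Hola\app\HolaMonitorService.exe',
        [string]$BadVersion  = '1.251.91.0'
    )

    $findings = New-Object System.Collections.Generic.List[object]
    function Add-Finding([string]$Check, [string]$Status, [string]$Detail) {
        $findings.Add([pscustomobject]@{ Check = $Check; Status = $Status; Detail = $Detail })
    }

    # 1. Persistence: the auto-starting service. Win32_Service exposes StartMode and the image path.
    $svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'" -ErrorAction SilentlyContinue
    if ($svc) {
        Add-Finding 'Service' 'SUSPECT' ("{0} State={1} StartMode={2} Path={3}" -f $svc.Name, $svc.State, $svc.StartMode, $svc.PathName)
    } else {
        Add-Finding 'Service' 'CLEAN' "No service named $ServiceName"
    }

    # 2. Dropped binary: presence, SHA-256 for IOC sharing, and Authenticode status
    #    (the article reports the injected file was unsigned, so expect NotSigned).
    if (Test-Path -LiteralPath $BinaryPath) {
        $hash = (Get-FileHash -LiteralPath $BinaryPath -Algorithm SHA256).Hash
        $sig  = Get-AuthenticodeSignature -LiteralPath $BinaryPath
        Add-Finding 'Binary' 'SUSPECT' ("{0} SHA256={1} Signature={2}" -f $BinaryPath, $hash, $sig.Status)
    } else {
        Add-Finding 'Binary' 'CLEAN' "File not present: $BinaryPath"
    }

    # 3. Defence evasion: any Defender path or process exclusion covering the binary or its folder.
    if (Get-Command Get-MpPreference -ErrorAction SilentlyContinue) {
        $pref = Get-MpPreference
        $dir  = Split-Path -Path $BinaryPath -Parent
        $hits = @($pref.ExclusionPath) + @($pref.ExclusionProcess) |
            Where-Object { $_ -and ($_ -like "$dir*" -or $_ -like '*HolaMonitorService.exe') }
        if (@($hits).Count -gt 0) {
            Add-Finding 'DefenderExclusion' 'SUSPECT' (@($hits) -join '; ')
        } else {
            Add-Finding 'DefenderExclusion' 'CLEAN' 'No exclusion matches the Hola path'
        }
    } else {
        Add-Finding 'DefenderExclusion' 'SKIPPED' 'Defender cmdlets not available on this host'
    }

    # 4. Exposure: installed Hola version from the Uninstall keys (DisplayName pattern is an assumption).
    $uninstall = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    $hola = @(Get-ItemProperty -Path $uninstall -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Hola*' })
    foreach ($app in $hola) {
        $status = if ($app.DisplayVersion -eq $BadVersion) { 'SUSPECT' } else { 'INFO' }
        Add-Finding 'InstalledVersion' $status ("{0} {1}" -f $app.DisplayName, $app.DisplayVersion)
    }
    if ($hola.Count -eq 0) { Add-Finding 'InstalledVersion' 'INFO' 'No Hola entry in the Uninstall keys' }

    return $findings
}

# Usage: Test-HolaMinerArtifacts | Format-Table -AutoSize
```

A host that reports SUSPECT on the service or binary checks should be isolated and imaged before the service is removed, since the binary's hash and the service's creation time are the evidence that ties it back to the installer version. A CLEAN result for the exclusion check is not proof the exclusion was never present; the Defender operational log (Event ID 5007) records when exclusions were added and removed.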

Impact Assessment

While Hola claims only 0.1% of users were affected and no user data was stolen, the impact of a supply chain attack is significant:

  • Erosion of Trust: A supply chain attack damages the reputation of the software vendor. Users trust that software downloaded from an official source is safe, and this incident violates that trust.
  • Resource Hijacking: The cryptominer consumes the victim's CPU cycles and electricity, leading to higher energy bills, reduced system performance, and increased wear and tear on hardware.
  • Potential for Further Compromise: While this payload was 'only' a cryptominer, the attackers had the ability to distribute any malware they chose, including spyware, ransomware, or banking trojans. The presence of the miner indicates a foothold that could have been used for more destructive purposes.

IOCs — Directly from Articles

  • File Name: me.exe. The malicious, unsigned executable injected into the installer; the initial dropper.
  • File Name: HolaMonitorService.exe. The name the malware copied itself to, under C:\Program Files\Hola\app\.
  • Service Name: hola_monitor_svc. The auto-starting Windows service the malware created for persistence.
  • Software Version: Hola Browser 1.251.91.0. The installer version into which me.exe was injected.

Cyber Observables — Hunting Hints

Security teams should hunt for signs of cryptojacking:

  • Process Name: HolaMonitorService.exe. The presence of this process, or of the file at C:\Program Files\Hola\app\HolaMonitorService.exe, is a high-fidelity indicator of this particular compromise.
  • Network Traffic Pattern: Connections to Monero mining pools. Monitor for connections from endpoints to known XMR mining pool domains or IP addresses, commonly on ports such as 3333, 5555 and 7777. Port matching alone is weak evidence: XMRig can be pointed at any port and can wrap the stratum protocol in TLS, so pair it with pool-domain threat lists and, for cleartext sessions, the stratum JSON-RPC methods ("login", "submit") in the payload.
  • Endpoint Metric: Sustained high CPU usage when idle. An EDR or performance monitoring tool showing a non-system process consuming high CPU while the user is inactive is a classic sign of cryptojacking. An idle-gated miner such as this one inverts the normal workload profile: CPU rises when keyboard and mouse input stops and drops again when the user returns.
  • Windows Defender: Exclusions for HolaMonitorService.exe. Check the Defender configuration (Get-MpPreference, or the Exclusions\Paths key under HKLM\SOFTWARE\Microsoft\Windows Defender) for any exclusion covering this file or the C:\Program Files\Hola\app folder. Defender records each configuration change as Event ID 5007 in the Microsoft-Windows-Windows Defender/Operational log, which gives a timestamp for when the exclusion was added. Adding an exclusion, writing under Program Files and installing a service all require administrator rights, which implies the malicious component ran elevated, most likely in the context of the installer.
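The live-state checks above tell you what is on the box now; the event logs tell you when it got there and what put it there. The following function is an added example, not from the article, that hunts the three log sources that record this chain: the System log for service installation (Event ID 7045, whose ServiceName and ImagePath fields are standard), the Defender operational log for configuration changes (Event ID 5007; the text match assumes the default English message template), and Sysmon, if deployed, for process creation (Event ID 1, Image field) and file creation (Event ID 11, TargetFilename field) of the two file names from the IOC list.

```powershell
# Added example (not from the original article): hunt Windows event logs for the
# service install, Defender exclusion and file/process artifacts of this compromise.
function ConvertFrom-EventData {
    # Flatten <EventData><Data Name="...">value</Data> elements into a hashtable.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $table = @{}
    $xml = [xml]$Event.ToXml()
    foreach ($d in $xml.Event.EventData.Data) {
        if ($d.Name) { $table[$d.Name] = $d.'#text' }
    }
    return $table
}

function Find-HolaMinerEvents {
    [CmdletBinding()]
    param([int]$Days = 30)

    $since   = (Get-Date).AddDays(-$Days)
    $results = New-Object System.Collections.Generic.List[object]
    function Add-Hit($Time, $Source, $Detail) {
        $results.Add([pscustomobject]@{ Time = $Time; Source = $Source; Detail = $Detail })
    }

    # 1. Service installation: System log, Event ID 7045 from the Service Control Manager.
    $svcEvents = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045; StartTime = $since } -ErrorAction SilentlyContinue
    foreach ($e in $svcEvents) {
        $d = ConvertFrom-EventData $e
        if ($d['ServiceName'] -eq 'hola_monitor_svc' -or $d['ImagePath'] -like '*HolaMonitorService.exe*') {
            Add-Hit $e.TimeCreated 'System/7045' ("ServiceName={0} ImagePath={1} Account={2}" -f $d['ServiceName'], $d['ImagePath'], $d['AccountName'])
        }
    }

    # 2. Defender exclusion added: Event ID 5007 (configuration changed) in the Defender operational log.
    $defEvents = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 5007; StartTime = $since } -ErrorAction SilentlyContinue
    foreach ($e in $defEvents) {
        if ($e.Message -match 'Exclusions' -and $e.Message -match 'Hola') {
            Add-Hit $e.TimeCreated 'Defender/5007' (($e.Message -split "`r?`n")[0])
        }
    }

    # 3. Sysmon, if deployed: process creation (EID 1) and file creation (EID 11) for the two file names.
    $sysEvents = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1, 11; StartTime = $since } -ErrorAction SilentlyContinue
    foreach ($e in $sysEvents) {
        $d = ConvertFrom-EventData $e
        $path = if ($e.Id -eq 1) { $d['Image'] } else { $d['TargetFilename'] }
        # me.exe is a generic file name: treat hits on it as leads to triage, not as confirmation.
        if ($path -like '*\me.exe' -or $path -like '*\HolaMonitorService.exe') {
            Add-Hit $e.TimeCreated "Sysmon/$($e.Id)" ("Path={0} Parent={1}" -f $path, $d['ParentImage'])
        }
    }

    return $results | Sort-Object Time
}

# Usage: Find-HolaMinerEvents -Days 60 | Format-Table -AutoSize
```

The 7045 hit is the most useful single record: its AccountName field shows which account installed the service, and its timestamp, set beside the Hola installer's file creation time, establishes whether the service appeared during the install or update. Logs that have rolled over will not return anything, so run the hunt with the longest window your retention allows.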

Detection & Response

  1. Behavioral Monitoring: Use EDR solutions to monitor for signs of cryptojacking, such as sustained high CPU usage from an unsigned or unusual process. This is an application of D3-PA: Process Analysis.
  2. Software Inventory: Maintain a software inventory and use it to identify every machine that installed or updated to Hola Browser version 1.251.91.0, the version into which the miner was injected, and treat those machines as candidates for the artifact checks above.
  3. Threat Intelligence: Ingest IOCs like the file names and service names associated with this attack into your SIEM and EDR to hunt for compromised systems.

Mitigation

  1. M1045 - Code Signing: For software vendors like Hola, enforcing strict code signing on all binaries in the build and distribution pipeline is critical. The fact that the malicious file was unsigned was a key finding during the investigation.
  2. M1038 - Execution Prevention: On the user side, application control policies that prevent the execution of unsigned executables can provide a layer of protection against such attacks.
  3. Vendor Security Assessment: Organizations should consider the security practices of their software vendors as part of their procurement and risk management process.
  4. Remove/Update Software: Users of Hola Browser for Windows should ensure they have updated to the latest version or consider uninstalling the software if it is not essential. Updating the browser does not by itself guarantee that a separately installed service is removed, so after updating, confirm that the hola_monitor_svc service, the HolaMonitorService.exe file and any Defender exclusion for it are gone, and remove them if they are not.

Timeline of Events

June 4, 2026: Security researchers report the discovery of a cryptominer being distributed by Hola Browser.
June 9, 2026: This article was published.

MITRE ATT&CK Mitigations

For vendors, strictly enforcing that all distributed binaries are code-signed helps prevent the injection of malicious unsigned files.

For vendors, regularly scanning build and distribution servers for vulnerabilities is crucial to prevent the initial compromise that enables a supply chain attack.

For users, up-to-date antivirus and EDR solutions can detect known cryptominers and their behaviors, such as high CPU usage.

D3FEND Defensive Countermeasures

This supply chain attack succeeded because a malicious binary was added to a legitimate software package. For Hola, a key mitigation is to implement stringent verification throughout the build and release pipeline. This means automatically verifying the digital signature of every file included in the final installer and comparing its hash against the manifest the build system produced. Any unsigned binary, like the me.exe file in this case, any file whose hash does not match the manifest, and any file the manifest does not list at all should automatically fail the build. This automated verification ensures that only approved and signed code makes it into the product that is shipped to users, making it significantly harder for an attacker to inject malicious code; the manifest must itself be produced by the build job and kept outside the staging area, since an attacker who can edit both the package and its manifest defeats the check.

On the victim's side, detecting cryptojacking relies on behavioral analysis. An EDR solution should be configured to monitor for processes exhibiting cryptominer-like behavior. For an idle-gated miner such as this one, the telltale pattern is a process that stays quiet while the user is active and then shows sustained high CPU usage, typically together with a long-lived outbound connection to a mining pool, once keyboard and mouse input stops. In this specific case, an alert could be triggered for the process HolaMonitorService.exe consuming more than 80% CPU for more than 5 minutes while the machine is idle. This behavioral approach detects cryptojacking regardless of the specific malware family, since all miners share the goal of hijacking CPU resources. The idle condition needs care, because legitimate scheduled work (backups, indexing, updates) also runs when the machine is idle, so the rule should key on unsigned or unexpected process images rather than on CPU usage alone.
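The release gate described for the vendor side can be expressed as a single PowerShell check that runs over the staging directory before packaging. The function below is an added example, not Hola's pipeline and not from the article. It assumes a JSON manifest mapping relative paths to SHA-256 hashes, produced by the build job and stored outside the staging directory, and an optional list of allowed publisher certificate thumbprints supplied by the pipeline; both are assumptions for illustration. A foreign file such as me.exe fails twice, once as undeclared and, if it were somehow declared, again as unsigned.

```powershell
# Added example (not Hola's pipeline, not from the article): fail the release if the
# staging tree contains undeclared, modified, unsigned or wrongly signed files.
function Test-ReleaseStaging {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$StagingDir,
        [Parameter(Mandatory)][string]$ManifestPath,      # assumed JSON: { "app\\hola.exe": "<sha256>", ... }
        [string[]]$AllowedThumbprints = @()               # assumed: publisher cert thumbprints, from the pipeline
    )

    # Normalise the manifest to lower-case relative paths -> upper-case hex hashes.
    $expected = @{}
    $manifest = Get-Content -LiteralPath $ManifestPath -Raw | ConvertFrom-Json
    foreach ($p in $manifest.PSObject.Properties) {
        $expected[$p.Name.ToLowerInvariant()] = ([string]$p.Value).ToUpperInvariant()
    }

    $failures = New-Object System.Collections.Generic.List[string]
    $seen     = @{}
    $root     = (Resolve-Path -LiteralPath $StagingDir).Path.TrimEnd('\')
    $peTypes  = '.exe', '.dll', '.sys', '.msi', '.ocx', '.cpl'

    foreach ($f in Get-ChildItem -LiteralPath $StagingDir -Recurse -File) {
        $rel = $f.FullName.Substring($root.Length + 1).ToLowerInvariant()
        $seen[$rel] = $true

        # Anything the build did not declare is a foreign file; an injected me.exe fails here.
        if (-not $expected.ContainsKey($rel)) { $failures.Add("UNEXPECTED_FILE $rel"); continue }

        # Declared files must match the hash the build recorded.
        $hash = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash
        if ($hash -ne $expected[$rel]) { $failures.Add("HASH_MISMATCH $rel") }

        # Executable content must carry a valid Authenticode signature from an allowed publisher.
        if ($peTypes -contains $f.Extension.ToLowerInvariant()) {
            $sig = Get-AuthenticodeSignature -LiteralPath $f.FullName
            if ($sig.Status -ne 'Valid') {
                $failures.Add("UNSIGNED $rel ($($sig.Status))")
            } elseif ($AllowedThumbprints.Count -gt 0 -and $AllowedThumbprints -notcontains $sig.SignerCertificate.Thumbprint) {
                $failures.Add("WRONG_SIGNER $rel ($($sig.SignerCertificate.Subject))")
            }
        }
    }

    # Files the build declared but that are absent also fail the gate.
    foreach ($k in $expected.Keys) { if (-not $seen.ContainsKey($k)) { $failures.Add("MISSING $k") } }
    return $failures
}

# Pipeline usage (paths and thumbprint are placeholders):
# $problems = Test-ReleaseStaging -StagingDir .\staging -ManifestPath .\build-manifest.json -AllowedThumbprints 'ABCDEF...'
# if ($problems.Count -gt 0) { $problems | ForEach-Object { Write-Error $_ }; exit 1 }
```

The thumbprint allow-list is what turns "signed" into "signed by us": a valid signature from any trusted CA is not enough, since an attacker can buy a certificate in some other name. Run the same signature check once more on the finished installer after packaging, so that a compromise of the packaging step itself is also caught.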

Sources & References

Hola Browser supply chain breach delivered crypto-miner to users
Cyber Insider (cyberinsider.com) June 4, 2026
Hola Browser for Windows compromised to deliver cryptominer
BleepingComputer (bleepingcomputer.com) June 4, 2026
8th June – Threat Intelligence Report
Check Point Research (research.checkpoint.com) June 8, 2026

Article Author

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags

Supply Chain Attack, Cryptojacking, Cryptominer, Hola Browser, Monero, XMRig
