NEWS: A hidden miner was found in Hola Browser. And the way it got there surprised even the creators

pinkman

For months it quietly did its job, until someone happened to ask one extra question.

A check of the certified Windows build of Hola Browser revealed an unexpected component, me.exe, that was installed alongside the browser and, according to analysis by Sophos X-Ops, worked as a cryptocurrency miner. The file was not on the list of verified components and appeared as a result of a supply-chain compromise.

The suspicious file was found during periodic testing of Hola Browser version 1.251.91.0 under the AppEsteem certification program. Earlier checks of the installer had shown no unwanted behaviour, but in some repeated runs the file me.exe was written to disk (observed at C:\Program Files\Hola\me.exe).

The component had no digital signature and no timestamp, contained obfuscated code and could write data into memory. At the same time, me.exe did not appear on every installation. That inconsistency pointed to a problem not in a fixed installation package but in the update delivery service or the distribution infrastructure.

Analysis showed signs of a miner based on XMRig. The me.exe component added an exclusion to Windows Defender and, when run with administrator rights, copied itself under the name HolaMonitorService.exe. It then created the service hola_monitor_svc, which started automatically and consumed the computer's resources while the machine was idle.
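The behaviour described above (an unsigned, untimestamped binary dropped into the install directory, a Defender exclusion, a self-copy named HolaMonitorService.exe and an auto-start service hola_monitor_svc) translates directly into host indicators. The following hunt script is an added example written for this page; it is not code from Hola, Sophos or AppEsteem. The file and service names come from the article; the location of the HolaMonitorService.exe copy, the 30-day lookback window and the report format are assumptions for illustration.

```powershell
# Added example (not Hola's or Sophos's code): hunt for the artifacts described
# in the article on a Windows host. Names come from the article; the copy
# location of HolaMonitorService.exe and the lookback window are assumptions.
#Requires -RunAsAdministrator

$indicators = @{
    InstallDir   = 'C:\Program Files\Hola'
    Files        = @('C:\Program Files\Hola\me.exe',
                     'C:\Program Files\Hola\HolaMonitorService.exe')   # second path assumed
    Service      = 'hola_monitor_svc'
    ServiceImage = 'HolaMonitorService.exe'
    LookbackDays = 30                                                  # assumed window
}

$findings = [System.Collections.Generic.List[string]]::new()

# 1. Dropped binaries: present? Authenticode-signed? Timestamped?
foreach ($path in $indicators.Files) {
    if (Test-Path -LiteralPath $path) {
        $sig = Get-AuthenticodeSignature -FilePath $path
        $ts  = if ($sig.TimeStamperCertificate) { 'timestamped' } else { 'no timestamp' }
        $findings.Add("file present: $path (signature: $($sig.Status), $ts)")
    }
}

# Any executable in the install directory without a valid signature is suspect,
# whatever it is called; the miner was the only unsigned component.
Get-ChildItem -Path $indicators.InstallDir -Filter *.exe -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        if ($sig.Status -ne 'Valid') {
            $findings.Add("unsigned or invalid executable: $($_.FullName) ($($sig.Status))")
        }
    }

# 2. The persistence service, matched by name and by image path.
Get-CimInstance -ClassName Win32_Service -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -eq $indicators.Service -or $_.PathName -like "*$($indicators.ServiceImage)*" } |
    ForEach-Object {
        $findings.Add("service: $($_.Name) state=$($_.State) start=$($_.StartMode) image=$($_.PathName)")
    }

# 3. Defender exclusions that cover the Hola directory or the dropped names.
$pref = Get-MpPreference -ErrorAction SilentlyContinue
foreach ($ex in @($pref.ExclusionPath) + @($pref.ExclusionProcess)) {
    if ($ex -and ($ex -match 'Hola|me\.exe|HolaMonitorService')) {
        $findings.Add("Defender exclusion: $ex")
    }
}

# 4. When was the exclusion added? Event ID 5007 in the Defender operational
#    log records configuration changes, including new exclusion entries.
$since = (Get-Date).AddDays(-$indicators.LookbackDays)
Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 5007
        StartTime = $since
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Exclusions' } |
    ForEach-Object {
        $findings.Add("Defender config change at $($_.TimeCreated): $($_.Message -replace '\s+', ' ')")
    }

if ($findings.Count -eq 0) { 'No Hola miner indicators found.' } else { $findings }
```

The signature check matters more than the file names: the names here are the ones reported, but a replacement payload pushed through the same compromised channel could use different ones, and an executable under a vendor's install directory that is unsigned or lacks a timestamp is the durable signal. The Event ID 5007 query gives the time the exclusion was written, which is usually the closest thing to an installation timestamp for the miner on a host where the dropper itself has already been removed.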

After being notified through AppEsteem, Hola confirmed that me.exe should never have reached users' devices. According to its internal audit and investigation, the incident affected about 0.1% of its audience. Hola stated that the attackers did not gain access to user data and did not steal any.

Hola shut down the affected delivery channel, removed the unwanted component from its infrastructure and from affected systems, and then completely rebuilt its update distribution process. The company also strengthened digital-signature verification, restricted access to its infrastructure and introduced continuous monitoring.

The story shows that software security depends not only on code quality but also on the trustworthiness of the entire infrastructure around it. Even a product with a good reputation and regular checks can unexpectedly acquire an extra component if someone breaks the integrity of the update delivery process.