You do surprise me.exe: An unexpected executable in Hola Browser

What Happened

Security researchers found a hidden cryptocurrency miner bundled inside the installation files for Hola Browser. This malicious program was secretly installed on a small percentage of users' computers and ran in the background to mine cryptocurrency when the computer was idle. The issue was caused by a compromise in the software's delivery system, but no user data was stolen. The makers of Hola Browser have since fixed the issue and secured their software delivery pipeline. Users should ensure they are running the latest, clean version of the software and run an antivirus scan to remove any lingering malicious files.

Key Takeaways

• An undeclared XMRig-based crypto-miner (me.exe) was bundled with Hola Browser version 1.251.91.0 due to a supply chain compromise.
• The malicious binary adds a Windows Defender exclusion to evade detection.
• The malware establishes persistence by copying itself to HolaMonitorService.exe and creating an autostart service named 'hola_monitor_svc'.
• Hola has remediated the issue by rebuilding their distribution pipeline and implementing advanced code-signing verification.

Affected Systems

• Windows systems running Hola Browser version 1.251.91.0

Attack Chain

The attack begins with the execution of a compromised Hola Browser installer, which drops an undeclared, unsigned binary named me.exe into the application directory. Upon execution with administrative privileges, me.exe adds a Windows Defender exclusion and copies itself to HolaMonitorService.exe. It then establishes persistence by creating an autostart service named hola_monitor_svc that executes an XMRig-based crypto-miner when the host system is idle.

Detection Availability

• YARA Rules: No
• Sigma Rules: No
• Snort/Suricata Rules: No
• KQL Queries: No
• Splunk SPL Queries: No
• EQL Queries: No
• Other Detection Logic: No
• Platforms: Sophos

Sophos detects the malicious payload as Troj/GoMiner-B. No specific hunting queries or rules were provided in the article.

Detection Engineering Assessment

EDR Visibility: High — EDR solutions should easily detect the creation of a new service (hola_monitor_svc), modifications to Windows Defender exclusions, and the dropping of unsigned binaries in the Program Files directory. Network Visibility: Medium — Network monitoring could detect outbound connections to known crypto-mining pools, though specific pool IOCs were not provided in the article. Detection Difficulty: Easy — The malware creates a highly specific service name (hola_monitor_svc) and drops files with static names in predictable directories.

Required Log Sources

• Windows System Event Log (Event ID 7045 - Service Creation)
• Process Creation (Event ID 4688 / Sysmon Event ID 1)
• File Creation (Sysmon Event ID 11)

Hunting Hypotheses

Control Gaps

• Supply chain validation checks prior to software deployment

Key Behavioral Indicators

• Unsigned binaries executing from C:\Program Files\Hola\
• Process execution containing strings related to XMRig such as 'm/cmd/xmrig-idle'

False Positive Assessment

• Low

Recommendations

Immediate Mitigation

• Verify against your organization's incident response runbook and team escalation paths before acting.
• Search endpoints for the presence of me.exe or HolaMonitorService.exe within the C:\Program Files\Hola\ directory.
• Check for and remove the hola_monitor_svc service if found on any systems.

Infrastructure Hardening

• Consider implementing application control or AppLocker to prevent the execution of unsigned binaries from application directories.
• Evaluate whether endpoint protection policies are configured to prevent unauthorized modifications to Windows Defender exclusions.

User Protection

• If Hola Browser is used within the environment, ensure it is updated to a clean version following the vendor's pipeline remediation.
• Consider restricting administrative privileges to prevent unauthorized service creation by user-installed applications.

Security Awareness

• Remind users of the risks associated with installing third-party browser extensions or alternative browsers without IT approval.

MITRE ATT&CK Mapping

• T1195.002 - Supply Chain Compromise: Compromise Software Supply Chain
• T1569.002 - System Services: Service Execution
• T1543.003 - Create or Modify System Process: Windows Service
• T1562.001 - Impair Defenses: Disable or Modify Tools
• T1496 - Resource Hijacking

Additional IOCs

• File Hashes:
  • 174086534a2de730058465a4a4e231ce3778ab17ebebfd7f62b3bf9750bc7bdb (sha256) - SHA256 hash of the compromised Hola Browser installer.
  • 8046735d354814bf9ef9a053cb9cad8cfec261f2 (sha1) - SHA1 hash of the compromised Hola Browser installer.
  • 8462f61e68b37d220eab2462b3cbcec8 (md5) - MD5 hash of the compromised Hola Browser installer.
• Other:
  • hola_monitor_svc - Malicious Windows service created by the crypto-miner for persistence.