Compromised Delivery Pipeline
A routine certification review exposed a significant supply chain breach involving Hola Browser for Windows. During a validation test for the AppEsteem Windows Certified Application program, researchers discovered that the browser’s official delivery pipeline was distributing an unexpected binary alongside the legitimate installer. The file, named me.exe, appeared in the installation directory of some users running version 1.251.91.0 but was not part of the approved software package.
Because the file did not appear in every test run, researchers concluded that the binary was not hard-coded into the installer itself. Instead, it was being injected through the update distribution channel under specific conditions. This meant that while AppEsteem had certified a clean version of Hola Browser, some users received additional unauthorized software.
Impact and Response
Security analysts from Sophos X-Ops flagged the suspicious file as a Potentially Unwanted Application after detecting obfuscated code, a lack of code signing and timestamps, and memory write capabilities. While each characteristic alone might be innocuous, together they strongly suggested the presence of a cryptominer being silently dropped onto user systems without consent.
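Two of the indicators above, an executable that is not part of the approved package and one that carries no Authenticode signature, can be checked mechanically against an installation directory. The following is an added defensive example, not code from Sophos, AppEsteem or Hola: it compares a directory's contents against a constructed release manifest and inspects each PE header's Certificate Table. The file name hola.exe, the manifest and the minimal PE images are constructed test data; only the presence of a signature blob is checked, not its validity.

```python
import hashlib
import struct

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def has_authenticode_entry(data: bytes) -> bool:
    """True if the PE optional header's Certificate Table (data directory 4)
    is non-empty, i.e. the file carries an embedded Authenticode blob.
    Presence only; signature validation needs the Windows crypto stack."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]       # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        return False
    opt = pe_off + 24                                      # COFF header is 20 bytes
    magic = struct.unpack_from("<H", data, opt)[0]
    dir_off = opt + (144 if magic == 0x20B else 128)       # PE32+ vs PE32 layout
    if len(data) < dir_off + 8:
        return False
    rva, size = struct.unpack_from("<II", data, dir_off)
    return rva != 0 and size != 0

def make_pe(signed: bool, pe32plus: bool = False) -> bytes:
    """Build a minimal, non-runnable PE image (constructed test data only)."""
    opt_len = 240 if pe32plus else 224
    img = bytearray(0x40 + 24 + opt_len)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)
    img[0x40:0x44] = b"PE\0\0"
    opt = 0x40 + 24
    struct.pack_into("<H", img, opt, 0x20B if pe32plus else 0x10B)
    if signed:  # point the Certificate Table at a fake blob
        struct.pack_into("<II", img, opt + (144 if pe32plus else 128), 0x1000, 0x200)
    return bytes(img)

def audit_install_dir(files: dict, approved: dict) -> list:
    """files: name -> bytes on disk; approved: name -> expected sha256.
    Returns (name, reason) findings for unexpected, altered or unsigned binaries."""
    findings = []
    for name, data in files.items():
        if name not in approved:
            findings.append((name, "not in approved package manifest"))
        elif sha256(data) != approved[name]:
            findings.append((name, "hash differs from approved manifest"))
        if name.lower().endswith((".exe", ".dll")) and not has_authenticode_entry(data):
            findings.append((name, "no Authenticode certificate table"))
    return findings

# Constructed sample: one signed, approved binary and an unexpected, unsigned me.exe.
HOLA_EXE = make_pe(signed=True)
SAMPLE_DIR = {"hola.exe": HOLA_EXE, "me.exe": make_pe(signed=False)}
APPROVED = {"hola.exe": sha256(HOLA_EXE)}
```

On a real installation the `files` mapping would be built from the directory on disk and `approved` from the vendor's published release manifest.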
After the issue was escalated to Hola, the company confirmed that me.exe was never intended to be part of the installer. CEO Avi Raz Cohen acknowledged that internal monitoring had also detected the anomaly. Independent cybersecurity firm Sygnia conducted a forensic review that confirmed a supply chain compromise, where an attacker had breached the delivery pipeline to distribute the cryptominer to a subset of Windows users.
Source: Cyber Security News