
Trojan-Infected Super Mario Installer Targets Gamer Data


Attackers have recently utilized a legitimate installer for the popular Super Mario Bros game to distribute malware across Windows machines. The Trojanized installer includes various malicious components such as a cryptocurrency miner and an info stealer, which pose a significant threat to businesses with remote or hybrid workers who use personal devices for work purposes.

The discovery was made by a team from Cyble Research and Intelligence Labs (CRIL), who found that an installer for Super Mario 3: Mario Forever, a well-known free Windows version of the Nintendo game, contains an XMR miner, a SupremeBot mining client, and the Umbral Stealer. This malicious software package could potentially compromise sensitive data and cause serious harm to unsuspecting users.

The installer file, labeled “Super-Mario-Bros.exe,” actually contains three executables. One of them is “super-mario-forever-v702e,” a genuine Super Mario game application. However, the other two executables, “java.exe” and “atom.exe,” deliver the malware payloads. Of particular concern is the Umbral Stealer, a lightweight stealer written in C# that has been available on GitHub since April. This stealer can extract credentials and other data from various browsers, capture screenshots and webcam images, and collect files associated with cryptocurrency wallets, among other things.

The deployment of malware through game installers is a common tactic employed by threat actors due to the large online gaming community and the trust users place in their legitimacy. By leveraging the popularity of Super Mario Bros., which has had a dedicated following since the 1980s, attackers can deceive unsuspecting users into downloading and executing the Trojanized installer. This method is especially effective as the franchise has experienced a resurgence in popularity recently, thanks to the release of new games and the anticipation surrounding the upcoming “The Super Mario Bros. Movie.”

The researchers emphasize that malware distributed through game installers can be monetized in various ways, such as stealing sensitive information and conducting ransomware attacks. Additionally, using game installers to mine cryptocurrency is a popular choice for threat actors, as the powerful hardware commonly associated with gaming provides valuable computing power for mining cryptocurrencies.

Once the “Super-Mario-Bros.exe” file is executed, it drops the “super-mario-forever-v702e.exe” file in the target machine’s “%appdata%” directory and triggers the display of an Installation Wizard to continue the installation. Simultaneously, the installer discreetly deposits the files “java.exe” and “atom.exe” in the same directory, which then execute the malware payloads. The “java.exe” file functions as an XMR miner, utilizing the victim’s computing resources to mine Monero and sending valuable data to a command-and-control server. On the other hand, “atom.exe” serves as a SupremeBot mining client, managing the mining process and establishing a connection with the miner’s network.

Both the XMR miner and the SupremeBot mining client operate stealthily in the background, exploiting system resources and stealing data without the user’s knowledge. The SupremeBot mining client additionally communicates with a domain to verify the client’s registration and receive mining configurations from a command-and-control server. These malicious activities can severely impact system performance and compromise sensitive information.
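The drop behaviour described above (the dropper writing "java.exe" and "atom.exe" next to the genuine game binary under %appdata%) is simple to turn into a file-write detection. The following is an added example, not code from the article or from CRIL: it assumes a constructed, pipe-delimited file-creation log format, and its second rule generalises beyond the named dropper to any process that writes one of the payload names into a roaming profile.

```python
import re

# Indicators quoted from the article: the dropper's file name, the two payload names
# it writes, and the %appdata% drop directory. Log format and paths are constructed.
DROPPER_NAME = "super-mario-bros.exe"
PAYLOAD_NAMES = {"java.exe", "atom.exe"}
APPDATA_RE = re.compile(r"\\appdata\\roaming\\", re.IGNORECASE)

def parse_line(line):
    """Constructed format: '<timestamp>|FileCreate|<process image>|<target path>'."""
    parts = line.strip().split("|")
    if len(parts) != 4 or parts[1] != "FileCreate":
        return None
    return parts[0], parts[2], parts[3]  # (ts, process, target)

def classify(process, target):
    """Reason string if the write matches the dropper's behaviour, else None."""
    proc = process.rsplit("\\", 1)[-1].lower()
    name = target.rsplit("\\", 1)[-1].lower()
    in_appdata = APPDATA_RE.search(target) is not None
    if proc == DROPPER_NAME and in_appdata and name.endswith(".exe"):
        return "known dropper writes an executable into %appdata%"
    # Generalisation: a real java.exe lives under Program Files, not in a roaming
    # profile, so the payload name alone in %appdata% is worth an alert whatever wrote it.
    if name in PAYLOAD_NAMES and in_appdata:
        return "payload name written into %appdata% by " + proc
    return None

def scan(lines):
    """Return (timestamp, target path, reason) for every matching FileCreate line."""
    hits = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        ts, process, target = ev
        reason = classify(process, target)
        if reason:
            hits.append((ts, target, reason))
    return hits

# Constructed sample telemetry; user name, timestamps and the renamed copy are invented.
SAMPLE_LOG = [
    r"2023-06-20T10:00:01|FileCreate|C:\Users\u\Downloads\Super-Mario-Bros.exe|C:\Users\u\AppData\Roaming\super-mario-forever-v702e.exe",
    r"2023-06-20T10:00:02|FileCreate|C:\Users\u\Downloads\Super-Mario-Bros.exe|C:\Users\u\AppData\Roaming\java.exe",
    r"2023-06-20T10:00:02|FileCreate|C:\Users\u\Downloads\Super-Mario-Bros.exe|C:\Users\u\AppData\Roaming\atom.exe",
    r"2023-06-20T11:00:00|FileCreate|C:\Users\u\Downloads\mario-setup.exe|C:\Users\u\AppData\Roaming\java.exe",
    r"2023-06-20T12:00:00|FileCreate|C:\Users\u\Downloads\jre-setup.exe|C:\Program Files\Java\jre-17\bin\java.exe",
    r"2023-06-20T12:01:00|ProcessCreate|C:\Windows\explorer.exe|C:\Program Files\Java\jre-17\bin\java.exe",
]
```

Running `scan(SAMPLE_LOG)` flags the three writes by the named dropper plus the renamed copy that writes "java.exe" into %appdata%, while the legitimate JRE install under Program Files is left alone.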

To avoid falling victim to this Trojanized Super Mario loader, users are strongly advised against downloading software from Warez/Torrent websites. This precaution is especially critical for individuals operating within corporate networks, as malware infections can easily spread throughout the enterprise. Organizations should also prioritize security awareness and training programs to educate employees on identifying phishing attacks, untrusted URLs, and suspicious email attachments.

In addition, updating information security and acceptable usage policies to prohibit the installation of cryptomining software on end-user systems is recommended. Blocking URLs associated with known torrent sites that distribute malware can also limit the propagation of malicious software. Lastly, monitoring endpoints and servers for unexpected spikes in CPU and RAM utilization can aid in detecting potential malware infections on corporate systems.

By adopting these preventive measures and encouraging responsible online behavior, individuals and organizations can significantly reduce the risk of falling victim to the Super Mario Bros malware campaign. Remaining vigilant and informed in the face of evolving cyber threats is essential for maintaining a secure online environment.
