Threat actors are using a trojanized version of the popular Super Mario Bros. 3 game to spread crypto miners and information-stealing malware, Cyble Research & Intelligence Labs revealed in a blog post on June 23.

According to Cyble researchers, the Super Mario installer is bundled with two pieces of cryptojacking malware: a Monero (XMR) miner and the SupremeBot mining client. The latter not only mines cryptocurrency on targets’ devices but also loads an information-stealing malware known as Umbral Stealer.

Super Mario Bros. 3: Mario Forever is a remake of the classic Super Mario game. It was released in 2003 by Buziol Games and has racked up millions of downloads. The threat actors may have chosen this game because it has a large user base.

“This incident highlights another reason TAs [threat actors] utilize game installers as a delivery mechanism: the powerful hardware commonly associated with gaming provides valuable computing power for mining cryptocurrencies,” Cyble researchers said.

Trojanized Super Mario Game

According to Cyble’s blog post, the 32-bit Super Mario installer contains the genuine Super Mario game application together with two malicious files named “atom.exe” and “java.exe.”

“The NSIS installer file ‘Super-Mario-Bros.exe’ has been tampered with and turned into a trojanized version of a Super Mario game installer,” Cyble researchers said.

When targets install the file, they get the legitimate Super Mario Bros. 3: Mario Forever game as well as the XMR miner and the SupremeBot mining client. These two malicious apps are installed silently in the background without the user’s knowledge.

The XMR miner hogs CPU resources to generate digital coins for attackers. It also collects data from the targeted device, like the computer name, username, CPU, GPU, and other data. This data is relayed to the hacker responsible for the scheme.

Like the XMR miner, the SupremeBot mining client mines crypto and relays data about the targeted device to a command and control server. This sophisticated crypto miner also cleans its tracks and loads the Umbral Stealer malware.

The Umbral Stealer is a lightweight information-stealing malware. It gets admin privileges to run at startup and tampers with Windows Defender, so it’s excluded from scans. This malware can take screenshots and capture webcam images, collect cookies and passwords stored in browsers, collect files associated with crypto wallets, and obtain Telegram, Discord, Minecraft, and Roblox data.

The stolen data is transmitted to the attacker using Discord webhooks. Access to such data can allow cybercriminals to launch targeted attacks.

How to Protect Yourself From Trojanized Installers

“Threat Actors (TAs) use game installers to spread various malware because games have a wide user base, and users generally trust game installers as legitimate software,” Cyble researchers said. “The large file size and games’ complexity provide TAs opportunities to hide malware within them.”

Threat actors are increasingly tampering with legitimate software to spread malware. Check out our article on malware-infected games to learn about popular games that hackers often use to spread malware and how to protect your system.

We recommend verifying the developer of any app before you get it. Only download apps from official websites or app stores, and use antivirus software to protect your device.
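The checks below are an added example written for this article, not code from Cyble’s report or from the article itself. They cover the three behaviours described above from the defender’s side: verifying an installer’s Authenticode signature before running it, listing Windows Defender exclusions that point into user-writable folders (where a stealer that excludes itself from scans would typically live), and auditing Run-key startup entries launched from the same folders. The installer path is a placeholder.

```powershell
# Added example (not from the article or Cyble's report). Run in an elevated PowerShell session.

# 1) Verify the installer's publisher before running it (placeholder path).
$installer = "$env:USERPROFILE\Downloads\Super-Mario-Bros.exe"
if (Test-Path $installer) {
    $sig = Get-AuthenticodeSignature -FilePath $installer
    if ($sig.Status -ne 'Valid') {
        Write-Warning "Installer is not validly signed (status: $($sig.Status)); do not run it."
    } else {
        Write-Host "Signed by: $($sig.SignerCertificate.Subject)"
    }
}

# 2) Audit Defender exclusions. Malware that excludes itself from scans usually adds a
#    path or process under a user-writable directory (AppData, Temp, ProgramData, Downloads).
$suspiciousRoots = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP, $env:ProgramData,
                     "$env:USERPROFILE\Downloads")
function Test-UserWritablePath([string]$Path) {
    foreach ($root in $suspiciousRoots) {
        if ($root -and ($Path -like "$root*")) { return $true }
    }
    return $false
}
$prefs = Get-MpPreference
foreach ($ex in @($prefs.ExclusionPath) + @($prefs.ExclusionProcess)) {
    if ($ex -and (Test-UserWritablePath $ex)) {
        Write-Warning "Defender exclusion in user-writable location: $ex"
    }
}

# 3) Audit per-user and machine Run keys for startup entries launched from those locations.
$runKeys = @('HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
             'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run')
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own metadata properties
        $cmd = ([string]$p.Value).Trim('"')
        if (Test-UserWritablePath $cmd) {
            Write-Warning "Startup entry '$($p.Name)' runs from user-writable path: $cmd"
        }
    }
}
```

A legitimate exclusion or startup entry can also sit in one of these folders, so treat each warning as something to review rather than as proof of infection.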

We’ve tested dozens of antivirus products and rated them. You’ll find our top picks for Microsoft Windows in our article on the best antivirus solutions for PC.
