Tuesday, July 2, 2024

Trojanized Super Mario Bros game spreads malware
Security Affairs

Researchers observed a threat actor spreading a trojanized Super Mario Bros game installer to deliver multiple malware payloads.

Researchers at Cyble Research and Intelligence Labs (CRIL) discovered a trojanized Super Mario Bros game installer for Windows used to deliver several malware payloads, including an XMR miner, the SupremeBot mining client, and the open-source Umbral stealer.

Threat actors have bundled super-mario-forever-v702e’s legitimate installation files with malicious code. Researchers point out that the reason attackers target gamers is that they often use powerful gaming hardware that excels at cryptocurrency mining.

Mario Forever is a clone of the original Super Mario that attempts to recreate the classic Nintendo game very faithfully.

The threat actor manipulated the NSIS installer file "Super-Mario-Bros.exe"; the resulting executable bundles three separate executables: "Super Mario Forever v702e.exe", the legitimate Super Mario game application, together with two malicious executables named "java.exe" and "atom.exe", as shown in the picture below.

When "Super-Mario-Bros.exe" is run, it creates a directory under %AppData%, drops "Super Mario Forever v702e.exe" there and executes it. While that file runs, the installation wizard appears and proceeds to install the "super-mario-forever-v7.02" program.

After successfully installing the software, it launches the user interface to play the Super Mario Forever game. However, the Monero (XMR) miner and SupremeBot mining client run in the background.

"When "java.exe" is executed, the malware establishes a connection with the mining server gulf[.]moneroocean[.]stream for conducting cryptocurrency mining activities," reads the report published by Cyble. "At the same time, the malware collects sensitive data from the victim's system, including computer name, username, GPU, CPU and other relevant details. This sensitive information is sent to the command and control (C&C) server via the following URL API: hxxp://shadowlegion[.]duckdns[.]org/nam/api/endpoint."

When run, SupremeBot ("atom.exe") creates a clone of itself and places the copy in a hidden folder inside the game's installation directory.

"atom.exe" then runs a scheduled-task command that creates a new scheduled task entry which executes every 15 minutes with no end date.

The executable then terminates the original "atom.exe" process and removes the related files from the system. The copy dropped in the hidden folder establishes a connection to the C&C server, transmits system information, registers the client, and receives the configuration for the Monero miner.

In the final phase of the attack, "atom.exe" retrieves an information-stealing executable named "wime.exe" from the C2. The executable unpacks itself and loads the open-source Umbral Stealer into process memory.

This malware is able to:

  • Capture screenshots
  • Retrieve browser passwords and cookies
  • Capture webcam images
  • Obtain Telegram session files and Discord tokens
  • Acquire Roblox cookies and Minecraft session files
  • Collect files related to cryptocurrency wallets
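The infection chain described above leaves three observable traces on a host: the masquerading "java.exe"/"atom.exe" dropped under %AppData%, a scheduled task firing every 15 minutes that points back into %AppData%, and outbound connections from an %AppData% process to a dynamic-DNS C2 or a mining pool. The following is an added example (not code from the article or from Cyble) of a small hunting script that applies those three checks to constructed, simplified process and network telemetry; the event format, paths and the "c2-placeholder" hostname are assumptions for the demo.

```python
import re
from typing import List, Tuple

# Constructed sample telemetry (not real Sysmon/EDR output) modelled on the
# behaviour the article describes. Each line: "<event>|<image path>|<detail>",
# where detail is the command line (proc) or destination host (net).
SAMPLE_EVENTS = [
    r"proc|C:\Users\bob\AppData\Roaming\super-mario-forever-v7.02\java.exe|java.exe",
    r"proc|C:\Program Files\Java\jre8\bin\java.exe|java.exe -jar app.jar",
    r"proc|C:\Windows\System32\schtasks.exe|schtasks /create /sc minute /mo 15 /tn Update /tr C:\Users\bob\AppData\Roaming\x\atom.exe",
    r"proc|C:\Windows\System32\schtasks.exe|schtasks /create /sc daily /tn Backup /tr C:\Tools\backup.exe",
    r"net|C:\Users\bob\AppData\Roaming\x\atom.exe|c2-placeholder.duckdns.org",
    r"net|C:\Program Files\Mozilla Firefox\firefox.exe|www.example.com",
]

# Dynamic-DNS provider used by the C2 in the article plus the pool domain it mined on.
SUSPICIOUS_DOMAINS = ("duckdns.org", "moneroocean.stream")
MASQUERADE_NAMES = ("java.exe", "atom.exe")


def under_appdata(path: str) -> bool:
    """True if the path lives anywhere below a user's AppData folder."""
    return "\\appdata\\" in path.lower()


def check_event(line: str) -> List[str]:
    """Return the names of every rule a single telemetry line triggers."""
    kind, image, detail = line.split("|", 2)
    name = image.rsplit("\\", 1)[-1].lower()
    hits: List[str] = []
    # Rule 1: a binary named like the dropped miner/bot running from %AppData%.
    if kind == "proc" and name in MASQUERADE_NAMES and under_appdata(image):
        hits.append("masquerading-binary-in-appdata")
    # Rule 2: schtasks creating a task at <=15 min interval whose target is in %AppData%.
    if kind == "proc" and name == "schtasks.exe":
        interval = re.search(r"/sc\s+minute\s+/mo\s+(\d+)", detail, re.I)
        target = re.search(r"/tr\s+(\S+)", detail, re.I)
        if interval and int(interval.group(1)) <= 15 and target and under_appdata(target.group(1)):
            hits.append("high-frequency-task-from-appdata")
    # Rule 3: an %AppData% process talking to dynamic DNS or a mining pool.
    if kind == "net" and under_appdata(image) and detail.lower().endswith(SUSPICIOUS_DOMAINS):
        hits.append("appdata-process-to-dyndns-or-pool")
    return hits


def scan(events: List[str]) -> List[Tuple[str, str]]:
    """Apply all rules to every event and return (image, rule) findings."""
    return [(line.split("|", 2)[1], hit) for line in events for hit in check_event(line)]


if __name__ == "__main__":
    for image, rule in scan(SAMPLE_EVENTS):
        print(f"{rule}: {image}")
```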

"The broad and interconnected user base within the gaming community serves as an attractive target for TAs aiming to exploit vulnerabilities and conduct a variety of malicious activities," concludes the report. "This coin miner malware campaign targets gamers and individuals using high-performance computing systems for gaming purposes utilizing the game Super Mario Forever. The malware also deploys a stealer component to illegally obtain sensitive information from victims' systems for additional financial gain. The combination of mining and thievery activities results in monetary loss, significant degradation of the victim's system performance, and depletion of valuable system resources."


Pierluigi Paganini
