Trojanized Super Mario Installer Goes After Gamer Data

Attackers have turned a legitimate installer for a popular Super Mario Bros game into a Trojan that spreads various malware infections — including a cryptocurrency miner and info stealer — across Windows machines.

A team from Cyble Research and Intelligence Labs (CRIL) have discovered an installer for Super Mario 3: Mario Forever — a perfectly legitimate, free Windows version of the enormously popular Nintendo game — that also includes an XMR miner, a SupremeBot mining client, and the open-source Umbral Stealer, they revealed in a blog post published June 23. The malware bomb could be an issue for the many businesses with remote or hybrid workers who use personal devices for work purposes and vice versa.

The installer file — an NSIS installer file dubbed "Super-Mario-Bros.exe" — actually contains three executables—"super-mario-forever-v702e," which itself is "a genuine and safe Super Mario game application," as well as two malicious executables — "java.exe" and "atom.exe" — that deliver the malware, they said. 

Perhaps the most concerning for businesses is the Umbral Stealer — a lightweight stealer written in C# that's been available on GitHub since April — which it loads into the process memory, the researchers said. Umbral Stealer lifts credential and other data from various browsers — including Brave, Chrome, Opera, Edge, and Vivaldi — and also captures screenshots and webcam images; steals Telegram session files and Discord tokens; acquires Roblox cookies and Minecraft session files; and collects files associated with cryptocurrency wallets. The data that the stealer collects is saved to appropriate directories within the temporary folder and eventually is transmitted to the attacker using Discord webhooks, the researchers added.

Threat actors often tuck malware into game installers because of the substantial size of the online gaming community and the inherent trust gamers have that legitimate game installers are safe, the researchers said. Using Super Mario Bros. — a franchise that's been around since the 1980s and already has millions of followers — to deliver malware makes perfect sense then, especially as the franchise has experienced a recent resurgence in popularity of lately thanks to the release of new games and 2023's "The Super Mario Bros. Movie."

"Malware distributed through game installers can be monetized through activities like stealing sensitive information, conducting ransomware attacks, and more," the researchers explained in the post.

Moreover, using game installers to mine crypto is an especially popular tactic with threat actors because "the powerful hardware commonly associated with gaming provides valuable computing power for mining cryptocurrencies," they said.

Surprise Super Mario Mining Malware Package

Once a user executes the "Super-Mario-Bros.exe" file, it drops the "super-mario-forever-v702e.exe" file in the target machine's "%appdata%" directory and initiates execution, which in turn triggers the display of an Installation Wizard to continue to install the program.

Meanwhile, in the background, the NSIS installer discreetly drops the files "java.exe" and "atom.exe" in addition to the Super Mario Forever game within the %appdata% directory, files that the installer proceeds to execute, the researchers said. The "java.exe" file is actually an XMR miner executable designed to mine the Monero cryptocurrency, while "atom.exe" delivers Umbral Stealer and serves as a SupremeBot mining client, enabling the miner's network connection, receiving mining tasks, and effectively managing the entire mining process, they said.

The XMR miner operates stealthily in the background without the victim knowing, taking up computing resources to mine Monero as well as stealing valuable data from the victim's system, including computer name, username, GPU, CPU, and other details, the researchers said. It then transmits the data to a command-and-control (C2) server.

The SupremeBot mining client also performs several nefarious activities. It starts with a POST request to the domain "hxxp://silentlegion[.]duckdns[.]org/gate/update[.]php" and includes the victim system's CPU and GPU versions as unique identifiers to verify if the client is registered. If the unique identifier is not found, the client sends a POST request to register the client by adding the unique identifier.

Once SupremeBot establishes a client connection, it receives an XMRig CPU and GPU mining configuration from the command-and-control (C2) server, then sends another POST request to "hxxp://silentlegion[.]duckdns[.]org/gate/config[.]php," containing the miner configuration specific to the victim's machine.

Avoiding & Mitigating a Super Mario Cyberattack

The most common-sense way to avoid being compromised by the trojanized Super Mario loader is not to download software from Warez/Torrent websites, the researchers said. This is especially important for users working on corporate networks, in which case a malware infection that occurs from an infected game installer can spread throughout the enterprise.

To reinforce the aforementioned guidance, organizations should provide security awareness and training to employees so they refrain from opening untrusted links and email attachments without first verifying their authenticity, and learn how to spot phishing attacks and untrusted URLs contained within those attacks, they said.

Organizations should also update their overall information security and acceptable usage policies to prohibit downloading and installing cryptomining software on end-user systems, the researchers advised.

Blocking URLs from known torrent sites that can be used to spread the malware, and monitoring endpoints and servers for unexpected spikes in CPU and RAM utilization that signal potential malware infection, can also mitigate the propagation of accidentally downloaded malware on corporate systems, the researchers added.