Windows Malware Installed through Trojan-Infected Super Mario Game

Windows malware is being distributed through a modified installer of the popular Super Mario 3: Mario Forever game, infecting unsuspecting players with multiple pieces of malware.

Super Mario 3: Mario Forever, developed by Buziol Games and released in 2003, is a well-known free-to-play remake of the classic Nintendo game for the Windows platform. It gained immense popularity among millions of players for its updated graphics, modernized style, and sound while retaining the mechanics of the original Mario series.

However, researchers from Cyble have discovered that threat actors are distributing a trojanized version of the Super Mario 3: Mario Forever installer. This modified installer, distributed as a self-extracting archive executable through unknown channels, contains three executables. One of these executables installs the legitimate Mario game, while the other two, named “java.exe” and “atom.exe,” are discreetly installed in the victim’s AppData directory during the game’s installation.

Once these malicious executables are on the victim’s disk, they are executed to launch an XMR (Monero) miner and a SupremeBot mining client.

The “java.exe” file acts as a Monero miner, gathering information about the victim’s hardware and connecting to a mining server at “gulf[.]moneroocean[.]stream” to initiate mining operations.

Meanwhile, the SupremeBot (“atom.exe”) creates a hidden duplicate of itself in the game’s installation directory. It then creates a scheduled task to execute this copy every 15 minutes, disguising itself under the name of a legitimate process. The initial process is terminated, and the original file is deleted to avoid detection. The malware establishes a command-and-control (C2) connection to transmit information, register the client, and receive mining configuration to start mining Monero.

In addition, the malware retrieves an extra payload from the C2 server, an executable named “wime.exe.” This file is Umbral Stealer, an open-source C# information stealer available on GitHub since April 2023. Umbral Stealer is designed to collect data from the infected Windows device, including stored passwords and cookies from web browsers, cryptocurrency wallets, and credentials and authentication tokens for platforms such as Discord, Minecraft, Roblox, and Telegram. It can also capture screenshots of the victim’s desktop and utilize connected webcams to capture media. The stolen data is stored locally before being exfiltrated to the C2 server.

To evade detection, Umbral Stealer can disable Windows Defender if tamper protection is not enabled. If tamper protection is enabled, it adds its process to Windows Defender’s exclusion list. Additionally, the malware modifies the Windows hosts file, blocking popular antivirus products from communicating with their company sites, thereby impairing their regular operation and effectiveness.
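The hosts-file tampering described above can be checked for directly. The following is an added example, not code from Cyble's report or from this article: it parses hosts-file content and reports entries that override security-vendor domains. The vendor suffix list and the sample hosts content are constructed for illustration; the article does not list the domains the malware blocks.

```python
import ipaddress
from pathlib import Path

HOSTS_PATH = Path(r"C:\Windows\System32\drivers\etc\hosts")

# Assumption: illustrative vendor domains, not the malware's actual block list.
VENDOR_SUFFIXES = ("avast.com", "kaspersky.com", "malwarebytes.com",
                   "bitdefender.com", "eset.com", "virustotal.com")

def is_vendor_host(name):
    """True if name is a vendor domain or a subdomain of one."""
    name = name.lower().rstrip(".")
    return any(name == s or name.endswith("." + s) for s in VENDOR_SUFFIXES)

def find_blocked_vendor_hosts(hosts_text):
    """Return (line_no, address, hostname, sinkholed) for each vendor override."""
    findings = []
    lines = hosts_text.lstrip("\ufeff").splitlines()  # tolerate a UTF-8 BOM
    for lineno, raw in enumerate(lines, 1):
        fields = raw.split("#", 1)[0].split()  # drop comments, split on whitespace
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # not a valid "address hostname..." mapping
        # Loopback or 0.0.0.0/:: means the name resolves nowhere useful.
        sinkholed = addr.is_loopback or addr.is_unspecified
        for name in fields[1:]:
            if is_vendor_host(name):
                findings.append((lineno, fields[0], name.lower().rstrip("."), sinkholed))
    return findings

# Constructed sample content, used when the real hosts file is not present.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
0.0.0.0         www.avast.com avast.com   # constructed entry
127.0.0.1 UPDATE.Kaspersky.com.
0.0.0.0 notavast.com
#0.0.0.0 malwarebytes.com
192.0.2.10 intranet.corp.example
"""

if __name__ == "__main__":
    text = HOSTS_PATH.read_text(errors="replace") if HOSTS_PATH.exists() else SAMPLE_HOSTS
    for lineno, ip, host, sinkholed in find_blocked_vendor_hosts(text):
        kind = "sinkholed" if sinkholed else "redirected"
        print(f"line {lineno}: {host} -> {ip} ({kind})")
```

Any static mapping for a security vendor's domain is unexpected on a normal workstation, so redirects to non-loopback addresses are reported as well as sinkholes.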

If you have recently downloaded Super Mario 3: Mario Forever, it is recommended to scan your computer for any installed malware and remove any detections. Reset passwords on sensitive sites such as banking, financial, cryptocurrency, and email platforms. Use unique passwords for each site and consider utilizing a password manager to securely store them.

Remember to download games or software only from official sources, such as the publisher’s website or trusted digital content distribution platforms. Prior to launching any downloaded executables, scan them with your antivirus software, and ensure that your security tools are up to date.