
It’s a me! Malware! – Info stealer discovered in Mario game installer

Hackers have been caught attempting to lure unsuspecting gamers into downloading malicious software after a trojanised installer for a popular Mario title was found online.

Daniel Croft
Mon, 26 Jun 2023

A free-to-play version of the infamous Super Mario 3, known as Mario Forever, has had millions of downloads since its release by Buziol Games in 2003, thanks to updated styling and graphics.

The game saw development support for a decade after its release, which introduced bug fixes and improvements. However, support for the game by its developers has ended, and the final version remains popular.

Now, researchers from Cyble have discovered that hackers have begun distributing malware through a hijacked installer of the Mario title.

“Recently, CRIL (Cyble Research and Intelligence Labs) identified a trojanised Super Mario Bros game installer that delivers multiple malicious components, including an XMR miner, SupremeBot mining client, and the open-source Umbral Stealer,” said Cyble.

“The malware files were found bundled with a legitimate installer file of super-mario-forever-v702e.”

Cyble said that hackers typically use game installers as the video game market has a wide user base and is full of attractive products that allow threat actors to engage in social engineering tactics that lure victims in.

This includes promotion on gaming forums and on social media, as well as the use of malvertising and black SEO, which involves inflating a site’s search ranking through unethical tactics such as adding structured data to make a page stand out in search results or planting fake positive reviews.

In addition, the large file sizes of games make it easier to hide malware.

The malware-riddled installer works as a self-extracting archive, containing three executables — the legitimate game file, a “java.exe” file, and an “atom.exe” file.

The latter two are installed in the user’s AppData directory and are then executed by the installer. The XMR (Monero) miner (java.exe) collects information about the affected user’s system before connecting to a mining server (gulf[.]moneroocean[.]stream) and beginning to mine.

In addition, a SupremeBot mining client (atom.exe) is run, which copies itself into the game’s installation directory and schedules a task that executes the copy every 15 minutes, after which the initial process and file are deleted.

A C2 connection is established to transmit information, register the client and receive the mining configuration for the XMR miner.

It then receives an additional file titled “wime.exe”, an Umbral Stealer, which steals data such as passwords, cookies, session tokens, crypto wallets, credentials for specific platforms and more.

Umbral Stealer, which is written in C# and is open source, is capable of hiding from Windows Defender by disabling it on devices where tamper protection is turned off. Otherwise, it adds itself to the exclusion list.

It also hinders the effectiveness of anti-virus software by blocking communication between the device and anti-virus vendors’ sites, hiding its activity.
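The behaviours Cyble describes above (dropped executables run from AppData, an outbound connection to the named mining pool, a scheduled task repeating every 15 minutes that runs a binary from the game folder, and tampering with Defender exclusions or real-time protection) each translate into a simple triage rule. The script below is an added example, not code from Cyble or Cyber Daily; it runs those rules over constructed telemetry records. The event field names, the ISO 8601 interval notation (PT15M, as used in Task Scheduler XML) and the list of trusted directories are assumptions to be adapted to the telemetry source in use.

```python
"""Triage rules for the Mario Forever installer chain described in the article.

Added example; not Cyble's or Cyber Daily's code. Runs over constructed
sample telemetry so it can be executed offline.
"""
import re
from pathlib import PureWindowsPath

# Indicators quoted in the article.
MINING_POOL = "gulf.moneroocean.stream"
DROPPED_NAMES = {"java.exe", "atom.exe", "wime.exe"}

# Assumption: roots from which a legitimate Java runtime or Windows tool
# would normally run. Tune for the environment.
TRUSTED_ROOTS = ("c:\\program files", "c:\\program files (x86)", "c:\\windows")
APPDATA_RE = re.compile(r"\\users\\[^\\]+\\appdata\\", re.IGNORECASE)


def in_appdata(path: str) -> bool:
    """True when the path sits under a user's AppData tree."""
    return bool(APPDATA_RE.search(path))


def under_trusted_root(path: str) -> bool:
    return path.lower().startswith(TRUSTED_ROOTS)


def check_process(ev: dict):
    """A dropped component name (java.exe/atom.exe/wime.exe) executed from AppData."""
    image = ev["image"]
    if PureWindowsPath(image).name.lower() in DROPPED_NAMES and in_appdata(image):
        return ("dropped-component-in-appdata", image)
    return None


def check_network(ev: dict):
    """Outbound connection to the Monero pool named in the article."""
    host = ev["dest_host"].lower().rstrip(".")
    if host == MINING_POOL or host.endswith("." + MINING_POOL):
        return ("mining-pool-connection", f'{ev["image"]} -> {host}')
    return None


def check_task(ev: dict):
    """Heuristic: a task repeating every 15 minutes whose action lives outside trusted roots."""
    if ev.get("interval") == "PT15M" and not under_trusted_root(ev["action"]):
        return ("15min-task-untrusted-binary", f'{ev["name"]}: {ev["action"]}')
    return None


def check_defender(ev: dict):
    """Defender tampering: exclusion added or real-time protection switched off."""
    change = ev["change"]
    if change in ("exclusion_added", "realtime_disabled"):
        return ("defender-tampering", f'{change} by {ev["image"]}')
    return None


CHECKS = {
    "process": check_process,
    "network": check_network,
    "task": check_task,
    "defender": check_defender,
}


def triage(events):
    """Return a list of (rule, detail) hits for the given telemetry records."""
    hits = []
    for ev in events:
        check = CHECKS.get(ev["kind"])
        if check is None:
            continue
        hit = check(ev)
        if hit:
            hits.append(hit)
    return hits


# Constructed sample telemetry mirroring the chain in the article.
SAMPLE_EVENTS = [
    {"kind": "process", "image": r"C:\Users\alice\AppData\Roaming\java.exe"},
    {"kind": "process", "image": r"C:\Program Files\Java\jre\bin\java.exe"},  # benign
    {"kind": "network", "image": r"C:\Users\alice\AppData\Roaming\java.exe",
     "dest_host": "gulf.moneroocean.stream"},
    {"kind": "process", "image": r"C:\Users\alice\AppData\Roaming\atom.exe"},
    {"kind": "task", "name": "atom", "interval": "PT15M",
     "action": r"C:\Games\Mario Forever\atom.exe"},
    {"kind": "task", "name": "Backup", "interval": "PT15M",
     "action": r"C:\Windows\System32\wbadmin.exe"},  # benign
    {"kind": "defender", "change": "exclusion_added",
     "image": r"C:\Users\alice\AppData\Roaming\wime.exe"},
]

if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

Each rule is deliberately narrow so that the two benign records (a Java runtime under Program Files and a 15-minute Windows backup task) produce no hits; in practice the trusted-root list and the dropped-name set are where tuning happens, and the scheduled-task rule should be read as a heuristic rather than a signature.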

With the Mario downloader, it is likely that hackers are playing on the resurgence in popularity that the franchise has seen in recent years, particularly following several major titles such as Mario: Odyssey and a US$100 million film featuring an all-star cast, including Chris Pratt, Anya Taylor-Joy, Jack Black and more.

Daniel Croft

Born in the heart of Western Sydney, Daniel Croft is a passionate journalist with an understanding for and experience writing in the technology space. Having studied at Macquarie University, he joined Momentum Media in 2022, writing across a number of publications including Australian Aviation, Cyber Security Connect and Defence Connect. Outside of writing, Daniel has a keen interest in music, and spends his time playing in bands around Sydney.
