Trojan Malware Found in Super Mario Game Installer
Cybersecurity firm Cyble recently discovered a modified version of the Super Mario 3: Mario Forever game Windows installer that contains trojan malware. Super Mario 3: Mario Forever is a popular free-to-play remake of the classic Nintendo game, known for its updated graphics and modernized gameplay.
The trojanized game installer is believed to be currently circulating on gaming forums and social media groups. It has also been distributed via malvertising and black hat SEO techniques. The installer is disguised as a self-extracting archive executable.
The extracted archive contains three executables: super-mario-forever-v702e.exe (a legitimate Mario game installer), java.exe, and atom.exe. The latter two install themselves discreetly in the victim's AppData directory.
Once installed, the malicious executables carry out their harmful activities. java.exe acts as a Monero miner, gathering hardware information and connecting to gulf.moneroocean.stream to mine Monero.
atom.exe, also known as SupremeBot, is duplicated in the installation directory and scheduled to run every 15 minutes. To avoid detection, the original process is terminated and the file is deleted. SupremeBot establishes a command-and-control connection to transmit information, register the client, and receive Monero mining configurations.
The final payload of the trojanized installer is wime.exe, which contains Umbral Stealer — an open-source C# information stealer. It collects sensitive data from the infected Windows device, including passwords, session cookies, cryptocurrency wallets, and credentials for platforms like Discord, Minecraft, Roblox, and Telegram. It can also capture screenshots and utilize webcams. The pilfered data is stored locally before being sent to the C2 server.
Umbral Stealer evades detection by disabling Windows Defender or adding its own process to the exclusion list. It also modifies the Windows hosts file to block communication between antivirus products and their company sites, reducing their effectiveness.
Those who have recently downloaded the game are advised to scan their computer for any installed malware. If malware is detected, password resets are recommended for sensitive accounts such as banking, financial, cryptocurrency, and email platforms.
Remember to only download games and software from official sources, such as the publisher's website or trusted digital content distribution platforms. Finally, always make sure to scan downloads with antivirus software before launching them and ensure that your security tools are kept up to date.