Researchers at Cyble spotted a trojanized version of the Super Mario 3: Mario Forever installer targeting Windows. This modified software is distributed in the form of a self-extracting archive executable through unidentified channels. The game is presumably being promoted on gaming forums, social media groups, or pushed onto users through malicious advertising, Black SEO techniques, and similar methods.

Taking a look at the infection chain

The compressed file comprises three executable files. 
  • The first one, "super-mario-forever-v702e.exe," installs the authentic Mario game. The remaining two executables, namely "java.exe" and "atom.exe," are discreetly installed in the victim's AppData directory during the game's installation process. 
  • Once these malicious executables are present on the disk, the installer proceeds to execute them, initiating an XMR mining operation and launching a SupremeBot mining client.
  • Lastly, the SupremeBot component retrieves an additional payload from the C2 server in the form of an executable file named "wime.exe." 
  • This file corresponds to Umbral Stealer, an info-stealer designed to pilfer data from the compromised Windows device.

A bit on Umbral Stealer

  • Umbral Stealer exfiltrates web browser data (including stored passwords and cookies containing session tokens), cryptocurrency wallets, and credentials and authentication tokens used for popular platforms such as Discord, Minecraft, Roblox, and Telegram.
  • It can capture screenshots of the Windows desktop and use connected webcams to record media.
  • To avoid detection, the info-stealer incorporates tactics to bypass Windows Defender. If tamper protection is disabled, Umbral Stealer disables the Windows Defender program entirely. 
  • If tamper protection is enabled, the malware instead adds its own process to Windows Defender's exclusion list, so the antivirus software no longer scans it.

Furthermore, it manipulates the Windows hosts file, impairing the communication between widely used antivirus products and their respective company sites.
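The hosts-file tampering described above leaves a simple artifact: hostnames of security vendors pointed at loopback or unroutable addresses. The following is an added example written for this page (it is not code from Cyble or from the malware) showing how a defender can scan hosts-file content for that pattern. The watchlist domains and the sample hosts content are constructed for illustration; a real watchlist would hold the update and telemetry hostnames of the security products actually deployed.

```python
import ipaddress
import sys
from typing import List, Tuple

# Constructed watchlist: stand-ins for the update/telemetry hostnames of the
# security products in use (illustrative, not taken from the report).
WATCHED_DOMAINS = [
    "update.av-vendor.example",
    "telemetry.av-vendor.example",
    "definitions.edr-vendor.example",
]

# Constructed sample hosts-file content: three legitimate entries followed by
# three entries that sinkhole watched hostnames, as a hosts-file tamper would.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1 localhost
::1 localhost
192.168.1.10 buildserver.corp.example
0.0.0.0 update.av-vendor.example
127.0.0.1 telemetry.av-vendor.example
::1 definitions.edr-vendor.example # injected entry
"""


def _is_sinkhole(ip_text: str) -> bool:
    """True if the address is loopback or unspecified (0.0.0.0 / ::)."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # not a valid address; not a sinkhole pattern we flag
    return ip.is_loopback or ip.is_unspecified


def _matches_watchlist(hostname: str, watched: List[str]) -> bool:
    """Match the hostname itself or any subdomain of a watched domain."""
    host = hostname.lower().rstrip(".")
    return any(host == w or host.endswith("." + w) for w in watched)


def find_sinkholed_entries(
    hosts_text: str, watched: List[str] = WATCHED_DOMAINS
) -> List[Tuple[int, str, str]]:
    """Return (line_number, ip, hostname) for every watched hostname that the
    hosts content maps to a loopback or unspecified address."""
    hits: List[Tuple[int, str, str]] = []
    for lineno, raw in enumerate(hosts_text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        parts = line.split()
        ip_text, hostnames = parts[0], parts[1:]
        for host in hostnames:
            if _matches_watchlist(host, watched) and _is_sinkhole(ip_text):
                hits.append((lineno, ip_text, host))
    return hits


if __name__ == "__main__":
    # Usage: python hosts_check.py [path-to-hosts-file]
    # With no argument, the constructed sample above is scanned.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_HOSTS
    for lineno, ip_text, host in find_sinkholed_entries(text):
        print(f"line {lineno}: {host} -> {ip_text} (security vendor host sinkholed)")
```

On a Windows host the file to pass in is C:\Windows\System32\drivers\etc\hosts. The same review should be paired with a look at the Defender exclusion lists (the ExclusionPath and ExclusionProcess properties reported by the Get-MpPreference PowerShell cmdlet), since the report describes the stealer adding its own process there when tamper protection prevents it from disabling Defender outright.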

The bottom line

Threat actors find the gaming community's extensive user base an attractive target. This campaign uses the Super Mario Forever game as a lure to reach gamers and their high-performance machines, which are well suited to cryptomining. Additionally, it includes a stealer component to gather sensitive information for financial gain. Researchers recommend that users check their system performance and CPU usage regularly and practice proper cybersecurity hygiene to stay safe.
Cyware Publisher