20 July 2023  — 
Eric Swotinsky

Trojanized Super Mario Bros installer spreads malware

Researchers have discovered a Trojanized Super Mario Bros game installer that delivers multiple forms of malware, including an XMR miner, SupremeBot mining client and Umbral Stealer. 

Attackers bundled the malicious code with a legitimate installer file named "super-mario-forever-v702e." Gamers are often targeted due to their powerful hardware, which is suitable for mining cryptocurrencies. The tampered NSIS installer file, "Super-Mario-Bros.exe," contains three executables: the legitimate Super Mario application, as well as the malicious executables "java.exe" and "atom.exe." When executed, the installer drops and launches the legitimate executable, while the XMR miner and SupremeBot run in the background. The malware connects to a mining server, gathers system information, establishes a connection to a command-and-control server, and retrieves an info-stealing executable that loads Umbral Stealer into memory.

Umbral Stealer can capture screenshots, retrieve passwords and cookies, capture webcam images, obtain session files from messaging platforms, collect data from gaming platforms and gather files related to cryptocurrency wallets.

The AI-powered behavioral detection capabilities in Acronis Cyber Protect Cloud identify and block malware before its execution, keeping endpoints and data safe from threats.