Hackers have been caught trying to lure unsuspecting gamers into downloading malicious software after a trojanized installer for a popular Mario title was found online.
A free version of the famous Super Mario 3, known as Mario Forever, has had millions of downloads since its release by Buziol Games in 2003, thanks to its updated style and graphics.
The game received development support for a decade after its release, with bug fixes and improvements. Although its developers no longer support it, the final version remains popular.
Now, researchers at Cyble have discovered that hackers have begun distributing malware via a trojanized installer for the Mario title.
“Recently, CRIL (Cyble Research and Intelligence Labs) identified a trojanized Super Mario Bros. game installer that offers multiple malicious components, including an XMR miner, a SupremeBot mining client, and the open-source Umbral Stealer,” Cyble said.
“The malware files were found included in a legitimate installation file of super-mario-forever-v702e.”
Cyble said hackers often use game installers because the video game market has a broad user base and is full of attractive products, which gives threat actors plenty of social engineering lures to attract victims.
This includes promotion on gaming forums and social media, as well as malvertising and black-hat SEO, which inflates a site’s search ranking through unethical tactics such as adding structured data to make a page stand out in search results or planting fake positive reviews.
Additionally, the large size of game files makes it easy to hide malware.
The malware-ridden installer works as a self-extracting archive containing three executable files: the legitimate game file, a “java.exe” file, and an “atom.exe” file.
The latter two are dropped in the user’s AppData directory and then executed by the installer. java.exe is an XMR (Monero) miner that collects information about the victim’s system before connecting to a mining pool (gulf[.]moneroocean[.]stream) and starting to mine.
Additionally, the SupremeBot mining client (atom.exe) runs, duplicates itself and places a copy in the game installation directory, then creates a scheduled task that runs the copy every 15 minutes before killing the initial process and deleting the initial file.
A C2 connection is established to transmit information, register the client, and receive mining settings for the XMR miner.
The client then receives an additional file named “wime.exe”, which is Umbral Stealer; it steals data such as passwords, cookies, session tokens, crypto wallets, credentials for specific platforms and more.
Umbral Stealer, which is written in C# and is open source, evades Windows Defender by disabling it on devices where tamper protection is turned off. Otherwise, it adds itself to the exclusion list.
It also hinders antivirus software by blocking communication between the device and the vendors’ sites, hiding its activity.
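As an added defender-side example (not code from the article or from Cyble’s report), the following Python triages constructed Sysmon-style telemetry for the behaviours described above: dropped binaries executing from AppData, a 15-minute scheduled task, a Defender exclusion being added, and a connection to the named mining pool. The event fields, paths and task name are assumptions.

```python
import re

# Constructed sample telemetry (Sysmon-like fields), not real captured data.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Users\u\AppData\Roaming\java.exe", "cmdline": "java.exe"},
    {"type": "network", "image": r"C:\Users\u\AppData\Roaming\java.exe",
     "dest": "gulf.moneroocean.stream"},
    {"type": "process", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /sc minute /mo 15 /tn Updater /tr "C:\Games\Mario Forever\atom.exe"'},
    {"type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"Add-MpPreference -ExclusionPath C:\Users\u\AppData\Roaming\wime.exe"},
    # Benign control: a real JRE running from Program Files must not be flagged.
    {"type": "process", "image": r"C:\Program Files\Java\bin\java.exe",
     "cmdline": "java.exe -jar app.jar"},
]

# File names the article attributes to the dropped components.
DROPPED_NAMES = {"java.exe", "atom.exe", "wime.exe"}
APPDATA_RE = re.compile(r"\\AppData\\", re.IGNORECASE)
SCHTASK_RE = re.compile(r"schtasks.*?/create.*?/sc\s+minute\s+/mo\s+15\b", re.IGNORECASE)
EXCLUSION_RE = re.compile(r"Add-MpPreference\s+-Exclusion(Path|Process)", re.IGNORECASE)
POOL_RE = re.compile(r"(^|\.)moneroocean\.stream$", re.IGNORECASE)


def basename(path):
    """Lower-cased final path component of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def triage(events):
    """Return (rule, evidence) pairs for events matching the described behaviours."""
    hits = []
    for ev in events:
        image = ev.get("image", "")
        cmd = ev.get("cmdline", "")
        if ev["type"] == "process" and APPDATA_RE.search(image) and basename(image) in DROPPED_NAMES:
            hits.append(("dropped_binary_in_appdata", image))
        if ev["type"] == "process" and SCHTASK_RE.search(cmd):
            hits.append(("15min_scheduled_task", cmd))
        if ev["type"] == "process" and EXCLUSION_RE.search(cmd):
            hits.append(("defender_exclusion_added", cmd))
        if ev["type"] == "network" and POOL_RE.search(ev.get("dest", "")):
            hits.append(("monero_pool_connection", ev["dest"]))
    return hits


if __name__ == "__main__":
    for rule, evidence in triage(SAMPLE_EVENTS):
        print(f"{rule}: {evidence}")
```

Any single hit is weak on its own (scheduled tasks and exclusions have legitimate uses); the value is in several of these firing for the same host shortly after a game installer runs.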
With the Mario installer, hackers are likely taking advantage of the resurgence in popularity the franchise has enjoyed in recent years, particularly after several major titles such as Mario: Odyssey and a $100 million movie with an all-star cast including Chris Pratt, Anya Taylor-Joy, Jack Black and more.