Trojanized Super Mario Bros Game Installer
June 27th, 2023 - Written By CyberLabs
In a recent discovery, researchers from Cyble Research and Intelligence Labs (CRIL) uncovered a concerning cybersecurity threat that involved a trojanized Super Mario Bros game installer for Windows. This malicious installer was cleverly designed to deliver multiple malware, including an XMR miner, SupremeBot mining client, and the Open-source Umbral stealer
Gamers have always been an attractive target for cybercriminals due to several reasons. Firstly, gamers often possess powerful hardware that is essential for playing resource-intensive games. This hardware, particularly the Graphics Processing Units (GPUs) and Central Processing Units (CPUs), can be utilized for mining cryptocurrencies. Additionally, gamers are known to spend significant amounts of time online, making them susceptible to various online threats. The combination of powerful hardware and extended online presence makes gamers an ideal target for cyber attacks.
Execution and Installation Process
The researchers at Cyble discovered that threat actors had tampered with the NSIS installer file of the popular game “Super M
Mario Forever (Cyble)
ario Bros.” The legitimate installer file, “Super-Mario-Bros.exe,” was modified to include malicious code. The attackers bundled the legitimate installer file of “super-mario-forever-v702e” with the trojanized code, creating a deceptive package.
Upon executing the trojanized installer, the legitimate game application “super-mario-forever-v702e.exe” is dropped into the %appdata% directory and executed. The user is presented with an Installation Wizard, seemingly for the installation of the genuine Super Mario Forever game. Unbeknownst to the user, the background installation process initiates the execution of an XMR (Monero) miner and a SupremeBot mining client.
Malware Payloads and Activities
The malicious executables, “java.exe” and “atom.exe,” play critical roles mymedic.es in the attack. When the “java.exe” is executed, it establishes a connection with a mining server to carry out cryptocurrency mining activities. Concurrently, the malware collects valuable data from the victim’s system, including computer name, username, GPU, CPU, and other relevant details. This sensitive information is then transmitted to a Command and Control (C&C) server via a specific URL API.
On the other hand, executing the SupremeBot (“atom.exe”) creates a duplicate of itself, which is placed in a hidden folder within the game’s installation directory. The duplicate initiates a scheduled task command that runs every 15 minutes without an end date. Once executed, it terminates the “atom.exe” process and removes its associated file from the system. The dropped file then establishes a connection to the C&C server, registering the client and receiving the configuration for the Monero miner.
Cryptocurrency Mining and Data Theft
The primary objective of the trojanized installer is twofold: cryptocurrency mining and data theft.
The XMR miner exploits the victim’s hardware resources to mine Monero, a popular cryptocurrency. Meanwhile, the SupremeBot mining client assists in the mining process, optimizing the mining activities for maximum efficiency.
Simultaneously, the Umbral Stealer, an open-source malware, comes into play. It is loaded into the system’s memory through the execution of the info-stealing executable named “wime.exe” retrieved from the C&C server. The Umbral Stealer is capable of capturing screenshots, retrieving browser passwords and cookies, capturing webcam images, obtaining session files of messaging platforms like Telegram and Discord, acquiring cookies from gaming platforms like Roblox, collecting Minecraft session files, and acquiring files associated with cryptocurrency wallets.
Protection Measures for Gamers
To protect themselves from such threats, gamers should follow certain security practices.
- Download games and related files from trusted sources.
- Verifying the integrity of installer files and using reputable antivirus software can help identify potential threats.
- Regular system updates, including patches for games and operating systems, should be maintained to address security vulnerabilities.
- Use strong and unique passwords
- Enabling two-factor authentication
- Being cautious of suspicious links and emails
Source
https://blog.cyble.com/2023/06/23/trojanized-super-mario-game-installer-spreads-supremebot-malware/
Recently,
