Trojanized Super Mario Bros Game Spreads Serious Malware

Onsa MustafaLast Updated: Jun 26, 2023

Researchers from Cyble Research and Intelligence Labs (CRIL) discovered a trojanized Super Mario Bros game installer for Windows to spread multiple malware. These include an XMR miner, a SupremeBot mining client, and the Open-source Umbral stealer.

The threat actors bundled a legitimate installer file of super-mario-forever-v702e with the malicious codes. The researchers pointed out that attackers target gamers because they often use powerful hardware for gaming, which is excellent for mining cryptocurrencies.

Trojanized Super Mario Bros Game Spreads Serious Malware

Mario Forever is a clone of the original Super Mario that attempts to recreate the classic Nintendo game very faithfully.

The threat actors come with the NSIS installer file “Super-Mario-Bros.exe.” The resulting executable file includes three separate executables: “super-mario-forever-v702e.exe,” which is the legitimate Super Mario game application, along with the malicious executables named “java.exe” and “atom.exe.”

Upon executing the “Super-Mario-Bros.exe” file, it drops the “super-mario-forever-v702e.exe” executable in the %appdata% directory and executes it. While executing the file, an Installation Wizard is displayed to proceed with the installation of the “super-mario-forever-v7.02” program.

Once the software is successfully installed, a user interface is launched to play the Super Mario Forever game. However, an XMR (Monero) miner and a SupremeBot mining client are executed in the background.

Upon executing SupremeBot (“atom.exe”), it creates a duplicate of itself. It also put this copy in a hidden folder in the installation directory of the game.

Then “atom.exe” initiates the execution of a scheduled task command that creates a new scheduled task entry that runs every 15 minutes without an end date.

The malware allows: