Attackers Exploit Legitimate Super Mario Game Installer to Spread Malware
Motivation and Method of Attack
Attackers have recently targeted a legitimate installer for the popular Super Mario Bros game to distribute various malware infections. The Cyble Research and Intelligence Labs (CRIL) discovered that the installer for Super Mario 3: Mario Forever, a free Windows version of the Nintendo game, contains a cryptocurrency miner, an info stealer, and a mining client. By leveraging the trust gamers have in legitimate game installers, threat actors deliver malware to a wide audience, which can be monetized through stealing sensitive information and conducting ransomware attacks.
Malware Components
The malicious installer, named “Super-Mario-Bros.exe,” contains three executables. The first is a genuine and safe Super Mario game application. However, the other two executables, “java.exe” and “atom.exe,” are malicious and deliver the malware. The “java.exe” file is an XMR miner executable designed to mine the Monero cryptocurrency, and the “atom.exe” file serves as a SupremeBot mining client and delivers the Umbral Stealer. The Umbral Stealer, written in C#, steals credentials and other data from popular browsers, captures screenshots and webcam images, steals session files from messaging platforms like Telegram and Discord, and collects files associated with cryptocurrency wallets. The stolen data is saved in temporary directories and transmitted to the attacker using Discord webhooks.
Implications for Businesses
The discovery of this malware is particularly concerning for businesses with remote or hybrid workers who use personal devices for work purposes. As personal devices are increasingly used for work, the chances of inadvertently downloading malware increase. Organizations need to be vigilant in educating employees about the risks associated with downloading software from untrusted sources.
Avoiding and Mitigating Cyberattacks
The Cyble researchers offer several recommendations to avoid and mitigate the Super Mario cyberattack:
1. Avoid downloading from untrusted sources:
Users should avoid downloading software, especially games, from Warez/Torrent websites. These websites are often breeding grounds for malware, and downloading from them increases the risk of infection. This is especially important for users working on corporate networks, as a malware infection from an infected game installer can easily spread throughout the enterprise.
2. Provide security awareness and training:
Organizations should invest in security awareness and training programs to educate employees about the risks of opening untrusted links and email attachments. Employees should verify the authenticity of such links and attachments and learn to identify phishing attacks and untrusted URLs within them.
3. Update information security policies:
Organizations should update their information security and acceptable usage policies to explicitly prohibit the downloading and installation of cryptomining software on end-user systems. This proactive measure helps create a security-conscious culture within the organization.
4. Block URLs from known torrent sites:
Implementing web filtering mechanisms to block URLs from known torrent sites can help prevent users from inadvertently visiting these sites and downloading malware.
5. Monitor CPU and RAM utilization:
Regularly monitoring endpoints and servers for unexpected spikes in CPU and RAM utilization can indicate potential malware infections. Promptly investigating and addressing such incidents can help mitigate the spread of accidentally downloaded malware on corporate systems.
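The following script is an added illustration of recommendation 5 combined with the look-alike process name described in the Malware Components section; it is not code from the article or from the Cyble report. It applies two simple rules to a series of process snapshots such as a scheduled collection job might produce: a process that stays above a CPU threshold for several consecutive samples, and a process whose name matches a watched binary (here java.exe) but runs from outside its expected install directories. The thresholds, the expected directories, and all of the sample snapshots are assumed values constructed for this example.

```python
"""Flag sustained CPU hogs and look-alike binaries across process snapshots.

Added example, not from the article or the Cyble report. Standard library only.
Thresholds, expected directories and the sample data are constructed/assumed.
"""
from collections import defaultdict
from dataclasses import dataclass

HIGH_CPU_PERCENT = 80.0   # assumed threshold; tune per fleet
SUSTAINED_SAMPLES = 3     # consecutive samples above threshold before alerting

# Directories where a binary with this name is normally expected (assumed values,
# compared case-insensitively). Anything else is treated as a look-alike.
EXPECTED_DIRS = {
    "java.exe": ("c:\\program files\\java\\", "c:\\program files (x86)\\java\\"),
}


@dataclass(frozen=True)
class ProcSample:
    ts: int            # sample time in seconds
    pid: int
    name: str
    path: str
    cpu_percent: float


def unexpected_location(name: str, path: str) -> bool:
    """True when a watched binary name runs from outside its expected directories."""
    expected = EXPECTED_DIRS.get(name.lower())
    if expected is None:
        return False
    return not path.lower().startswith(expected)


def sustained_high_cpu(samples):
    """Return {(pid, name, path): longest_run} for processes at or above
    HIGH_CPU_PERCENT in at least SUSTAINED_SAMPLES consecutive snapshots."""
    by_proc = defaultdict(list)
    for s in samples:
        by_proc[(s.pid, s.name, s.path)].append(s)
    hits = {}
    for key, procs in by_proc.items():
        run = best = 0
        for s in sorted(procs, key=lambda x: x.ts):
            run = run + 1 if s.cpu_percent >= HIGH_CPU_PERCENT else 0
            best = max(best, run)
        if best >= SUSTAINED_SAMPLES:
            hits[key] = best
    return hits


def analyse(samples):
    """Produce a sorted list of (severity, message) alerts from the snapshots."""
    alerts = []
    hogs = sustained_high_cpu(samples)
    for (pid, name, path), run in hogs.items():
        alerts.append(("medium", f"pid {pid} {name} at >= {HIGH_CPU_PERCENT}% CPU "
                                 f"for {run} consecutive samples ({path})"))
    for key in {(s.pid, s.name, s.path) for s in samples}:
        pid, name, path = key
        if unexpected_location(name, path):
            # A look-alike that is also a CPU hog is the miner pattern: raise severity.
            sev = "high" if key in hogs else "medium"
            alerts.append((sev, f"pid {pid} {name} running from unexpected location {path}"))
    return sorted(alerts)


# Constructed sample data: four snapshots 60 s apart. pid 4120 uses the JRE
# binary name but runs from a user temp directory and pins the CPU throughout;
# pid 812 is a real JRE at low load; pid 2200 has two isolated spikes only.
SAMPLE_SNAPSHOTS = [
    *[ProcSample(t, 4120, "java.exe", r"C:\Users\alice\AppData\Local\Temp\java.exe", c)
      for t, c in zip((0, 60, 120, 180), (97.0, 95.5, 98.2, 96.0))],
    *[ProcSample(t, 812, "java.exe", r"C:\Program Files\Java\jre-17\bin\java.exe", c)
      for t, c in zip((0, 60, 120, 180), (11.0, 9.5, 14.0, 8.0))],
    *[ProcSample(t, 2200, "chrome.exe", r"C:\Program Files\Google\Chrome\Application\chrome.exe", c)
      for t, c in zip((0, 60, 120, 180), (91.0, 22.0, 18.0, 88.0))],
]

if __name__ == "__main__":
    for severity, message in analyse(SAMPLE_SNAPSHOTS):
        print(f"[{severity}] {message}")
```

Run on the constructed snapshots, the script raises two alerts for pid 4120 (the sustained load and the unexpected path, the latter at high severity because both rules fired) and nothing for the genuine JRE or for the browser's short spikes, which is the distinction a responder wants before pulling a device for investigation.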
Conclusion
The discovery of malware embedded in a legitimate Super Mario game installer highlights the ongoing threat of attackers leveraging popular software to distribute malware. As attackers become increasingly sophisticated, it is essential for individuals and organizations to stay vigilant, follow best security practices, and continuously update their defenses to prevent falling victim to such cyberattacks.
Disclaimer: The views and opinions expressed in this article are those of the author and do not necessarily reflect the official policy or position of any other agency, organization, employer, or company. Examples of analysis performed within this article are only examples. They should not be utilized in real-world analytic products as they are based only on very limited and dated open source information.