A trojanized Super Mario 3 installation program: Multiple malware infections have been affecting players of the Windows version of Mario Forever.
Super Mario 3: Mario Forever is a free-to-play remake of the classic Nintendo game, created by Buziol Games and released for Windows in 2003.
Millions of people downloaded the game, which was praised for incorporating all of the classic Mario series’ mechanics with modernized graphics and sound.
The game’s development continued for a further ten years, with numerous updates that included bug fixes and enhancements. It remains a classic today.
Targeting gamers
Researchers at Cyble found that threat actors are circulating a modified version of the Super Mario 3: Mario Forever installer, distributed through unidentified channels as a self-extracting executable archive.
The trojanized game is probably distributed to users via malvertising, Black SEO, or other methods on gaming forums and social media groups.
One of the executables in the archive, super-mario-forever-v702e.exe, installs the genuine Mario game; the other two, java.exe and atom.exe, are covertly copied into the victim’s AppData directory.
Once on disk, the installer launches the malicious executables to run the SupremeBot mining client and an XMR (Monero) miner.
The “java.exe” file is a Monero miner that connects to a mining server at “gulf[.]moneroocean[.]stream” to begin mining. It also gathers information about the victim’s hardware.
SupremeBot (atom.exe) makes a copy of itself and places it in a hidden folder inside the game’s installation directory.
It then creates a scheduled task, named after a legitimate process, that runs every 15 minutes indefinitely to execute the copy.
To avoid detection, the original file is deleted and the initial process is terminated. The malware then establishes a C2 connection to send system information, register the client, and retrieve the mining configuration so that it can start mining Monero.
Finally, SupremeBot fetches an additional payload from the C2, delivered as the executable “wime.exe.”
Umbral Stealer, an open-source C# information stealer that has been available on GitHub since April 2023 and steals data from the infected Windows device, is the final file.
Web browser passwords and cookies containing session tokens, cryptocurrency wallets, and credentials and authentication tokens for Discord, Minecraft, Roblox, and Telegram are among the stolen data.
Additionally, Umbral Stealer is able to capture media via connected webcams and take screenshots of the victim’s Windows desktop. Before being transferred to the C2 server, all stolen data is stored locally.
If Windows Defender’s tamper protection is disabled, the info-stealer evades Defender by disabling it outright. Otherwise, it adds its own process to Defender’s exclusion list.
In addition, the malware alters the Windows hosts file in such a way that it prevents popular antivirus programs from communicating with company websites, thereby hindering their regular operation and effectiveness.
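The hosts-file tampering described above is easy to audit offline. The following script is an added example (not code from the article or from Cyble): it parses hosts-file text, ignores comments, and reports any watch-listed domain that has been mapped to a loopback or null-route address. The watch-list domains and the sample hosts file are constructed placeholders; in practice you would supply the update and telemetry domains of the security products you actually run.

```python
"""Audit a Windows hosts file for entries that sinkhole security-vendor domains.

Added example, not part of the original article: parses hosts-file text
offline and reports any mapping of a watch-listed domain to a loopback or
null-route address, the technique the article attributes to Umbral Stealer.
"""
import ipaddress
from typing import List, Tuple

# Addresses that make a name unreachable when placed in the hosts file.
SINKHOLE_ADDRESSES = {"0.0.0.0", "127.0.0.1", "::1", "::"}

# Constructed watch list (placeholder domains, not real vendors): stand-ins
# for the update/telemetry endpoints of the security products you run.
DEFAULT_WATCHLIST = (
    "example-av.invalid",
    "updates.example-edr.invalid",
)


def parse_hosts(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, ip, hostname) triples for every mapping in *text*.

    Comments (# ...) and blank lines are ignored. A line may list several
    hostnames after one address; each becomes its own triple.
    """
    mappings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        ip, *names = fields
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue  # first field is not an IP address, so not a mapping
        for name in names:
            mappings.append((lineno, ip, name.lower().rstrip(".")))
    return mappings


def _matches_watchlist(hostname: str, watchlist) -> bool:
    """True if *hostname* is a watch-listed domain or a subdomain of one."""
    return any(hostname == d or hostname.endswith("." + d) for d in watchlist)


def find_sinkholed_domains(text: str, watchlist=DEFAULT_WATCHLIST):
    """Return mappings that send a watch-listed domain to a sinkhole address."""
    return [
        (lineno, ip, host)
        for lineno, ip, host in parse_hosts(text)
        if ip in SINKHOLE_ADDRESSES and _matches_watchlist(host, watchlist)
    ]


# Constructed sample hosts file: the stock Windows header comments, one benign
# local entry, and two tampered lines of the kind the article describes.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
# localhost name resolution is handled within DNS itself.
#   127.0.0.1       localhost
192.168.1.10   build-server.lan   # constructed benign entry
0.0.0.0 example-av.invalid www.example-av.invalid
127.0.0.1   updates.example-edr.invalid
"""

if __name__ == "__main__":
    for lineno, ip, host in find_sinkholed_domains(SAMPLE_HOSTS):
        print(f"line {lineno}: {host} -> {ip} (sinkholed)")
```

To audit a live machine, read `C:\Windows\System32\drivers\etc\hosts` and pass its contents to `find_sinkholed_domains` with your own watch list; any hit on a domain you did not add yourself is worth treating as a tampering indicator alongside the scheduled-task and Defender-exclusion checks.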
If you have recently downloaded Super Mario 3: Mario Forever, you should scan your computer for malware and remove anything that is found.
If malware is detected, reset your passwords on sensitive websites such as banking, financial, cryptocurrency, and email sites. Use a different password for each website when resetting them, and store the new passwords in a password manager.
It’s also important to keep in mind that downloading software or games should only be done from trusted digital content distribution platforms or the publisher’s website.
Before running downloaded executables, always use antivirus software to scan them. Also, make sure your security tools are up to date.