Super Mario Trojanized to Spread Malware

Researchers have spotted a trojanized Super Mario Bros game installer has been found to contain multiple malicious components, including an XMR miner, the SupremeBot mining client and the open-source Umbral Stealer.

The campaign takes advantage of the powerful hardware commonly associated with gaming to mine cryptocurrencies and steal sensitive information. The malware files were found bundled with a legitimate installer file of super-mario-forever-v702e.

The attack chain starts with the trojanized Super Mario Bros game installer, bundled with a legitimate installer file, delivering the malicious payload to unsuspecting users.

Upon execution, the malware silently drops files and initiates their execution. The dropped files include an XMR miner, which utilizes the victim’s computing resources for cryptocurrency mining, and the SupremeBot mining client, responsible for managing the mining process.

The malware also deploys the Umbral Stealer, an open-source information stealer, to pilfer computer name, username, GPU, CPU, and other data from the victim’s system. The stolen data is then transmitted to the attacker’s C2.

Umbral Stealer focuses on targeting the following web browsers:

• Brave
• Chrome
• Chromium
• Comodo
• Edge
• EpicPrivacy
• Iridium
• Opera
• OperaGx
• Slimjet
• Ur
• Vivaldi
• Yandex

The Stealer also specifically targets the below crypto wallets:

• Zcash
• Armory
• Bytecoin
• Jaxx
• Exodus
• Ethereum
• Electrum
• AtomicWallet
• Guarda
• Coinomi

The combination of mining activities and information theft results in financial losses, system performance degradation and resource depletion.

To protect, users and organizations to monitor their system performance, implement strict security policies, refrain from downloading software from untrusted sources and utilize reputable antivirus software.

This research was documented by researchers from Cyble Research Intelligence Labs

Indicators of Compromise

• e9cc8222d121a68b6802ff24a84754e117c55ae09d61d54b2bc96ef6fb267a54
• 41d1024209b738785ace023c36b2165d95eab99b0d892327212b8a5f7c311610
• 1f479a220e41be1c22092d76400565d0f7d8e890d1069a2f8bbdc5f697d9808f
• 88556497794511dde0ca0a1bfee08922288a620c95a8bc6f67d50dbb81684b22
• hxxp://shadowlegion[.]duckdns[.]org/nam/api/endpoint[.]php
• hxxp://silentlegion[.]duckdns[.]org/gate/update[.]php
• hxxp://silentlegion[.]duckdns[.]org/gate/connection[.]php
• hxxp://silentlegion[.]duckdns[.]org/gate/config[.]php
• hxxp[:]//shadowlegion[.]duckdns[.]org/wime[.]exe