Windows malware spreads through infected Super Mario game

Super Mario fans are getting infected by hidden Windows malware

A trojanized installer for the popular Super Mario 3: Mario Forever game for Windows has been discovered, posing a serious risk to unwary players. This modified version of the game installer, which was distributed through unknown channels, bundles several malware payloads that jeopardize the security and privacy of affected systems.

Super Mario 3: Mario Forever, released in 2003 by Buziol Games, is a free-to-play remake of the classic Nintendo game. It quickly gained popularity and was downloaded by millions of users who wanted to relive the nostalgic experience, thanks to updated graphics, modernized styling, and familiar gameplay mechanics.

Unfortunately, cybercriminals have exploited the game's popularity by distributing a trojanized version of it. The infected installer is most likely distributed through deceptive promotion techniques such as malvertising[1] and black-hat SEO.[2]

Malicious payloads hidden within the trojanized installer

Users unknowingly introduce multiple malicious payloads onto their systems when they run the trojanized installer. The installer extracts three executables: the legitimate Super Mario 3: Mario Forever game installer and two additional files called “java.exe” and “atom.exe.”

The “java.exe” file functions as a Monero (XMR) cryptocurrency miner,[3] mining Monero coins using the victim's hardware resources. It connects to a mining pool at “gulf[.]moneroocean[.]stream” and begins burning the victim's CPU time and electricity to generate coins for the attacker.

“atom.exe,” on the other hand, installs SupremeBot, a stealthy mining client. To avoid detection, this malware creates a hidden duplicate of itself within the game's installation directory. It also creates a scheduled task that runs the duplicate every 15 minutes, registered under a name that mimics a legitimate process.

Expanding threats and data theft

The trojanized Super Mario game installer does more than just mine cryptocurrency. It also employs Umbral Stealer, an open-source information stealer. This advanced malware can steal sensitive data from infected Windows devices.

Umbral Stealer targets a variety of valuable information, such as stored passwords, session tokens from web browsers, credentials for popular platforms such as Discord, Minecraft, Roblox, and Telegram, and cryptocurrency wallets. Furthermore, the malware can take screenshots of the victim's desktop and use connected webcams to capture media.

Umbral Stealer disables Windows Defender if tamper protection is not enabled and adds its own process to Defender's exclusion list to avoid detection. Furthermore, the malware modifies the Windows hosts file to prevent popular antivirus products from communicating with their respective vendor websites, rendering them less effective.
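The three footholds described in the two sections above (a scheduled task on a 15-minute cycle launching a hidden copy, Defender exclusions and disabled protections, and hosts-file entries pointing security vendors' domains elsewhere) are all things an administrator can enumerate locally. The following triage script is an added example written for this article; it is not part of the article or of any 2-Spyware tool. It assumes the Defender cmdlets are available (Windows 10/11 or Server 2016+), that it is run from an elevated PowerShell session (Defender exclusions are hidden from non-administrators), and the antivirus vendor name list used to grade hosts-file entries is an illustrative list chosen here, not one taken from the malware.

```powershell
# Added triage script (not from the article): reports traces matching the
# persistence and evasion behaviour described in the text. Run elevated.
function Find-TrojanizedGameTraces {
    $findings = @()

    # 1. Scheduled tasks that repeat on a short cycle (the article reports 15 minutes).
    #    Each task's executable is checked for the Hidden attribute, since the
    #    dropped copy is described as hidden inside the game's install folder.
    foreach ($task in Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' }) {
        foreach ($trigger in $task.Triggers) {
            $interval = $trigger.Repetition.Interval   # ISO 8601 duration, e.g. PT15M
            if (-not $interval -or $interval -notmatch '^PT(\d+)M$') { continue }
            if ([int]$Matches[1] -gt 30) { continue }   # assumption: <= 30 min is "short"
            foreach ($action in $task.Actions) {
                $exe = [Environment]::ExpandEnvironmentVariables(([string]$action.Execute).Trim('"'))
                $item = Get-Item -LiteralPath $exe -Force -ErrorAction SilentlyContinue
                $hidden = $item -and (($item.Attributes -band [IO.FileAttributes]::Hidden) -ne 0)
                $flag = if ($hidden) { ' [HIDDEN FILE]' } else { '' }
                $findings += "Task '$($task.TaskName)' repeats every $interval and runs $exe$flag"
            }
        }
    }

    # 2. Defender state: tamper protection off, real-time protection off,
    #    and any path/process exclusions (the stealer adds itself here).
    $status = Get-MpComputerStatus
    if (-not $status.IsTamperProtected)          { $findings += 'Defender tamper protection is OFF' }
    if (-not $status.RealTimeProtectionEnabled)  { $findings += 'Defender real-time protection is OFF' }
    $pref = Get-MpPreference
    foreach ($excl in @($pref.ExclusionPath) + @($pref.ExclusionProcess)) {
        if ($excl) { $findings += "Defender exclusion present: $excl" }
    }

    # 3. Hosts-file entries that redirect security vendor domains.
    #    The vendor pattern is an illustrative list chosen for this example.
    $vendorPattern = 'avast|avg|bitdefender|eset|kaspersky|malwarebytes|mcafee|norton|sophos|trendmicro|microsoft|windowsupdate'
    $hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    foreach ($line in Get-Content -LiteralPath $hostsPath -ErrorAction SilentlyContinue) {
        $text = $line.Trim()
        if ($text -eq '' -or $text.StartsWith('#')) { continue }
        if ($text -match '^(?<ip>\S+)\s+(?<host>\S+)') {
            $ip, $hostName = $Matches.ip, $Matches.host
            if ($hostName -match $vendorPattern) {
                $findings += "hosts file maps $hostName to $ip"
            }
        }
    }

    return $findings
}

$result = Find-TrojanizedGameTraces
if ($result.Count -eq 0) { 'No indicators found.' } else { $result }
```

The script only reports; it does not delete tasks, exclusions or hosts entries, because each finding needs a human decision (many legitimate updaters also use short repetition intervals and some software adds its own Defender exclusions). A hosts-file line that maps a security vendor's domain to 127.0.0.1 or 0.0.0.0, or a task whose executable carries the Hidden attribute, is the kind of result that warrants a full offline scan and the password resets recommended below.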

Protecting against Super Mario game malware and ensuring security

If you recently downloaded Super Mario 3: Mario Forever, you must immediately scan your computer for any installed malware and remove it. Password resets are strongly advised for sensitive sites such as banking, financial, cryptocurrency, and email platforms.

Remember to use unique and strong passwords for each site when resetting passwords, and use a password manager to securely store them. Furthermore, only download games and software from official sources, such as the publisher's website or reputable digital content distribution platforms.

To strengthen your defenses, scan downloaded executables with up-to-date antivirus software before running them. Updating your security tools on a regular basis ensures that you are protected against emerging threats and vulnerabilities. By remaining vigilant and adhering to these security practices, you can reduce your chances of becoming a victim of trojanized games and other malware attacks, protecting your digital life and personal information.

About the author

Ugnius Kiguolis is a professional malware analyst who is also the founder and the owner of 2-Spyware. At the moment, he serves as Editor-in-chief.