Gaming | 26.06.2023

Researchers discover hidden malware in Super Mario game installer

Cybersecurity researchers from Cyble have discovered a trojanized Super Mario 3: Mario Forever installer distributing Monero mining malware, Bleeping Computer reports.

The installer contains three executables: one installs the game, while the other two, “java.exe” and “atom.exe”, are dropped into the victim’s AppData directory.

Once the game is installed, the installer runs these two programs to launch an XMR (Monero) miner and the SupremeBot mining programme.

The “java.exe” file is the Monero miner and not a Java runtime, the researchers found. It connects to a mining server at “gulf[.]moneroocean[.]stream”.

“Atom.exe” is the SupremeBot mining client, which duplicates itself and creates a scheduled task that executes the copy every 15 minutes.

It then establishes a command and control (C2) connection to transmit information, register the client, and get the necessary configuration to start mining.

Through its C2 connection, SupremeBot fetches a “wime.exe” executable file.

“Wime.exe” is an Umbral Stealer, which steals data, including stored passwords and cookies containing session tokens, cryptocurrency wallets and credentials, and authentication tokens for various games and other platforms.

Umbral Stealer evades Windows Defender by disabling it when tamper protection is not active; when tamper protection is enabled, it instead adds its own process to Defender’s exclusion list.
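The two persistence and evasion behaviours described above (a scheduled task re-running a copy dropped under AppData every 15 minutes, and a process added to Defender's exclusion list) are things a defender can check for directly. The following PowerShell hunting script is an added example written for this article; it is not code from Cyble, Bleeping Computer or the game's authors. It assumes an elevated session on a Windows host with the Defender and DnsClient modules present; the AppData path pattern, the file-name watchlist (taken from the names reported above) and the choice to flag any repeating trigger are this script's own heuristics, not indicators published with the report.

```powershell
# Added hunting script (not from the article or from Cyble): surfaces scheduled tasks that
# run a binary out of a user's AppData folder on a repeating timer, shows Defender's tamper
# protection state and exclusion lists, and checks the local DNS cache for the mining pool
# host named in the report. Run as Administrator; review, do not auto-delete, what it prints.

# File names reported in the article. The path regex and interval logic are assumptions.
$suspectNames   = @('java.exe', 'atom.exe', 'wime.exe')
$appDataPattern = '\\Users\\[^\\]+\\AppData\\'

# --- 1. Scheduled tasks executing from AppData (or matching the watchlist) -------------
$findings = foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        $exe = $action.Execute
        if (-not $exe) { continue }          # e.g. COM-handler actions have no Execute
        $expanded = [Environment]::ExpandEnvironmentVariables($exe)

        $fromAppData = ($expanded -match $appDataPattern) -or ($exe -match '%(LOCAL)?APPDATA%')
        $nameHit     = $suspectNames -contains ([IO.Path]::GetFileName($expanded)).ToLower()

        if ($fromAppData -or $nameHit) {
            # Repetition.Interval is an ISO 8601 duration, e.g. "PT15M" for every 15 minutes
            $intervals = ($task.Triggers |
                Where-Object { $_.Repetition -and $_.Repetition.Interval } |
                ForEach-Object { $_.Repetition.Interval }) -join ','
            [PSCustomObject]@{
                TaskPath = $task.TaskPath
                TaskName = $task.TaskName
                Execute  = $exe
                Args     = $action.Arguments
                Repeat   = $intervals
                Author   = $task.Author
            }
        }
    }
}

Write-Host "== Scheduled tasks running from AppData or matching the watchlist =="
if ($findings) { $findings | Format-Table -AutoSize } else { Write-Host "none found" }

# --- 2. Defender state: the stealer's branch depends on IsTamperProtected --------------
Write-Host "`n== Defender tamper protection and real-time protection =="
Get-MpComputerStatus |
    Select-Object IsTamperProtected, RealTimeProtectionEnabled, AntivirusEnabled |
    Format-List

# --- 3. Defender exclusions: anything here that you did not add deserves a look --------
Write-Host "== Defender exclusions =="
$pref = Get-MpPreference
[PSCustomObject]@{
    ExclusionPath      = ($pref.ExclusionPath      -join '; ')
    ExclusionProcess   = ($pref.ExclusionProcess   -join '; ')
    ExclusionExtension = ($pref.ExclusionExtension -join '; ')
} | Format-List

# --- 4. DNS cache: has this host resolved the mining pool named in the report? ---------
Write-Host "== DNS cache entries for the reported mining pool domain =="
$dnsHits = Get-DnsClientCache | Where-Object { $_.Entry -like '*moneroocean.stream*' }
if ($dnsHits) { $dnsHits | Select-Object Entry, Data, TimeToLive | Format-Table -AutoSize }
else { Write-Host "none cached" }
```

A task that re-runs an executable from AppData every 15 minutes is not proof of compromise on its own (some legitimate updaters do similar things), so treat the output as a triage list: confirm the binary's publisher and hash before acting. The DNS cache check only sees recent lookups and is empty after a reboot, so it complements rather than replaces proxy or firewall logs.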

Super Mario 3: Mario Forever is a free-to-play remake of the Nintendo classic for the Windows operating system.

The title was very popular and has accumulated millions of downloads since its launch in 2003.
