A trojanised Super Mario Bros game installer for Windows is spreading multiple pieces of malware that can steal passwords and banking card information and mine cryptocurrency.
Super Mario 3: Mario Forever is a popular free-to-play game for Windows developed by Buziol Games. Released in 2004, the PC game is a remake of the iconic Nintendo game. The developers released several updates for bug fixes, with the latest version in 2020. According to its site, it has received over 7 million downloads.
Now, Cyble cybersecurity analysts have discovered an infected version spreading online that executes malware including an XMR miner, the SupremeBot mining client and the open-source Umbral infostealer. Threat actors trick unsuspecting gamers by including a legitimate file of Super Mario 3, all while the malware gets to work.

According to the report (via BleepingComputer), “java.exe” and “atom.exe” installers execute an XMR (Monero) miner and SupremeBot mining client for cryptocurrency. The “java.exe” file gathers system information and starts mining on a crypto mining server, while “atom.exe” copies and hides in the game’s folder, establishes a C2 server connection, and starts mining Monero.
There’s also an Umbral Stealer infostealer malware included in the installer. The known malicious software can steal stored web browser data, including login credentials, cryptocurrency wallets, cookies and authentication tokens for platforms including Discord, Telegram, Minecraft and Roblox.
Moreover, the Umbral Stealer can also remotely access webcams and take screenshots. This makes the Super Mario game a considerable risk to unaware gamers looking to install the game.
The malicious game installer is expected to spread through gaming forums, malvertising, dodgy social media groups and more. The malware reportedly disrupts antivirus software's communication with its vendors' sites, preventing the software from carrying out its usual activities on the device.

How to stop Super Mario Installer
If you’ve recently installed Super Mario 3: Mario Forever on your Windows PC, it’s best to run a scan using an antivirus to check for any malware. You may also want to check for “java.exe” and “atom.exe” within the installer. If anything is detected, delete the game and change your accounts’ passwords to ensure any private information stolen by malicious actors can’t be used.
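One way to do the file check described above from PowerShell, as an added example that is not from Cyble's report or the original article: it looks for the two reported file names inside a folder you pass in, including hidden files, and returns each match's signature status and SHA-256 so the file can be handed to an antivirus scanner. The function name `Find-ReportedDroppers` and the folder path in the usage line are assumptions.

```powershell
# Added example: triage a folder for the file names mentioned in the report.
# Find-ReportedDroppers is a hypothetical helper name, not part of any tool.
function Find-ReportedDroppers {
    param(
        # Assumption: the folder the game was installed or unpacked to.
        [Parameter(Mandatory)] [string]$Path,
        # File names taken from the article; matching is case-insensitive.
        [string[]]$Names = @('java.exe', 'atom.exe')
    )

    # -Force makes Get-ChildItem return hidden and system files as well,
    # which matters because atom.exe is reported to hide in the game folder.
    Get-ChildItem -LiteralPath $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $Names -contains $_.Name } |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
            [pscustomobject]@{
                Path      = $_.FullName
                Hidden    = [bool]($_.Attributes -band [IO.FileAttributes]::Hidden)
                Created   = $_.CreationTime
                # Status is 'Valid' only for a correctly signed binary;
                # 'NotSigned' or 'HashMismatch' deserves a closer look.
                Signature = $sig.Status
                Signer    = $sig.SignerCertificate.Subject
                SHA256    = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            }
        }
}

# Usage (the path is a placeholder; point it at your own game folder):
# Find-ReportedDroppers -Path 'C:\path\to\game\folder' | Format-List
```

A name match alone is not proof of infection: `java.exe` is also the file name of the legitimate Java launcher, so scope the search to the game folder and treat hidden or unsigned matches there as candidates for an antivirus scan.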
Use antivirus software to protect your device
The best antivirus software can help detect and protect you from all types of malware, including infostealers and miners such as SupremeBot and Umbral Stealer.
Many AV products come with a suite of security features that can get rid of viruses, malware, ransomware, spyware or any other malicious software that burrows into your device or web browser. Some antivirus software, such as Bitdefender, offers security subscriptions specifically for devices such as a PC, iPhone or Android, making it a more cost-effective option.
We recommend trusted AV software including Avast One, Norton 360 and Bitdefender, as they can efficiently detect and remove malware on your device. Check out our thoughts on each AV below.
- Norton 360 Platinum review: Security multiplied
- Bitdefender review: All-in-one premium security
- Avast One review: Strong antivirus for free!
Perform a safety check
1. On Google Chrome, click on the three vertical dots in the upper-right corner and select Settings.

2. Select Privacy and security in the right-hand toolbar.
3. Under Safety check, click Check now (or the arrow to perform it again).

If Chrome finds any issues, you’ll be able to tap on the option and follow the instructions to see how to handle it. For those who don’t want to give malware hiding on web pages any chances, you can also turn on Advanced protection.
1. In Privacy and security, click on Safe Browsing under Safety Check (or Security under Privacy and security).

2. Select Enhanced protection to turn it on.

What is infostealer malware?
Information-stealing malware, or infostealer, is a type of malware that gathers information on an infected device to send to a threat actor. It targets login credentials saved in browsers, browsing history, credit card and crypto wallet information, location data, device information, emails, social media platforms and instant messaging clients – anything valuable.
Stolen data is collected in logs and sent to the attacker. Account details and banking card information are the most sought after, as threat actors can use this information for themselves or sell it on dark web markets. Infostealer logs are hugely profitable in underground marketplaces, making them a popular form of malware.
The first sign of infostealers came about in 2007 when cybersecurity analysts detected a Trojan malware called ZeuS, or Zbot. This program aims to steal user credentials and banking information on Microsoft Windows devices to exploit individuals and organisations. It affected users around the globe, leading to the theft of billions of dollars due to its ease of installation and availability as a Malware-as-a-Service (MaaS).
From there, variants of infostealer malware became more widespread. These include the infamous Raccoon infostealer, Vidar, Mars Stealer, BlackGuard and Redline Stealer. Recently, security researchers have seen them being used to steal ChatGPT accounts. This showcases the rise of malicious threat actors using infostealers to gain private data.