Better Scan Your PC For Malware If You Installed This Super Mario Game
If you are going to download a program, it is worth knowing whether you are getting it from the authentic source or from a threat actor sitting in between. Such is the case with a trojanized Super Mario game that has been mining cryptocurrency and stealing data while people casually played Super Mario Forever.
Exploiting users’ trust through social engineering, leveraging the general trust placed in game installers, and leaning on the large file sizes and complexity of installers all allow threat actors to get away with packaging malware inside game installers, say researchers at Cyble. That malware can then be monetized by stealing information, running ransomware, or other means. In this instance, Cyble Research and Intelligence Labs (CRIL) found that a trojanized Super Mario Bros game installer delivered a cryptocurrency miner and an information stealer to unsuspecting victims.
While the legitimate Super Mario game runs normally, a Monero miner and the SupremeBot mining client are installed in the background to kick off the infection chain. The mining client then establishes communication with a command and control (C2) server to pull the miner configuration down to the victim’s machine. The client also downloads the open-source Umbral Stealer information-stealing malware, which takes sensitive data from browsers, captures screenshots and webcam images, goes after cryptocurrency wallets, and more. The stolen information is then shipped off via a Discord webhook to the threat actor’s Discord server.
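The chain described above (installer spawns a mining client, which pulls a config from C2, runs a miner, and drops a stealer that exfiltrates over a Discord webhook) leaves a recognisable shape in endpoint telemetry. The following detection sketch is an added example, not code from the article or from Cyble; the process names, hosts and event fields are constructed, and the rules flag (a) any non-browser process posting to a Discord webhook URL and (b) any network-active process descended from an installer.

```python
import re

# Constructed endpoint telemetry (not from the article): (pid, ppid, image, dest_host, dest_path).
# Names such as client.exe / xmr.exe / stealer.exe are placeholders, not real indicators.
EVENTS = [
    (100, 1,   "explorer.exe", None, None),
    (200, 100, "super_mario_forever_setup.exe", None, None),              # trojanized installer
    (210, 200, "supermario.exe", None, None),                             # the game itself, runs normally
    (220, 200, "client.exe", "c2.example.invalid", "/config"),            # mining client fetching config
    (230, 220, "xmr.exe", "pool.example.invalid", "/"),                   # miner talking to a pool
    (240, 220, "stealer.exe", "discord.com", "/api/webhooks/123/abc"),    # stealer exfil via webhook
    (300, 100, "chrome.exe", "discord.com", "/api/webhooks/456/def"),     # browser: expected traffic
]

DISCORD_WEBHOOK = re.compile(r"^/api/webhooks/\d+/")
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe", "discord.exe"}
INSTALLER_HINTS = ("setup", "install")

def ancestry(pid, events):
    """Return the image names from pid up to the root, nearest parent first."""
    by_pid = {e[0]: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(by_pid[pid][2])
        pid = by_pid[pid][1]
    return chain

def installer_root(chain):
    """First ancestor whose image name looks like an installer, or None."""
    return next((img for img in chain if any(h in img.lower() for h in INSTALLER_HINTS)), None)

def findings(events):
    """Apply both rules to every network-active process; returns (rule, image, installer) tuples."""
    out = []
    for pid, ppid, image, host, path in events:
        if host is None:
            continue
        root = installer_root(ancestry(pid, events)[1:])   # skip the process itself
        if host == "discord.com" and DISCORD_WEBHOOK.match(path) and image not in BROWSERS:
            out.append(("discord_webhook_from_non_browser", image, root))
        elif root is not None:
            out.append(("installer_child_network", image, root))
    return out

if __name__ == "__main__":
    for rule, image, root in findings(EVENTS):
        print(f"{rule}: {image} (descends from {root})")
```

The second rule is noisy on its own (legitimate games and updaters also phone home), so it is best used as context for the webhook rule rather than as a stand-alone alert.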
Of course, this is not the first time a threat actor has used a game as a disguise for malware; recent examples include the Pokémon NFT card game malware and the earlier Epic Games launcher malware. Given these and older incidents, it is always wise to get a game installer from the publisher’s own site rather than a third-party location. It is also worth turning on your antivirus or other security solution and verifying it is up to date, even if that is simply Microsoft Defender. You never know what could be lurking in an installer.