Source: Bleeping Computer
Summary
Researchers have discovered the circulation of a trojanized version of the popular Super Mario 3: Mario Forever game for Windows. The self-extracting archive file is likely promoted through gaming forums, search engine optimization (SEO) manipulation, and smishing.
The file contains three executables: the legitimate game installer and two cryptocurrency mining clients known as XMR and SupremeBot. When the game is installed, the mining clients are automatically installed and configured to begin mining.
SupremeBot takes additional steps to ensure it isn’t detected by creating a copy of itself in a hidden folder and deleting the original file. It also creates a scheduled task that runs every 15 minutes and downloads Umbral Stealer, an info stealer capable of collecting stored passwords, cookies, cryptocurrency wallets, and credentials for various online platforms.
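The persistence pattern described above (a scheduled task that fires every 15 minutes and launches an executable dropped outside normal program directories) is something a defender can triage directly from Task Scheduler exports. The following is an added example, not code from the original brief or from Field Effect; it parses the XML that `schtasks /Query /TN <task> /XML` prints, flags short repetition intervals and commands that run from user-writable locations, and treats the combination of the two as suspicious. The task XML samples, the task names, the file paths and the list of user-writable directories are constructed for this example and are not indicators from the campaign.

```python
"""Triage Windows Task Scheduler XML for the persistence pattern described
in the brief: a short repeating trigger plus an action that launches an
executable from a user-writable location.

Input is the XML that `schtasks /Query /TN <task> /XML` prints (also found
as files under C:\\Windows\\System32\\Tasks). Real exports are UTF-16 with
an XML declaration; pass them as bytes so ElementTree honours the encoding.
"""
import re
import xml.etree.ElementTree as ET

# Task Scheduler schema namespace (fixed by Microsoft, not campaign-specific).
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Directories legitimate vendors rarely schedule recurring tasks from but
# that droppers commonly write to. Assumption: tune for your environment.
SUSPICIOUS_DIRS = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")


def iso_duration_minutes(value):
    """Convert an ISO 8601 duration such as PT15M or P1DT2H to minutes.

    Returns None when the value is not a duration this parser understands.
    """
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", value or "")
    if not m:
        return None
    days, hours, mins, secs = (int(x) if x else 0 for x in m.groups())
    return days * 1440 + hours * 60 + mins + secs / 60


def assess_task(xml_text, max_interval_minutes=15):
    """Return a dict with the task name, human-readable findings and a
    'suspicious' flag that is set only when BOTH a short repetition interval
    and a user-writable command path are present."""
    root = ET.fromstring(xml_text)
    name = root.findtext("t:RegistrationInfo/t:URI", default="<unnamed>", namespaces=NS)
    findings = []

    # Any trigger may carry a <Repetition><Interval>; collect the short ones.
    intervals = [iso_duration_minutes(e.text) for e in root.iterfind(".//t:Repetition/t:Interval", NS)]
    short = [i for i in intervals if i is not None and i <= max_interval_minutes]
    if short:
        findings.append(f"repeats every {min(short):g} min")

    # Each <Exec> action names the program the task launches.
    bad_path = False
    for cmd in root.iterfind(".//t:Exec/t:Command", NS):
        path = (cmd.text or "").strip().strip('"').lower()
        if any(d in path for d in SUSPICIOUS_DIRS):
            bad_path = True
            findings.append(f"launches from user-writable path {path}")

    return {"name": name, "findings": findings, "suspicious": bool(short) and bad_path}


# Constructed sample: a task shaped like the behaviour the brief describes.
SAMPLE_SUSPICIOUS = r"""<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\Updater</URI></RegistrationInfo>
  <Triggers>
    <TimeTrigger>
      <Repetition><Interval>PT15M</Interval><StopAtDurationEnd>false</StopAtDurationEnd></Repetition>
      <StartBoundary>2023-06-01T00:00:00</StartBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec><Command>C:\Users\alice\AppData\Roaming\.cache\svc.exe</Command></Exec>
  </Actions>
</Task>"""

# Constructed sample: frequent, but from Program Files, so only one finding.
SAMPLE_BENIGN = r"""<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\Vendor\Sync</URI></RegistrationInfo>
  <Triggers>
    <CalendarTrigger>
      <Repetition><Interval>PT10M</Interval></Repetition>
      <StartBoundary>2023-06-01T00:00:00</StartBoundary>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec><Command>"C:\Program Files\Vendor\sync.exe"</Command><Arguments>/quiet</Arguments></Exec>
  </Actions>
</Task>"""


if __name__ == "__main__":
    for sample in (SAMPLE_SUSPICIOUS, SAMPLE_BENIGN):
        result = assess_task(sample)
        print(result["name"], "SUSPICIOUS" if result["suspicious"] else "ok", result["findings"])
```

The XML does not record whether the target directory carries the Hidden attribute, so that part of the brief's description has to be confirmed on the live host (for example with `attrib` or `Get-Item -Force` on the command path); the script narrows the list of tasks worth that manual look rather than replacing it.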
Screenshot of trojanized Super Mario installer (Source: Bleeping Computer)
Analysis
Used properly, cryptocurrency miners are legitimate programs that process cryptocurrency transactions in exchange for a small, predetermined amount of the currency. Miners are inherently resource-heavy and often rely on a device’s graphics card for processing, since graphics cards are designed to perform large numbers of calculations in parallel, which is exactly what cryptocurrency mining requires.
Miners on their own are more a nuisance than a threat, using up the computer’s resources and slowing it down. However, as this threat brief shows, miners can be a gateway to more malicious malware like ransomware and infostealers.
It’s possible the popular Super Mario game was chosen as the attack vector because the threat actor assumed gamers may have powerful computers capable of mining cryptocurrency at a high rate.
Mitigation
Covalence users are automatically notified when cryptocurrency mining is detected in their environment, as well as when potentially unwanted applications such as file sharing applications, which are frequent entry points for malware like this, are present. Covalence users are encouraged to review these AROs as quickly as possible.
Additionally, Field Effect encourages users to only download and install programs from trusted sources rather than URLs sent via unsolicited texts or social media messages.