Consider following on social media!
Quick note: if you’re viewing this via email, come to the site for better viewing. Enjoy!
Photo by Russell Butcher, please support by following @pexel.com
All might not be so one up in the mushroom kingdom. Gamers who love playing as the tubby loveable plumber hopping in and out of pipes might want to opt for playing his other games until the sewage clears.
In a nutshell, if you have downloaded Super Mario 3: Mario Forever then the game isn’t the only thing that might be running on your computer. We’re going to look at what kind of attack this is, who used it, the functionality and effects upon its release, and what are some ways you can prevent this from being your computer’s last one up.
Photo by Pixabay, please support by following @pexel.com
The Attack
One-upping everyone to speed who is unfamiliar with the loveable plumber, his brother Luigi, the Princess Peach, and everyone in the mushroom kingdom, Mario is a popular platformer game that was released in 1985 on the home console Nintendo Entertainment System or widely known as NES under the title “Super Mario Bros.”
The objective of the game was to rescue the chronically kidnapped Princess Peach from the overgrown-I-don’t-know-how-this-relationship-would-work-because-his-a-lizard-and-she’s-a-human King Bowser. Just know a long story short there are some questionable motives on all parties, but Mario goes on a massive trip to rescue her time and time again. And one of those times was the Super Mario 3: Mario Forever game.
For those who may not know, Mario Forever is a fan-made game that was released in 2003 with the old-school NES side-scrolling and art style with an updated look and some new features.
Within the Super Mario game, trojan malware has been released for unsuspecting gamers with the intent to do some mining. And before you make the joke, it’s not mining with Minecraft. Minecraft has its own problems to dig through.
Photo by cottonbro studio, please support by following @pexel.com
Who Can It Be Now
Digging through research, threat actors were discovered by Cyble—a cyber threat intelligence and research company, that has spotted threat actors distributing a slightly different sample of Super Mario 3 installer.
It has been known that threat actors frequently hide malware in-game installers and since Mario is a highly popular gaming franchise this makes the perfect attack vector for threat actors.
Just when you thought Mario couldn’t plunge himself deeper into your wallet. Thanks a lot Nintendo.
Enjoy the read so far? Why don’t you consider subscribing so you can keep up to date?
Z-Daddy: That Derek but in this version there’s two spicy meatballs.
Photo by Pexels User, please support by following @pexel.com
The Sinking Feeling
Appearances of Mario Forever, the trojan edition, have been thought to be seen circulating on gaming forums, and social media outlets, and appearing high up on search results. In this attack, there are three portions.
The first installs the Mario game and the other two secretly creep into the victim’s AppData directory during the installation. Once this process is complete, the installer fires up the XMR and the SupremeBot mining client. All the information about the victim’s machine is collected and sent to a mining server to begin the mining process.
A quick thing to note, XMR which is better known as Monero, is a mining program used by cybercriminals for crypto-jacking. In short, it makes use of the CPU (Central Processing Unit) to mine for Monero coins, the irony. The file for Monero will appear as “java.exe”. While this happens, SupremeBot, which will appear as a file named “atom.exe”, creates a copy of itself and places it in a hidden folder of the game’s installation directory.
Afterward, hiding under the name of a legitimate process, a scheduled task is created to run the copy every 15 minutes indefinitely. The first process is stopped, and the original file is deleted, this is done to avoid detection. Once that is completed, the malware sets up a connection with the C2 (Command and Control) server, here is where the collected data is transmitted, information about the client is registered, and the configuration for mining Monero is run.
SupremeBot then receives the payload from the C2 server in the form of a file named ‘wime.exe.’ This final file is called Umbral Stealer (UmS)—an information stealer programmed in C# designed to steal from infected Windows devices. All the information stored in web browsers such as, but not limited to, stored passwords, cookies, session tokens, crypto wallets, credentials, and authentication tokens for Discord, Minecraft, Roblox, and Telegram.
UmS can also create screenshots of the desktop, gain control of the webcam, and other media devices and collect local data before exiting to the C2 server. If that wasn’t enough, UmS can bypass the Windows Defender if tamper protection isn’t enabled.
If not enabled, UmS will add itself to Defender’s exclusion list, this means if it wasn’t on the welcome list before, it is now. UmS will also configure Windows host files to hinder communication with antivirus products rendering them ineffective. Just when you thought having a little security couldn’t get any smaller.
Photo by cottonbro studio, please support by following @pexel.com
The Prevention
Any gamer will tell you that it’s hard to keep Mario completely safe while traversing Mushroom World on his never-ending quest to rescue Princess Peach. Many know it takes a couple of hits to cost Mario a life, but it only takes one for your computer.
A few ways to defend are downloading from official sources as third-party sources could have malware. It is best to frequently scan any downloads before running them on your computer.
Always make sure your antivirus software is up to date. If you feel as though you may have downloaded an infected version of Mario Forever, then you should scan your computer and remove anything detected.
If found, you should prioritize what is most important and change all passwords to any logins such as personal, banking, emails, and financial immediately. Keep your information safe and let Mario be the one running around in a panic.
Photo by Anurag Sharma, please support by following @pexel.com
Made it this far and found this to be entertaining? Then a big thanks to you and please show your support by cracking a like, sharing this with whomever, scripting a comment, or plug-in to follow.
Would like to give sincere thanks to current followers and subscribers, your support and actions mean a lot and has a play in the creation of each script.
Do you feel like there is something I may have missed on Monero, SupremeBot, or Umbral Stealer? Script a comment below.
