A trojanized Super Mario Bros game installer has been found to contain multiple malicious components, including an XMR miner, the SupremeBot mining client and the open-source Umbral Stealer.
According to the technical write-up, the malicious campaign takes advantage of the powerful hardware commonly associated with gaming to mine cryptocurrencies and steal sensitive information.
“The malware files were found bundled with a legitimate installer file of super-mario-forever-v702e,” CRIL explained. “This incident highlights another reason TAs [threat actors] utilize game installers as a delivery mechanism.”
The attack chain starts with the trojanized Super Mario Bros installer, which ships the malicious payload alongside the legitimate game installer so that the game still installs and the victim has no obvious reason to suspect anything.
Upon execution, the malware silently drops its components to disk and launches them. These include an XMR (Monero) miner, which consumes the victim's CPU and GPU to mine cryptocurrency for the attacker, and the SupremeBot mining client, which manages the mining process.
The malware also deploys Umbral Stealer, an open-source information stealer, to collect the computer name, username, GPU and CPU details and other data from the victim's system. The stolen data is then transmitted to the attacker's command and control (C2) server.
According to CRIL, the combination of mining activities and information theft results in financial losses, system performance degradation and resource depletion.
“As a consequence, both individual users and organizations suffer severe productivity setbacks,” reads the advisory.
To protect against threats like this, the company advised users and organizations to monitor system performance (a miner shows up as sustained CPU or GPU load that does not match what the user is actually running), implement strict security policies, refrain from downloading software from untrusted sources and use reputable antivirus software.
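As an added illustration of the "monitor system performance" advice above (this is example code written for this page, not CRIL's tooling or anything from the write-up), the script below runs a simple cryptominer heuristic over a constructed set of process samples. It flags a process only when high CPU is sustained over a window *and* the process holds an outbound connection to a port commonly used by Monero mining pools, or when the binary name matches a known miner; sustained CPU alone is deliberately not enough, because a game pegs the CPU legitimately. The pool-port list, miner names, thresholds and sample data are all assumptions chosen for the example.

```python
"""Heuristic cryptominer detector over periodic process samples.

Added example, not from the CRIL write-up. Input is a list of
ProcSample records such as an EDR or a scheduled collector might emit.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Assumed indicators (not from the article): ports frequently used by
# Monero pools, and binary names of common miners. Tune for your estate.
POOL_PORTS = {3333, 4444, 5555, 7777, 14444}
MINER_NAMES = {"xmrig.exe", "xmrig", "minerd"}
CPU_THRESHOLD = 80.0        # percent of one core
MIN_SUSTAINED_SECS = 60     # how long CPU must stay above the threshold


@dataclass(frozen=True)
class ProcSample:
    ts: int                  # sample time, seconds
    pid: int
    name: str
    cpu_pct: float
    remote_port: Optional[int]  # remote port of an outbound connection, if any


def flag_miners(samples: Iterable[ProcSample],
                cpu_threshold: float = CPU_THRESHOLD,
                min_secs: int = MIN_SUSTAINED_SECS) -> Dict[int, List[str]]:
    """Return {pid: [reasons]} for processes that look like miners."""
    by_proc = defaultdict(list)
    for s in samples:
        by_proc[(s.pid, s.name)].append(s)

    hits: Dict[int, List[str]] = {}
    for (pid, name), rows in by_proc.items():
        rows.sort(key=lambda r: r.ts)
        reasons = []

        if name.lower() in MINER_NAMES:
            reasons.append("known miner name")

        # Longest continuous stretch (in seconds) with CPU at/above threshold.
        run_start = None
        longest = 0
        for r in rows:
            if r.cpu_pct >= cpu_threshold:
                if run_start is None:
                    run_start = r.ts
                longest = max(longest, r.ts - run_start)
            else:
                run_start = None

        pool_ports = sorted({r.remote_port for r in rows
                             if r.remote_port in POOL_PORTS})
        # High CPU by itself is expected on a gaming box; require the
        # network indicator as well before raising an alert.
        if longest >= min_secs and pool_ports:
            reasons.append(
                f"CPU>={cpu_threshold:.0f}% for {longest}s "
                f"with outbound pool port(s) {pool_ports}")

        if reasons:
            hits[pid] = reasons
    return hits


# Constructed sample telemetry: a legitimately busy game, a miner hiding
# under a system-looking name, an idle shell, and an undisguised miner.
SAMPLES = [
    *[ProcSample(t, 1001, "supermario.exe", 95.0, None) for t in range(0, 150, 30)],
    *[ProcSample(t, 2002, "svchost.exe", 92.0, 3333) for t in range(0, 150, 30)],
    *[ProcSample(t, 3003, "explorer.exe", 4.0, 443) for t in range(0, 150, 30)],
    ProcSample(60, 4004, "xmrig.exe", 10.0, None),
]

if __name__ == "__main__":
    for pid, why in flag_miners(SAMPLES).items():
        print(pid, "->", "; ".join(why))
```

Against the constructed samples, the game process (pid 1001) is not flagged despite 95% CPU, the "svchost.exe" on pool port 3333 (pid 2002) is flagged on the combined CPU-plus-network rule, and the named miner (pid 4004) is flagged by name alone.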
“CRIL maintains vigilant monitoring of the most recent malware variants in circulation, ensuring the continual updating of blogs with actionable intelligence to safeguard users against such attacks,” the advisory concludes.