Some Super Mario installers distribute malware for Windows

Malware in Super Mario
Written by Carina Wilson

Cyble researchers have discovered a trojanized installer for Super Mario 3: Mario Forever for Windows that infected unsuspecting players with several pieces of malware.

Super Mario 3: Mario Forever is a free version of the classic Nintendo game, developed by Buziol Games and released for Windows in 2003. Development has continued since then: several versions with bug fixes and improvements have been released, and the game is still popular today and considered a classic.

As a reminder, we have also reported that Erbium Infostealer Is Spreading under the Guise of Cracks and Cheats for Games, and that Unusual YTStealer Malware Targets YouTubers.

Also worth reading is this review by information security specialists: 5 Dangers of Cracked Games.

Cyble's experts found that the attackers built a modified installer for Super Mario 3: Mario Forever, packaged as a self-extracting executable archive and distributed through unknown channels. Most likely, the infected game is advertised on gaming forums and social networks, or pushed to users through malvertising, black hat SEO and similar methods.

Malicious installer

The archive contains three executables: one installs the game itself (super-mario-forever-v702e.exe), while the other two (java.exe and atom.exe) are silently dropped into the AppData directory during game installation.


Once the malicious executables are on disk, the installer runs them, starting the XMR (Monero) miner and the SupremeBot mining client.

The java.exe file is a Monero cryptocurrency miner: it collects information about the victim's hardware and connects to the gulf[.]moneroocean[.]stream server to begin mining.

SupremeBot (atom.exe) creates a copy of itself and places it in a hidden folder inside the game's installation directory. Next, it creates a scheduled task that executes this copy every 15 minutes indefinitely, hiding under the name of a legitimate process.

The copy then terminates the original process and deletes the original file to avoid detection. The malware next connects to the command-and-control server to send system data, register the client and receive a configuration so that Monero mining can begin. After that, SupremeBot also receives an additional payload from the server, an executable named wime.exe.

This last file is Umbral Stealer, an open-source infostealer written in C# and available on GitHub since April 2023. It steals information stored in browsers on the infected device, including saved passwords and cookies containing session tokens, cryptocurrency wallet data, and credentials and authentication tokens for Discord, Minecraft, Roblox and Telegram.

In addition, Umbral Stealer can bypass Windows Defender by disabling it if tamper protection is not enabled; otherwise, it adds itself to the exclusion list. The malware also modifies the hosts file to disrupt popular antivirus products and block the websites of their vendors, preventing them from operating normally.

Changes in hosts
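The hosts-file tampering described above leaves a simple trace: external hostnames mapped to a loopback or null address. The following audit script is an added example, not code from the article or from Cyble; it parses a hosts file and flags such entries. The sample hosts content and the av-vendor.example domains are constructed, since the article does not name the blocked sites.

```python
"""Audit a Windows hosts file for entries that sinkhole external domains.

An entry that points a non-local hostname at a loopback or null address
makes that site unreachable, which is how a stealer can cut off antivirus
updates and vendor websites. This check flags every such mapping.
"""
import ipaddress
from pathlib import Path

# Addresses that make a hostname unreachable when placed in hosts.
SINKHOLE_ADDRS = {"0.0.0.0", "127.0.0.1", "::1", "::"}
# Names that legitimately resolve to loopback and must not be flagged.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost",
               "ip6-loopback", "broadcasthost"}

def parse_hosts(text):
    """Yield (ip, hostname, line_no) for every mapping, ignoring comments."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        ip, *names = line.split()
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue  # malformed line, not a mapping
        for name in names:                    # one line may list several hosts
            yield ip, name.lower(), line_no

def find_sinkholed(text):
    """Return (line_no, hostname, ip) for non-local names sent to a dead address."""
    return [(n, host, ip) for ip, host, n in parse_hosts(text)
            if ip in SINKHOLE_ADDRS and host not in LOCAL_NAMES]

# Constructed sample (hypothetical domains): lines 4 and 5 stand in for the
# vendor sites the article says were blocked; the rest are benign entries.
SAMPLE_HOSTS = """# default entries
127.0.0.1       localhost
::1             localhost
0.0.0.0 update.av-vendor.example   # added by malware
127.0.0.1 www.av-vendor.example support.av-vendor.example
192.168.1.10 printer.lan
"""

if __name__ == "__main__":
    # On a real Windows host the system file is audited; otherwise the sample is used.
    path = Path(r"C:\Windows\System32\drivers\etc\hosts")
    text = path.read_text(errors="replace") if path.exists() else SAMPLE_HOSTS
    for line_no, host, ip in find_sinkholed(text):
        print(f"line {line_no}: {host} -> {ip}")
```

Any hit should be compared against what the administrator deliberately configured; a loopback mapping for a security vendor's update or web domain is a strong indicator of this kind of tampering.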

The stealer can also take screenshots of the victim's desktop and use webcams connected to the system. All stolen data is stored locally before being sent to the attackers' server.

The researchers recommend that anyone who has recently downloaded Super Mario 3: Mario Forever check their computer for installed malware and remove it if any is found.

About the author

Carina Wilson

With more than 10 years of experience writing for online and print media, I am an expert in producing clear and compelling text.

I have written for a leading SEO copywriting agency as well as for some of the UK's best-known brands, magazines and newspapers.
