Super Mario Forever Game Installs Crypto Mining Malware on User Devices and Steals Personal Data

by Tolu Ajiboye

A recent report from a research and intelligence firm reveals that the Super Mario Forever remake from Buziol Games is being distributed bundled with malware.

Hackers have hijacked a Super Mario game and are using it to install crypto-mining malware on unsuspecting Windows devices. PC gamers who install it may be unknowingly lending their hardware to unscrupulous operators who mine crypto with it and also steal user information.

According to a report from Cyble Research & Intelligence Labs (CRIL), a legitimate installer for Super Mario 3: Mario Forever has been bundled with additional malicious payloads. The intelligence firm reports that the malware runs crypto-mining software that consumes heavy computing resources, and also steals data from the device. Cyble’s report states:

“Recently, CRIL identified a trojanized Super Mario Bros game installer that delivers multiple malicious components, including an XMR miner, SupremeBot mining client, and the Open-source Umbral stealer. The malware files were found bundled with a legitimate installer file of super-mario-forever-v702e.”

Initially launched in 2003 and developed by Buziol Games, Super Mario 3: Mario Forever is an unofficial free-to-play remake of the original Super Mario from Japanese gaming giant Nintendo. The game became a hit with several million downloads and was applauded by the general public. Gamers loved it because it contained better graphics and improved sound while retaining all of the classic mechanics from the original version. Buziol Games continued to improve the game and released updated versions for at least ten years.

The Super Mario Malware

Cyble researchers state that hackers have now published a modified, trojanized version of the game. Also known as “Super Mario Forever,” the game is distributed as an installer archive with three executables. One of these is the legitimate Super Mario game, while the other two are malware. Running the executables installs the malware into the user’s Windows AppData directory.

Upon execution, the installer runs an XMR (Monero) miner and a SupremeBot mining client. The Monero miner steals data from the system, connects to a mining server, and then begins mining.

The other executable copies itself into a hidden folder and then deletes the original file so that the process stays discreet. The copy runs every 15 minutes under a fake name chosen to resemble a legitimate process. Once installed, the malware transmits information from the device and pulls remote configuration for XMR mining.

According to Cyble, the Super Mario malware can take screenshots, capture webcam images, and pull passwords and cookies from a user’s browser. The malware can also steal Discord tokens and session files from Telegram, as well as collect system files connected to crypto wallets.

CRIL’s Recommendations

Cyble’s report includes a few recommendations for people who have installed the game, since they may be exposed to the malware. According to CRIL, all users should periodically monitor their CPU usage and system performance, and activate automatic software updates for Windows. The recommendations also include using strong antivirus software or an internet security program on the device and on other connected devices.
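As an added illustration for the behaviours described above and for CRIL’s advice to watch CPU usage, the following Python triage routine flags the pattern the article describes: a scheduled task that runs an executable from AppData every 15 minutes under a name borrowed from a legitimate Windows process, and a high-CPU process running from the same kind of location. This is example code written for this article, not code from Cyble or from the report; the task and process records, the folder names, the list of impersonated process names and the 80% CPU threshold are all constructed for the demonstration.

```python
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The article reports the payload being dropped under the user's AppData directory.
APPDATA_RE = re.compile(r"\\AppData\\", re.IGNORECASE)
# Directories where genuine copies of Windows system binaries live.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Process names that malware often borrows to look legitimate.
# Constructed list for this example; the report does not name the fake process.
IMPERSONATED_NAMES = {"svchost.exe", "explorer.exe", "runtimebroker.exe", "conhost.exe"}

# First token of a command line, honouring a quoted path with spaces.
_EXE_RE = re.compile(r'^\s*(?:"([^"]+)"|(\S+))')


def executable_of(command: str) -> str:
    """Return the executable path from a task action string."""
    m = _EXE_RE.match(command)
    return (m.group(1) or m.group(2)) if m else ""


@dataclass
class ScheduledTask:
    name: str
    action: str                    # command line the task runs
    repeat_minutes: Optional[int]  # repetition interval, None if it does not repeat


@dataclass
class ProcessSample:
    name: str
    path: str
    cpu_percent: float             # CPU share averaged over a sampling window


def task_reasons(task: ScheduledTask) -> List[str]:
    """Reasons a scheduled task matches the persistence pattern in the article."""
    reasons = []
    exe = executable_of(task.action)
    if APPDATA_RE.search(exe):
        reasons.append("executable lives under AppData")
    if task.repeat_minutes is not None and task.repeat_minutes <= 15:
        reasons.append(f"repeats every {task.repeat_minutes} minutes")
    base = ntpath.basename(exe).lower()
    if base in IMPERSONATED_NAMES and not exe.lower().startswith(SYSTEM_DIRS):
        reasons.append(f"{base} running outside Windows system directories")
    return reasons


def process_reasons(proc: ProcessSample, cpu_threshold: float = 80.0) -> List[str]:
    """Reasons a running process matches the miner pattern in the article."""
    reasons = []
    if APPDATA_RE.search(proc.path):
        reasons.append("executable lives under AppData")
    base = proc.name.lower()
    if base in IMPERSONATED_NAMES and not proc.path.lower().startswith(SYSTEM_DIRS):
        reasons.append(f"{base} running outside Windows system directories")
    # A CPU spike alone is not evidence (a game or a build pegs the CPU too);
    # it only strengthens a hit on location or name.
    if reasons and proc.cpu_percent >= cpu_threshold:
        reasons.append(f"sustained CPU {proc.cpu_percent:.0f}%")
    return reasons


def triage(tasks: List[ScheduledTask], procs: List[ProcessSample]) -> List[Tuple[str, str, List[str]]]:
    """Return (kind, identifier, reasons) for every task or process worth a look."""
    flagged = []
    for t in tasks:
        r = task_reasons(t)
        if r:
            flagged.append(("task", t.name, r))
    for p in procs:
        r = process_reasons(p)
        if r:
            flagged.append(("process", p.path, r))
    return flagged


# Constructed sample inventory: one benign task, one task shaped like the article's
# description, plus a benign service, a legitimate CPU-hungry game and a miner copy.
SAMPLE_TASKS = [
    ScheduledTask(r"\Microsoft\Windows\Defrag\ScheduledDefrag",
                  r"C:\Windows\System32\defrag.exe -c -h -o", None),
    ScheduledTask("svchost",
                  r'"C:\Users\alice\AppData\Roaming\Hidden\svchost.exe" --config cfg.json', 15),
]
SAMPLE_PROCS = [
    ProcessSample("svchost.exe", r"C:\Windows\System32\svchost.exe", 1.5),
    ProcessSample("game.exe", r"C:\Games\SuperMario\game.exe", 92.0),
    ProcessSample("svchost.exe", r"C:\Users\alice\AppData\Roaming\Hidden\svchost.exe", 97.0),
]

if __name__ == "__main__":
    for kind, ident, reasons in triage(SAMPLE_TASKS, SAMPLE_PROCS):
        print(f"[{kind}] {ident}: {'; '.join(reasons)}")
```

On a real machine the two record lists would be filled from a scheduled-task export and a process listing; the logic deliberately ignores a high-CPU process in a normal location so that the game itself is not flagged.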

According to a Protos report, this is not the first time hackers have infected Super Mario with malware. Protos says that researchers found “a mess of viruses” associated with Super Mario Forever in the late 2010s.
