Mario Forever, malware too: a free game with a miner and Trojans inside

Malicious versions of the free-to-download game Super Mario 3: Mario Forever plant a miner and a stealer on gamers’ machines.

We often talk about the perils of downloading pirated versions of games, since they may harbor malware. But they aren’t the only threat. Nasty surprises can pop up in free-to-play games, too, which is what happened just recently with Super Mario 3: Mario Forever. But first things first…

Malware in free-to-play Super Mario 3: Mario Forever

The Super Mario series (aka Super Mario Bros. or simply Mario) is one of the best-loved gaming universes. In its 38 years of existence there’ve been 24 original games in the main series alone, not to mention dozens of remakes and remasters. Besides that, there are seven spin-off series adding scores of games to the Mario universe. That said, they do all have one thing in common: all of these games — save for the rarest of exceptions — were officially released solely on Nintendo’s own platforms.

So what do you do if you want to play Mario on your computer? You have to download either a PC port or a so-called fangame. Bear in mind, however, that neither option is official or available for download on Nintendo’s own website.

Therefore, the search can often lead down some dark corridors, where enterprising-yet-dodgy types might slip you something malicious instead of a game. Something like this just happened with the free game Super Mario 3: Mario Forever, created by fans. Experts found versions of the game that infected the victim’s computer with several kinds of malware all at once.

What’s inside the infected Mario Forever

The attack chain is as follows: when the Mario Forever distribution kit is launched, the game gets installed on the computer, together with the SupremeBot mining client and a malicious Monero (XMR) miner. The mining client then installs another piece of malware on the computer — the Umbral stealer.

Umbral earns its crust by stealing almost any information of value that it can find on the victim’s machine: browser-stored credentials, cryptowallet keys, as well as session tokens — small pieces of data by which a site or online service remembers you so there’s no need to keep logging in (a bit like cookies). Umbral is particularly fond of hunting Discord, Telegram, Roblox and Minecraft tokens. Besides this, the stealer can capture webcam footage and take screenshots of the infected computer. All in all, a particularly nasty piece of malware with wide-ranging functionality.

The result is a Pandora’s box of troubles for victims of the infected Super Mario 3: Mario Forever. First, their computers become sluggish and consume more power than usual due to background mining. Second, they’re at risk of account hijacking due to Umbral stealing their passwords. Third, and worst of all: if any cryptowallet private keys are stored on the computer, this threatens direct financial loss.

Gamer-attacking malware

In general, this problem is quite widespread. Pirated and free games from dubious sources are ideal territory for malicious miners. Gaming computers tend to be high-spec — especially the graphics card, which is what’s needed for mining in the first place.

This means they’re far better suited to mining cryptocurrency behind the user’s back than some boringly slow office machine. Detecting a hidden miner on your own is quite a hard job — one that requires a good antivirus.

Incidentally, the above-mentioned Roblox and Minecraft, for which Umbral likes to steal account session tokens, traditionally top the rankings of games most targeted by cybercriminals: from phishers to malware spreaders. Most recently, we wrote about how the Fractureiser stealer was distributed under the guise of Minecraft mods.

Protect yourself!

Finally, a few tips for gamers on how not to fall victim to cybercriminals:

  • Download games only from official sources. This is the only guaranteed way not to pick up something unpleasant.
  • If you’re looking to save money on games, there are safer methods than downloading pirated copies from shady sites and torrents.
  • Don’t fall for pie-in-the-sky promises. A long-awaited game will not be downloadable before its official release (not legally at least), while a non-existent version for your particular platform won’t materialize through wishful thinking.
  • Be careful when downloading and installing mods, and especially cheats — the latter are best avoided entirely, of course.
  • To guard against stealers, try not to save passwords in your browser. Better to use a reliable password manager.
  • And be sure to have a robust security solution installed on your gaming machine — one with a special gaming mode that keeps you safe during play without irritating slowdown.