{"id":22326,"date":"2023-06-27T16:10:04","date_gmt":"2023-06-28T00:10:04","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2023\/06\/27\/news-16056\/"},"modified":"2023-06-27T16:10:04","modified_gmt":"2023-06-28T00:10:04","slug":"news-16056","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2023\/06\/27\/news-16056\/","title":{"rendered":"SupremeBot and Mario cross the finish line together"},"content":{"rendered":"<p><a href=\"https:\/\/blog.cyble.com\/2023\/06\/23\/trojanized-super-mario-game-installer-spreads-supremebot-malware\/\" target=\"_blank\" rel=\"nofollow\">Researchers have reported<\/a>&nbsp;how popular game installers like Super Mario Games are being used to deliver malware. The malicious components include cryptominers, the SupremeBot mining client, and the open-source Umbral stealer.<\/p>\n<p>The game-installer route offers some very distinct advantages to the cybercriminals:<\/p>\n<ul>\n<li>The games are very popular and downloads are highly sought after, which increases the chances of people downloading them<\/li>\n<li>Game installers are large files, which means they can&rsquo;t be uploaded to most online malware scanners<\/li>\n<li>The game install finishes, so the user trusts the installer did what it promised to do and the extras get ignored<\/li>\n<li>The targeted systems are high-performance machines suitable for playing games, which means they can be expected to be useful in the intended mining activity<\/li>\n<\/ul>\n<p>The researchers looked at a trojanized version of a Super Mario game installer, which came as an NSIS installer. NSIS (Nullsoft Scriptable Install System) is a professional open-source system for creating Windows installers. 
In this case, it was used to combine three executable files, one of which was the legitimate Super Mario Forever game.<\/p>\n<p>But while the victim is going through the steps of the installation wizard for their game, the same installer executes two secretly dropped files in the background.<\/p>\n<ol>\n<li>An <a href=\"https:\/\/www.malwarebytes.com\/blog\/news\/2017\/12\/how-cryptocurrency-mining-works-bitcoin-vs-monero\">XMR (Monero) miner<\/a>, which operates stealthily in the background to mine cryptocurrency for the cybercriminal without authorization, using system resources in amounts that could be harmful<\/li>\n<li>SupremeBot, a mining client which also downloads a file from a <a href=\"https:\/\/www.malwarebytes.com\/glossary\/cc\">Command &amp; Control (C2) server<\/a>; in this case, an information stealer identified as the Umbral Stealer<\/li>\n<\/ol>\n<p>The SupremeBot malware uses some techniques to stay under the radar. First, it creates a copy of itself called Super-Mario-Bros.exe and drops that in a randomly named subfolder of the ProgramData folder. It also creates a new <a href=\"https:\/\/www.malwarebytes.com\/blog\/news\/2015\/03\/scheduled-tasks\">scheduled task<\/a> that runs every 15 minutes to launch that copy. Once that persistence is set up, it kills the process and deletes the original file.<\/p>\n<p>The new copy sends the victim system&rsquo;s CPU and GPU versions as identifiers to a C2 server to verify whether the client is registered. If not, the new client is added and receives XMRig CPU and GPU mining configuration details from the C2 server.<\/p>\n<p>When all that is set up, it downloads a <a href=\"https:\/\/www.malwarebytes.com\/blog\/detections\/trojan-malpack-themida\">Themida-packed file<\/a>. Upon execution, this file unpacks itself and loads the Umbral Stealer into the process memory. The Umbral Stealer is a Windows-based information stealer, which is available on GitHub as an open-source project. 
It uses Discord webhooks to send collected data to the cybercriminal.<\/p>\n<p>The collected data is obtained from the affected system by:<\/p>\n<ul>\n<li>Capturing screenshots<\/li>\n<li>Retrieving browser passwords and cookies<\/li>\n<li>Capturing webcam images<\/li>\n<li>Obtaining Telegram session files and Discord tokens<\/li>\n<li>Acquiring Roblox cookies and Minecraft session files<\/li>\n<li>Collecting files associated with cryptocurrency wallets<\/li>\n<\/ul>\n<h2>Advice<\/h2>\n<p>To prevent falling victim, here are some guidelines:<\/p>\n<ul>\n<li>Only download from trusted sources<\/li>\n<li>Monitor your system for high CPU usage and other performance issues<\/li>\n<li>Use updated, real-time anti-malware protection<\/li>\n<\/ul>\n<p>C2 servers:<\/p>\n<p>silentlegion[.]duckdns[.]org<\/p>\n<p>shadowlegion[.]duckdns[.]org<\/p>\n<p style=\"margin: 0cm 0cm 8pt; line-height: 107%; font-size: 11pt; font-family: Calibri, sans-serif;\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/www.malwarebytes.com\/blog\/news\/2023\/06\/easset_upload_file96258_270911_e.png\" alt=\"Malwarebytes blocks silentlegion.duckdns.org\" width=\"540\" height=\"309\" \/><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/www.malwarebytes.com\/blog\/news\/2023\/06\/easset_upload_file72438_270911_e.png\" alt=\"Malwarebytes blocks shadowlegion.duckdns.org\" width=\"539\" height=\"309\" \/><\/p>\n<hr \/>\n<p dir=\"ltr\">Malwarebytes EDR and MDR remove all remnants of ransomware and&nbsp;prevent you from getting reinfected. Want to learn more about how we can help protect your business? 
Get a free trial below.<\/p>\n<p style=\"text-align: center;\"><a href=\"https:\/\/www.malwarebytes.com\/business\/contact-us\/\" class=\"blue-cta-bttn\">TRY NOW<\/a><\/p>\n<p><a href=\"https:\/\/www.malwarebytes.com\/blog\/news\/2023\/06\/supremebot-and-mario-cross-the-finish-line-together\" target=\"bwo\" >https:\/\/blog.malwarebytes.com\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<table cellpadding=\"10\">\n<tr>\n<td valign=\"top\" align=\"left\">\n<p>Categories: <a href=\"https:\/\/www.malwarebytes.com\/blog\/category\/news\" rel=\"category tag\">News<\/a><\/p>\n<p>Tags: Mario<\/p>\n<p>Tags:  SupremBot<\/p>\n<p>Tags:  XMR miner<\/p>\n<p>Tags:  cryptominers<\/p>\n<p>Tags:  mining client<\/p>\n<p>Tags:  scheduled task<\/p>\n<p>Tags:  C2<\/p>\n<p>Download your games from trusted sources or you may get more than you bargained for&#8230;<\/p>\n<table width=\"100%\">\n<tr>\n<td align=\"right\">\n<p><b>(<a href=\"https:\/\/www.malwarebytes.com\/blog\/news\/2023\/06\/supremebot-and-mario-cross-the-finish-line-together\" title=\"SupremeBot and Mario cross the finish line together\">Read more&#8230;<\/a>)<\/b><\/p>\n<\/td>\n<\/tr>\n<\/table>\n<\/td>\n<\/tr>\n<\/table>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/www.malwarebytes.com\/blog\/news\/2023\/06\/supremebot-and-mario-cross-the-finish-line-together\">SupremeBot and Mario cross the finish line together<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/www.malwarebytes.com\">Malwarebytes 
Labs<\/a>.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10488,10378],"tags":[24773,15826,9563,29659,32,26768,29657,29658],"class_list":["post-22326","post","type-post","status-publish","format-standard","hentry","category-malwarebytes","category-security","tag-c2","tag-cryptominers","tag-mario","tag-mining-client","tag-news","tag-scheduled-task","tag-suprembot","tag-xmr-miner"],"_links":{"self":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/22326","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=22326"}],"version-history":[{"count":0,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/22326\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=22326"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=22326"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=22326"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}