This Malware-Laced Mario Fan Game Will Turn Your Computer Into an Unwitting Crypto Miner

There’s an old rule that everybody on the internet is supposed to abide by: don’t download random shit. Seems easy enough, right? Unfortunately, as often as folks may hear this, many just can’t seem to get it through their heads.

Case in point: security researchers recently revealed that a trojanized version of Mario Forever is making the rounds that will make you wish you’d never been born. Mario Forever (also called Super Mario 3: Mario Forever) is a free-to-play 2003 fan game that was created to mimic the style and imagery of Nintendo’s original Super Mario Bros. It is officially distributed by Softendo, a website that claims to host free versions of Mario fan games (of which there are apparently quite a few). Mario Forever has been downloaded millions and millions of times.

Unfortunately, as fun as Mario Forever may sound, some circulating Windows versions of it have been laced with hidden malware that is seriously not fun. Not only is this malicious program designed to convert your hardware into an unwitting crypto-mining machine, but it also deploys a highly invasive piece of malware designed to steal pretty much all of the information on your computer.

It’s unclear exactly where the malicious versions of the game are coming from, although they’re likely being distributed on gaming forums, per the researchers. Historically speaking, gaming and cheat forums can be quite sketchy, and are often riddled with malware that will seriously bork your computer if you’re not careful.

Cybersecurity firm Cyble originally discovered the malware and wrote an in-depth analysis of how it works. According to the security researchers there, the problematic program is an installer of the Mario fan game that has been maliciously modified. The program does, in fact, install the Mario game onto the recipient’s computer. However, it also quietly installs two other malicious executables that are designed to set up a Monero-mining operation using the victim’s Windows hardware. Finally, the program also downloads an additional payload from its C2 (the command-and-control server directing its malicious activities): a data-pilfering program known as Umbral Stealer. This last program sets about stealing a whole bunch of stuff from your browser you really don’t want stolen — “passwords and cookies containing session tokens, cryptocurrency wallets, and credentials and authentication tokens for Discord, Minecraft, Roblox, and Telegram,” Bleeping Computer reports.

As always, it might be wise for gamers to avoid the shadier byways of the internet if they want to avoid a headache of epic proportions.