

The threat actors tampered with the NSIS installer file “Super-Mario-Bros.exe”; the resulting executable file includes three separate executables: “super-mario-forever-v702e.exe,” which is the legitimate Super Mario game application, along with the malicious executables named “java.exe” and “atom.exe,” as shown below. Upon executing the “Super-Mario-Bros.exe” file, it drops the “super-mario-forever-v702e.exe” executable in the %appdata% directory and executes it. While executing the file, an Installation Wizard is displayed to proceed with the installation of the “super-mario-forever-v7.02” program. Once the software is successfully installed, a user interface is launched to play the Super Mario Forever game. However, an XMR (Monero) miner and a SupremeBot mining client are executed in the background. “When ‘java.exe’ is executed, the malware establishes a connection with a mining server ‘gulfmonerooceanstream’ to carry out cryptocurrency mining activities. Concurrently, the malware gathers valuable data from the victim’s system, including computer name, username, GPU, CPU, and other relevant details,” reads the report published by Cyble.
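The behaviour described above gives a defender two things to hunt for: the miner binaries (“java.exe”, “atom.exe”) running from the user’s %appdata% profile or as children of the game/installer processes, and DNS lookups for the mining server string. The script below is an added illustration of that triage logic, not code from the article or from Cyble’s report. The log format (JSON records with `event`, `image`, `parent` and `query` fields) and every sample record are constructed for the example; the full mining-pool domain is not given on the page, so a placeholder under `.example` stands in for it.

```python
"""
Triage helper (added example): flags process-creation and DNS records that match
the trojanized Super Mario Forever installer behaviour described in the write-up.

Assumed (not from the page): a Sysmon-like JSON record shape
  {"event": "process", "image": "<path>", "parent": "<path>"}
  {"event": "dns", "query": "<hostname>"}
"""
import json
import ntpath
import re

# Indicators taken from the write-up.
MALICIOUS_NAMES = {"java.exe", "atom.exe"}
DROPPER_PARENTS = {"super-mario-bros.exe", "super-mario-forever-v702e.exe"}
POOL_HOST_FRAGMENT = "gulfmonerooceanstream"

# A legitimate JRE normally lives under Program Files; java.exe launched from the
# user-writable roaming profile (%appdata%) is the suspicious part, not the name.
APPDATA_RE = re.compile(r"\\users\\[^\\]+\\appdata\\roaming\\", re.IGNORECASE)


def is_suspicious_process(image: str, parent: str) -> bool:
    """True when a miner-named binary runs from %appdata% or under the dropper."""
    name = ntpath.basename(image).lower()
    if name not in MALICIOUS_NAMES:
        return False
    in_appdata = bool(APPDATA_RE.search(image))
    spawned_by_dropper = ntpath.basename(parent).lower() in DROPPER_PARENTS
    return in_appdata or spawned_by_dropper


def is_suspicious_dns(query: str) -> bool:
    """True when the queried name contains the mining-server string."""
    return POOL_HOST_FRAGMENT in query.lower()


def triage(lines):
    """Return (reason, record) tuples for every log line that matches an indicator."""
    hits = []
    for line in lines:
        rec = json.loads(line)
        if rec.get("event") == "process" and is_suspicious_process(
            rec["image"], rec.get("parent", "")
        ):
            hits.append(("dropped-binary-execution", rec))
        elif rec.get("event") == "dns" and is_suspicious_dns(rec["query"]):
            hits.append(("mining-pool-lookup", rec))
    return hits


# Constructed sample telemetry for the example; not real captures.
SAMPLE_LOG = [
    json.dumps({"event": "process",
                "image": r"C:\Users\alice\Downloads\Super-Mario-Bros.exe",
                "parent": r"C:\Windows\explorer.exe"}),
    json.dumps({"event": "process",
                "image": r"C:\Users\alice\AppData\Roaming\super-mario-forever-v702e.exe",
                "parent": r"C:\Users\alice\Downloads\Super-Mario-Bros.exe"}),
    # miner binary dropped beside the game under %appdata%
    json.dumps({"event": "process",
                "image": r"C:\Users\alice\AppData\Roaming\java.exe",
                "parent": r"C:\Users\alice\AppData\Roaming\super-mario-forever-v702e.exe"}),
    # second miner component: not under Roaming, but spawned by the game process
    json.dumps({"event": "process",
                "image": r"C:\Users\alice\AppData\Local\Temp\atom.exe",
                "parent": r"C:\Users\alice\AppData\Roaming\super-mario-forever-v702e.exe"}),
    # benign JRE launch that must NOT be flagged
    json.dumps({"event": "process",
                "image": r"C:\Program Files\Java\jre-17\bin\java.exe",
                "parent": r"C:\Windows\explorer.exe"}),
    # placeholder domain: the page gives only the server string, not the full name
    json.dumps({"event": "dns", "query": "gulfmonerooceanstream.example"}),
    json.dumps({"event": "dns", "query": "update.example.com"}),
]

if __name__ == "__main__":
    for reason, rec in triage(SAMPLE_LOG):
        print(f"{reason}: {rec}")
```

Running it flags the two miner launches and the pool lookup while leaving the Program Files java.exe and the unrelated DNS query alone. File names are weak indicators on their own, which is why the process rule requires the %appdata% location or the dropper parent as well; in production the same logic would be fed from EDR or Sysmon telemetry rather than the inline sample.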


Mario Forever is a clone of the original Super Mario that attempts to recreate the classic Nintendo game very faithfully.
