Mario Forever contains crypto malware – my quest for a clean version

Security experts from Cyble have detected malware in Super Mario 3: Mario Forever. Or rather in a manipulated type of version 702e. It’s about three years old and also the latest version of the game.

Mario Forever was originally developed by Buziol Games in 2003. So it wasn’t made by Nintendo. Rather, it’s an homage to Super Mario Bros. 3 on the NES. Several original game elements were included to give players that NES feeling. The free game has been downloaded and played millions of times. I also want to play it. Just minus the malware. So how do I go about this?

Where did the contaminated version come from?

Cyble assumes it was distributed via gaming forums, social media groups or malvertising in general. The installer’s called «super-mario-forever7092e.exe». The file also contains the malware. Of course, it’s not called «EvilMalware.exe», but has an unsuspicious name that fits the game.

As a general rule, you should be cautious when downloading files. A version of 702e that’s been tampered with has now been discovered. This doesn’t mean all other versions of the game are free from malware. The game’s available for download on dozens of forums as well as from third-party suppliers. Even if you search for the game on Google, the software may be compromised.

What does the malware do?

Cyble’s detected malicious software in the game installer package. One of them is the programme SupremeBot – a mining client that mines for the cryptocurrency Monero on infected computers. The tool connects to the mining server and transfers the coins to it. This mining process requires a lot of resources. So if your system load is huge for no reason, this could be an indicator.

The tool’s clever. First, it duplicates itself. After that, the copy hides in the Windows App Data folder, where it becomes hard to detect. The original deletes itself. After that, SupremeBot runs every 15 minutes. It uses a different, inconspicuous process name every time. By doing so, the malware is hiding both from you and any protection programs you might have. Last but not least, a malware called Umbral follows suit. This so-called stealer will fly under your Windows Defender’s radar under certain circumstances. This is because the process is smuggled into Defender’s list of exceptions by the SupremeBot. Currently, it’s still unclear which virus scanners detect the file and which don’t.

This program steals data from your PC. It also provides SupremeBot information about your cryptowallets. According to Cyble, the malware can take screenshots, record webcam images and extract passwords and cookies from the browser. Even Discord tokens and Telegram login credentials aren’t safe from being tapped into.

Moreover, the malware’s capable of modifying the host file. This can prevent access to certain antivirus websites. It simply redirects the domain name to IP 0.0.0.0.

Am I affected?

It remains unclear how the malware-spiked game versions have been circulating. As is how many versions of them are out there. Or which channels they’re being offered on. The game’s old and available for free, so there are many third-party providers.

To find out if you’ve installed an infected version, follow these steps:

1. Check if the installer produced any additional .EXE files or shortcuts after it was run. Be sure to delete these.
2. Have you executed all these EXE files? Then check your CPU load. Is it unusually high? In that case it’s possible your PC is mining. This means you need to look for suspicious processes.
3. Check your Appdata folder (C:\Users\Username\Appdata). Sort the files by date and see if a file was slipped in at the time you installed the game. Can you spot any of the following three files: Java.exe, Atom.exe or wime.exe? That’s bad news. Delete it.

And remember to keep Windows and your virus scanner up to date.

I’ve been infected! What should I do?

If Umbral is detected by your virus scanner, you should delete it (your virus scanner will give you this option). As it grabs data from your browser, you should change passwords you use to access services. At least, if you’ve saved them in your browser. Also make sure to change access data to Discord or Telegram. The same applies if you get a notification from your firewall. If you see that attempts were made to connect to C2 servers called «shadowlegion» or «silent legion», your alarm bells should be going off. C2 stands for Command-and-Control-Infrastructure – a collection of tools an infected device uses to communicate with the platform from which the attack was launched. If the malware on your computer needs additional software, it will download it this way.

Where can I get the game minus the nasty surprise?

As mentioned earlier, the latest version of the game’s already three years old and hasn’t been worked on since then. A manipulated variant of this exact version was found on the net. Sure, shady forums and social media groups aren’t your most reliable sources. That’s why I want to present you with a safe source. To find one, I set up a virtual machine, install Windows 11 and get Super Mario 3: Mario Forever. I download it from the website of the distributor Softendo.

I start the setup and Windows asks me if I really want to install an app from an unknown publisher. Indeed, neither Softendo nor Buziol Games are showing up. But this does happen occasionally with older software. Still, this doesn’t exactly inspire confidence.

The setup ends and generates a shortcut on my desktop. I wasn’t asked. I double-click and a window opens. There’s a Play Game button, but also one that strongly recommends downloading others. I want to play and select a gaming style (OLD TV NES). The game doesn’t start. Instead, another start screen appears. There’s a Start Game button, and yet another recommendation for a different Mario fan game. I start the game. The level begins.

The game’s sluggish and buggy. It reminds me of my first attempts at Java when I was still an apprentice. My commands are either not executed or delayed. This could be down to my lacking talent. But even after three tries, I fail to complete the level.

The fan on my 2021 laptop sounds like a helicopter. A look at the Task Manager reveals that the Softendo program is a real CPU hog. I close the task and the game. Then I discover a second shortcut on my desktop. One that wasn’t there after the setup was completed. Strange.

I upload the EXE file of the game to Virustotal.com. Virustotal is a free online service that scans programs on demand with dozens of virus scanners. Ta-da, a dropper’s crept in. Droppers «help» spread and install malware. So-called non-persistent droppers can even remove themselves after the malware’s been installed. Persistent droppers clone themselves and hide. Antivirus programs can also be blocked and signatures bypassed. In short, a dropper isn’t something you want on your system.

I delete the entire virtual machine.

My verdict

Unfortunately, my current conclusion is: give Mario Forever a miss. If the official distributor website even has versions that include droppers, you’re playing Russian roulette. Your changes of winning? Not great. If you have a Nintendo Switch and a Nintendo Switch Online subscription, dozens of classics are available to you for free anyway. They’re more fun and not as buggy.