Once deleted, the dropped file establishes a connection to the C&C server and sends it systems information, registers the client, and receives the configuration for the Monero miner.
Then the executable terminates the “atom.exe” process and removes its associated file from the system. Then “atom.exe” initiates the execution of a scheduled task command that creates a new scheduled task entry that runs every 15 minutes without an end date. Upon executing SupremeBot (“atom.exe”), it creates a duplicate of itself and places the copy in a hidden folder in the installation directory of the game.
This sensitive information is then transferred to a Command and Control (C&C) server via the following URL API: “hxxp://shadowlegionduckdnsorg/nam/api/endpointphp”” “Concurrently, the malware gathers valuable data from the victim’s system, including computer name, username, GPU, CPU, and other relevant details. “When “java.exe” is executed, the malware establishes a connection with a mining server “gulfmonerooceanstream” to carry out cryptocurrency mining activities.” reads the report published by Cyble. However, an XMR (Monero) miner and a SupremeBot mining client are executed in the background. Once the software is successfully installed, a user interface is launched to play the Super Mario Forever game. While executing the file, an Installation Wizard is displayed to proceed with the installation of the “super-mario-forever-v7.02” program. Upon executing the “Super-Mario-Bros.exe” file, it drops the “super-mario-forever-v702e.exe” executable in the %appdata% directory and executes it.
The threat actors tampered with the NSIS installer file “Super-Mario-Bros.exe,” the resulting executable file includes three separate executables: “super-mario-forever-v702e.exe,” which is the legitimate Super Mario game application, along with the malicious executables named “java.exe” and “atom.exe,” as shown below. Mario Forever is a clone of the original Super Mario that attempts to recreate the classic Nintendo game very faithfully.
0 kommentar(er)
