Malicious actors are leveraging the current number 1 box office movie, Super Mario Bros., to distribute malware. ReasonLabs researchers discovered multiple files downloaded to its users’ devices which were supposed to be Super Mario Bros. but were instead files distributing malicious software.
The malicious software, a Trojan virus, installs a web extension that hijacks the user’s search function in order for the cyber attacker to receive monetary gain or steal sensitive information. The cyber attacker distributing this Trojan virus has leveraged trending movies and software in the past, which we recently detailed in our film piracy report, in order to reach a wide base of users.
While the Trojan is one of the most widespread malicious extensions distributed today, this is the first time it has been discovered leveraging Super Mario Bros. We’ve been tracking the distributed files for quite some time and first identified them leveraging the movie on April 30th, right after millions viewed the film on Twitter.
File Names
- c:\users\user\downloads\the super mario bros moviehd.exe
- c:\users\user\downloads\the super mario bros moviecam.exe
How The Trojan Affects Users
Browser hijacking changes the settings of a user’s web browser without their consent. Hijackers usually change the user’s homepage or default search engine. They might also install unwanted applications or add-ons. The objective of a browser hijacker is often to redirect a user’s searches to a different engine or to display unwanted ads, which in turn can generate a profit for the cyber attacker.
The malicious extension hijacks users’ web search functions by giving itself numerous sensitive browser permissions. Because it’s a local extension, it can’t be removed from the Google Chrome Web Store. Moreover, it’s not supervised or inspected by the Google Chrome Web Store team and is therefore not bound by security restrictions.
The Trojan replaces the primary browser DLLs to control the default search bar and injects its own DLL by writing to the AppInit registry key. We can also infer that because of the wide effort put into the distribution of the Trojan and the evasion techniques used by the attacker, the extension may execute further actions after an update or a period of time.
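A defender-side check for the AppInit persistence described above, as an added example that is not from ReasonLabs or the original article: it reads the AppInit values in both the 64-bit and 32-bit registry views and reports each listed DLL with its Authenticode status. The registry path and value names are the standard Windows ones, which is an assumption about which "AppInit registry key" the article means; the function name is hypothetical.

```powershell
# Added example: audit the AppInit_DLLs load mechanism on a Windows host.
# Assumption: the article's "AppInit registry key" is the standard location below.
function Get-AppInitAudit {
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
    )
    foreach ($key in $keys) {
        $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $p) { continue }   # key absent (e.g. no WOW6432Node on 32-bit Windows)

        $load   = ($p.LoadAppInit_DLLs -eq 1)            # 1 = AppInit loading enabled
        $signed = ($p.RequireSignedAppInit_DLLs -eq 1)   # 1 = only signed DLLs are loaded

        # AppInit_DLLs is a space- or comma-delimited list of DLL names or paths.
        $dlls = @("$($p.AppInit_DLLs)" -split '[,\s]+' | Where-Object { $_ })
        if ($dlls.Count -eq 0) {
            [pscustomobject]@{ Key = $key; Dll = '(none)'; LoadEnabled = $load
                               RequireSigned = $signed; Signature = 'n/a'; Review = $false }
            continue
        }
        foreach ($dll in $dlls) {
            $path = [Environment]::ExpandEnvironmentVariables($dll)
            if (-not [IO.Path]::IsPathRooted($path)) {
                # Bare file names are resolved by the loader's search order; check by hand.
                $status = 'NotFullPath'
            } elseif (-not (Test-Path -LiteralPath $path -PathType Leaf)) {
                $status = 'FileNotFound'
            } else {
                $status = (Get-AuthenticodeSignature -FilePath $path).Status.ToString()
            }
            # Any listed DLL without a valid signature deserves a manual look.
            [pscustomobject]@{ Key = $key; Dll = $dll; LoadEnabled = $load
                               RequireSigned = $signed; Signature = $status
                               Review = ($status -ne 'Valid') }
        }
    }
}

Get-AppInitAudit | Format-Table -AutoSize
```

On a clean system both views normally report `(none)`; a populated list with `LoadEnabled` set to true means every process that loads user32.dll also loads those DLLs.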
Millions Affected Globally
ReasonLabs researchers have discovered this Trojan virus more than 150,000 times in the wild. Outside of ReasonLabs users, there are seemingly millions of affected users around the world. The RAV Endpoint Support team has come across users requesting help on how to remove the recurring malicious extension on various online forums such as Microsoft Answers, Bleeping Computer, Reddit, and Google support.
Trojan Technical Deep Dive
A detailed technical breakdown of how the Trojan functions can be found in the recently published ReasonLabs film piracy report under the ‘Search Hijacker Extension’ section.
How Users Can Protect Themselves
There are many tools available that home users can leverage to protect themselves online. These include not only physical and digital products but also, arguably most importantly, education.
Cyber education by security companies and antivirus providers is essential to reducing vulnerabilities and the success rate of attacks. With RAV Endpoint protection, a DNS filter, VPN, and EDR, individuals can get the same level of protection as the world’s largest organizations.