Not-so-super Mario image hides code that downloads Ursnif trojan

News by Bradley Barth

Don't tell Luigi, but Nintendo video game hero Mario may have joined Bowser on the dark side.

Don’t tell Luigi, but Nintendo video game hero Mario may have joined Bowser on the dark side.

A malspam sample targeting Italy was recently observed using a steganographic image of Mario (of Super Mario fame) to hide malicious code designed to infect victims with the Ursnif banking trojan.

In an 8 February company blog postBromium researcher Matthew Rowen reports that the campaign involved spam emails containing Excel spreadsheet documents with embedded macros.

Upon execution, these macros download malicious code, but only after confirming that the victim is located in Italy. In such cases, the document delivers an obfuscated PowerShell script and downloads an image of Mario whose pixels contain additional script that ultimately enable the downloading of the final payload.

The Italy-based cyber-firm Yoroi identified this payload as Ursnif, aka Gozi.

Steganography is a technique used by malware developers to conceal malicious code inside images in order for it to go undetected. "Steganographic techniques such as using the low-bits from pixel values are clearly not new, but it’s rare that we see this kind of thing in malspam," says Rowen in his blog post. "It’s also pretty hard to defend against this kind of traffic at the firewall."

This article was originally published on SC Media US.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Webcasts and interviews 

Interview - Everyone has an Achilles heel: The new security paradigm

How can we defend networks now that the perimeter has all but disappeared?
Brought to you in partnership with ExtraHop