
This modified Super Mario image hides ransomware payload inside

  • Malicious PowerShell commands are encoded in the pixel data of the Super Mario image.
  • When executed, they download ransomware such as GandCrab, along with other malware, onto the system.

A malware campaign uncovered by a researcher showed a Super Mario image sheltering malicious PowerShell commands.

When these commands are executed, ransomware such as GandCrab gets downloaded onto the affected system. Matthew Rowen and Tim Howes, security researchers at Bromium, came across this file while analyzing a malware sample from a spreadsheet attached to a spam email.

Malicious Mario

After the spreadsheet was examined, it was found to contain the usual macro, which executes cmd.exe and runs PowerShell with obfuscated arguments. Interestingly, however, the researcher duo noticed a part of the PowerShell code that downloads an image and extracts data from the image’s pixels. When the image was pulled, it turned out to be the Super Mario image shown below.

Image Source: Bromium

When the PowerShell code was de-obfuscated, it revealed the bitwise operations going on in the background.

“A manual re-shuffle to de-obfuscate the code and you can see more clearly the bitwise operation on the blue and green pixels. Since only the lower 4 bits of blue and green have been used, this won’t make a big difference to the image when looked at by a human, but it is quite trivial to hide some code within,” read the researchers’ blog.
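The extraction step the researchers describe, as an added analyst-side example (not Bromium's code and not the campaign's own script): it rebuilds one byte per pixel from the low 4 bits of the green and blue channels and applies a simple printable-text heuristic to decide whether an image's low nibbles carry script rather than ordinary image noise. The nibble order (green high, blue low), the pixel layout and the sample message are assumptions constructed for the example.

```python
# Added example: recover bytes hidden in the low 4 bits of the G and B channels
# of an RGB image. Assumed scheme: green holds the high nibble, blue the low nibble.
from typing import List, Tuple

Pixel = Tuple[int, int, int]  # (R, G, B), each 0-255


def extract_low_nibbles(pixels: List[Pixel]) -> bytes:
    """Rebuild one byte per pixel from the low 4 bits of G (high) and B (low)."""
    out = bytearray()
    for _r, g, b in pixels:
        out.append(((g & 0x0F) << 4) | (b & 0x0F))
    return bytes(out)


def looks_like_script(data: bytes, threshold: float = 0.95) -> bool:
    """Heuristic for triage: hidden code is almost entirely printable ASCII, while
    the low nibbles of a real photo decode to high-entropy, mostly unprintable bytes."""
    if not data:
        return False
    printable = sum(1 for c in data if 32 <= c < 127 or c in b"\r\n\t")
    return printable / len(data) >= threshold


def build_sample_image(message: bytes, width: int = 8) -> List[Pixel]:
    """Constructed test fixture: a flat grey cover image whose G/B low nibbles carry
    `message`, one byte per pixel, zero-padded to complete the last row."""
    rows = -(-len(message) // width)  # ceiling division
    padded = message.ljust(rows * width, b"\x00")
    pixels = []
    for byte in padded:
        g = 0x80 | (byte >> 4)    # top 4 bits of the cover value are left untouched
        b = 0x80 | (byte & 0x0F)
        pixels.append((0x80, g, b))
    return pixels


def recover_script(pixels: List[Pixel]) -> str:
    """Extract the hidden bytes, drop padding and decode the text for de-obfuscation."""
    return extract_low_nibbles(pixels).rstrip(b"\x00").decode("ascii", errors="replace")


if __name__ == "__main__":
    img = build_sample_image(b"Write-Host 'constructed sample'")
    hidden = extract_low_nibbles(img).rstrip(b"\x00")
    print(looks_like_script(hidden), recover_script(img))
```

Because the scheme leaves the top 4 bits of each channel untouched, the recovered bytes are independent of the cover image's visible content, which is why the Mario picture still looks normal to a human viewer.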

Upon manipulating the code further, the researchers found an even more heavily obfuscated PowerShell script. The code was actually a very large base64-encoded string split into forty parts.

Reassembling these parts yields a final version of the obfuscated PowerShell code, which, when executed, begins downloading malware. Furthermore, the behaviour of this image-based spam appeared to depend on the region in which the affected systems were located.
