Rewterz Threat Alert -Malware Campaign Hides Ransomware in Super Mario Wrapper

Monday, February 11, 2019




Cyber Crime

Analysis Summary

Experts have discovered an apparently benign Mario graphic package that uses steganography to conceal the malicious code for GrandCrab ransomware. The campaign is being run in Italy at the moment but experts believe that it’s soon going to spread to other countries as well. Initially, targets receive an excel sheet via email that won’t open online and requires the user to enable edit and enable content. Once the content is enabled, its macros will be triggered that check if the computer is configured to use the Italy region. If not, it will exit the spreadsheet and nothing else happens. Otherwise, a Mario image is downloaded as shown below:

The image hides malicious code using steganography, in conjunction with heavily obfuscated Microsoft PowerShell commands that attackers have hidden within the color channels of blue and green pixels. This technique makes the threat hard to be detected by firewall and other defense systems. Experts were able to download the samples from the address in the de-obfuscated Powershell, including from an Italy-based VPN, and discovered several samples of the Gandcrab ransomware.

When the malware detonates, the usual macro-based launch of cmd.exe and PowerShell with obfuscated arguments is seen.

The decoded image looks like this:

Another large string (base64 encoded) is then observed which is sliced/diced into 40 parts. This can be reassembled:

As researchers further analyzed the codes, multiple layers of still more mildly obfuscated PowerShell were found.

On successful infection by the GrandCrab ransomware, files on the targeted machine are encrypted and the following ransom note is found on the device.


Ransomware infection

Files encryption

Indicators of Compromise




Malware Hash (MD5/SHA1/SH256)

3849381059d9e8bbcc59c253d2cbe1c92f7e1f1992b752d396e349892f2bb0e7 2726cd6796774521d03a5f949e10707424800882955686c886d944d2b2a61e0 0c8c27f06a0acb976b8f12ff6749497d4ce1f7a98c2a161b0a9eb956e6955362 ec2a7e8da04bc4e60652d6f7cc2d41ec68ff900d39fc244cc3b5a29c42acb7a4 630b6f15c770716268c539c5558152168004657beee740e73ee9966d6de1753f


Block the threat indicators at their respective controls.

Strictly avoid downloading and opening document files received via unexpected emails.

Data Sheets

Corporate Brochure

Our Story



Managed Security

Upcoming Rewterz Trainings/Events

Rewterz News

  • 2, May 2019 Rewterz Threat Advisory – CVE-2019-2725 – WebLogic Server Vulnerability
  • 11, April 2019 Rewterz threat Advisory – Microsoft Internet Explorer Multiple Vulnerabilities
  • 11, April 2019 Rewterz Threat Advisory – Microsoft SharePoint Multiple Products Multiple Script Insertion Vulnerabilities
  • 11, April 2019 Rewterz Threat Advisory – Microsoft Exchange Server OWA Multiple Spoofing Vulnerabilities

Copyright © Rewterz. All rights reserved.