Not-so-super Mario image hides code that downloads Ursnif trojan

Don't tell Luigi, but Nintendo video game hero Mario may have joined Bowser on the dark side.

A malspam sample targeting Italy was recently observed using a steganographic image of Mario (of Super Mario fame) to hide malicious code designed to infect victims with the Ursnif banking trojan.

In a Feb. 8 company blog post, Bromium researcher Matthew Rowen reports that the campaign involved spam emails containing Excel spreadsheet documents with embedded macros.

Upon execution, these macros download malicious code, but only after confirming that the victim is located in Italy. In such cases, the document delivers an obfuscated PowerShell script and downloads an image of Mario whose pixels contain additional script that ultimately enable the downloading of the final payload.

The Italy-based cyber firm Yoroi identified this payload as Ursnif, aka Gozi.

Steganography is a technique used by malware developers to conceal malicious code inside images in order for it to go undetected. "Steganographic techniques such as using the low-bits from pixel values are clearly not new, but it’s rare that we see this kind of thing in malspam," says Rowen in his blog post. "It’s also pretty hard to defend against this kind of traffic at the firewall."