It's a Me, Ransomware! Super Mario Image Hides Malicious Code

Cybersecurity researchers have found new malware -- hidden in an innocent picture of Nintendo's lovable plumber Mario.

Credit: Nintendo

According to researchers at cybersecurity firm Bromium, the code targets only users in Italy.

Here's how it works. Targeted users receive an email pretending to be a payment notice, according to Bleeping Computer. Attached to the email is a spreadsheet containing the malicious command. When users open it, they are prompted to "enable edit" and "enable content," allowing the malware to modify the spreadsheet.

Credit: Bromium

If the program confirms that you're in Italy or use Italian as the primary language in Microsoft Office, it downloads an image of Mario and extracts, from some of the pixels, a PowerShell command (code that executes automated tasks within Windows) that downloads "various samples of GandCrab ransomware," according to the researchers.

GandCrab is a Trojan horse that encrypts files on an infected device and demands a ransom from the victim before it will decrypt them.

It's not clear yet who is behind these attacks. As Bromium notes, "the fictional Wario may be as likely to be responsible as any geopolitical actor."

This technique, known as steganography, hides data within images or other media files. Attacks that use it are becoming more common precisely because they're difficult for security programs to detect.
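A defender-side illustration of the point above, added here and not taken from Bromium's research or the original article: it triages pixel data for readable text hidden in the least-significant bits. The article does not say how the command was encoded, so the one-bit-per-RGB-channel layout, the function names and the sample pixels are all assumptions constructed for this example.

```python
import random

PRINTABLE = set(range(32, 127)) | {9, 10, 13}

def lsb_stream(pixels):
    """Least-significant bit of every channel, in pixel order (assumed layout)."""
    return [ch & 1 for px in pixels for ch in px]

def bits_to_bytes(bits):
    out = bytearray()
    for i in range(0, len(bits) - 7, 8):
        byte = 0
        for b in bits[i:i + 8]:          # most-significant bit first
            byte = (byte << 1) | b
        out.append(byte)
    return bytes(out)

def longest_printable_run(data):
    best_start = best_len = start = 0
    for i, b in enumerate(data + b"\x00"):   # sentinel closes a trailing run
        if b not in PRINTABLE:
            if i - start > best_len:
                best_start, best_len = start, i - start
            start = i + 1
    return data[best_start:best_start + best_len]

def find_hidden_text(pixels, min_run=24):
    """Longest readable run in the LSB plane at any bit offset, or None."""
    bits, best = lsb_stream(pixels), b""
    for offset in range(8):              # payload need not start on a byte boundary
        run = longest_printable_run(bits_to_bytes(bits[offset:]))
        if len(run) > len(best):
            best = run
    return best.decode("ascii") if len(best) >= min_run else None

def with_marker(pixels, text, start_pixel):
    """Build the constructed positive sample: write harmless text into LSBs."""
    flat = [ch for px in pixels for ch in px]
    pos = start_pixel * 3
    for byte in text.encode("ascii"):
        for i in range(7, -1, -1):
            flat[pos] = (flat[pos] & ~1) | ((byte >> i) & 1)
            pos += 1
    return [tuple(flat[i:i + 3]) for i in range(0, len(flat), 3)]

# Constructed inputs: seeded noise stands in for decoded image pixels.
_rng = random.Random(7)
CLEAN = [tuple(_rng.getrandbits(8) for _ in range(3)) for _ in range(2000)]
MARKER = "CONSTRUCTED SAMPLE TEXT, NOT A REAL COMMAND"
SUSPECT = with_marker(CLEAN, MARKER, start_pixel=101)
```

A payload that is encoded, compressed or encrypted before embedding produces no readable run, so a `None` result is a triage signal and not proof that an image is clean.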

This underscores the importance of caution around unexpected emails, even when you have a firewall. Never open attachments from sources you don't trust -- and certainly don't give anything mysterious the ability to modify your files.