Zcash Spurs Rash of Malicious Mining Software


Hackers are mining Zcash cryptocurrency surreptitiously on PCs infected with cleverly named programs such as system.exe, taskmngr.exe and svchost.exe.

Cybercriminals are targeting computers with malicious mining software thanks in part to the appeal of a new cryptocurrency called Zcash that claims to cloak the sender, the recipient and value of transactions.

That type of anonymity is not afforded by Bitcoin and is sought after by crooks, said Alexander Gostev, chief security expert with Kaspersky Lab’s Global Research and Analysis Team.

Making it even more enticing to cybercriminals is that Zcash (ZEC) mining is currently among the most profitable compared to mining other cryptocurrencies, Gostev wrote in a technical report on Zcash Monday. He estimates 1,000 computers can mine 20,000 hashes per second, earning $6,200 monthly or $75,000 yearly based on the current value of a ZEC.

Since its introduction on Oct. 28, Zcash has enjoyed support from major cryptocurrency exchanges and has been well received by investors. While Zcash has seen its value go from $30,000 for 1 ZEC to as little as $50, it remains a popular cryptocurrency for cybercriminals.

“We found approximately 1,000 unique users who have some version of the Zcash miner installed on their computers under a different name, which suggests these computers were infected without their owners’ knowledge,” wrote Gostev.

He said the mining software nheqminer is being surreptitiously installed on victims’ computers when end users download and install pirated software via torrents. But researchers warn it’s only a matter of time before cybercriminals get more aggressive about distribution and attempt to infect computers via mass-mailings or vulnerabilities in websites.

“All that cybercriminals need to do to start profiting from a mining program on infected computers is to launch it and provide details of their own bitcoin or Zcash wallets,” according to researchers. “After that, the ‘coin mining’ profit created by the pool will be credited to the cybercriminals’ addresses, from where it can be withdrawn and exchanged for US dollars or other cryptocurrencies.”

Mining software is cloaked on targeted computers by the attacker giving the program names of Windows applications such as diskmngr.exe, taskmngr.exe and svchost.exe. The mining software is set to launch each time a computer starts via modifications made to the computer’s Task Scheduler or auto-run registry keys.
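
As an added illustration (not code from Kaspersky's report or from this article), the triage check below flags image paths whose file name is a Windows binary name outside its expected folder, a near-miss of one, or one of the names the article lists. The folder allow-list, the function names and the sample paths are assumptions constructed for the example.

```python
import ntpath  # Windows path rules on any OS, so the check runs offline anywhere

# Assumption: default folders of the genuine Windows binaries.
SYS_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
SYSTEM_BINARIES = {"svchost.exe": SYS_DIRS, "taskmgr.exe": SYS_DIRS}
# Names the article lists that are not covered by the folder rule above.
REPORTED_NAMES = {"system.exe", "taskmngr.exe", "diskmngr.exe"}

def edit_distance(a, b):
    """Levenshtein distance, used to catch near-miss file names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_image(path):
    """Return why an image path looks like masquerading, or None."""
    folder, name = ntpath.split(ntpath.normcase(path))
    if name in SYSTEM_BINARIES:
        if folder in SYSTEM_BINARIES[name]:
            return None
        return "system binary name outside its expected folder"
    for real in SYSTEM_BINARIES:
        if edit_distance(name, real) <= 2:
            return "lookalike of " + real
    if name in REPORTED_NAMES:
        return "name listed in the article"
    return None

def triage(paths):
    """Map each suspicious image path to the reason it was flagged."""
    return {p: check_image(p) for p in paths if check_image(p)}

# Constructed sample: image paths from the process list, scheduled tasks and auto-run keys.
SAMPLE = [
    r"C:\Windows\System32\svchost.exe",
    r"C:\Users\bob\AppData\Roaming\svchost.exe",
    r"C:\ProgramData\taskmngr.exe",
    r"C:\Users\bob\AppData\Local\Temp\diskmngr.exe",
    r"C:\Program Files\Mozilla Firefox\firefox.exe",
]

if __name__ == "__main__":
    for path, reason in triage(SAMPLE).items():
        print(f"{reason}: {path}")
```

The check expects bare image paths, so command-line arguments in scheduled-task actions or Run values need to be stripped before they are passed in.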

According to Gostev, it might not be hard for victims to spot something has gone awry on their infected computer. “A mining program typically devours up to 90% of the system’s RAM, which dramatically slows down both the operating system and other applications running on the computer.”
