Is your slow computer earning Zcash for cybercriminals?


Does your CPU usage climb even when you are doing practically nothing, or only running a light application? There is a fair chance that unwanted software is running on your computer.

The good news is that this kind of unwanted software is relatively harmless: it does not damage the files on your machine. The bad news is that it keeps your computer busy mining cryptocurrency, and a cybercriminal gets richer in the process while you pay for it: higher power bills, extra wear and repair costs, reduced performance, and the internet bandwidth your ISP bills you for.

In other words, a miner that exploits your computer and its resources not only burns a hole in your pocket but also leaves you with a sluggish, frustrating computing and browsing experience.

Cryptocurrency mining on the PC: should anyone still bother?

As mining difficulty has risen, the cryptocurrency mining business has become ever more complex and now involves high-end, very expensive mining hardware. The arrival of the Zcash (ZEC) cryptocurrency changed that picture: Zcash mining looks profitable again, especially if you are using other people's computers, electricity and internet connections. Kaspersky Lab's Alexander Gostev points out that the release of Zcash generated a great deal of excitement and interest, because it offered anonymity that Bitcoin does not.


As a result its price shot up to as much as $30,000 for 1 ZEC before crashing significantly. Despite that drop, mining ZEC remains more profitable than mining most other cryptocurrencies.

According to Kaspersky Lab, in November 2016 it observed cases where Zcash mining software was installed on user machines without the owner's consent.

The mining software itself is not technically malicious, so it does not raise a red flag in most anti-malware products: at best it is classed as riskware, or a potentially unwanted program (PUP), a category that many products do not block unless the user enables it. Kaspersky Lab products, for example, detect it as not-a-virus:RiskTool.Win64.BitCoinMiner. Kaspersky Lab also reports that it has seen no mass mailings and no exploitation of website vulnerabilities being used to distribute the mining software.

So how are computers being infected? So far, the people behind this have been hiding the mining software inside legitimate software and making the bundles available via torrents.

Gostev explains the cybercriminals' modus operandi. Their mining software of choice is nheqminer, which lets the user get paid in either Bitcoin or Zcash. The following tell-tale signs indicate that a computer has been infested with a miner.

I) Mining is a power-guzzling operation, so the user would notice power usage, and therefore the power bill, going up.

II) Mining is a RAM-intensive process. When the Zcash miner takes up the majority of the RAM, other programs and the computer as a whole slow down.

III) The miner can be hidden on a user's computer under different file names. It has been found under the following names and locations:
  • diskmngr.exe
  • mssys.exe
  • C:\system\taskmngr.exe
  • system.exe
  • nsdiag.exe
  • taskmngr.exe
  • svchost.exe
  • C:\Users\[username]\AppData\Roaming\MetaData\mdls\windlw\mDir_r\rhost.exe
  • qzwzfx.exe
  • C:\Users\[username]\AppData\Local\Temp\afolder\mscor.exe
  • C:\Program Files\Common Files\nheqminer64.exe
  • C:\Windows\Logs\Logsfiles64\conhost.exe
  • apupd.exe

IV) Readers may notice that many of the miners' names are identical or near-identical to those of legitimate Windows programs; the difference is the installation location. A typical example is the Windows Task Manager (taskmgr.exe) look-alike.

The legitimate program lives in the system folder C:\Windows\System32, whereas the miner version is found at C:\system.


V) The installation of the miner can also be detected by looking for the modifications that make it start every time the system boots. The following entries are added to the Task Scheduler or to the registry auto-run keys, and may show up as:

Task Scheduler\Microsoft\Windows Defender\Mine

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Miner

The miner binaries themselves were downloaded from URLs such as:

http://execsuccessnow [.]com/wp-includes/m/nheqminer.exe

https://a.pomf [.]Cat/qzwzfx.exe

VI) Look for these extra DLL files.

Running the Zcash miner requires a handful of DLL files. Their presence on a machine can help detect the miner. Note that msvcp120.dll and msvcr120.dll are the Visual C++ 2013 runtime and ship with many legitimate programs, and cudart64_80.dll is the CUDA 8.0 runtime, so on their own these prove nothing; the cpu_tromp_* and cuda_tromp DLLs are the Equihash solver libraries the miner uses and are the stronger indicator.

  • cpu_tromp_AVX.dll
  • cpu_tromp_SSE2.dll
  • cudart64_80.dll
  • cuda_tromp.dll
  • logsetuplib.dll
  • msvcp120.dll
  • msvcr120.dll
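The indicators in items III to VI above can be checked from an elevated PowerShell prompt. The following script is an added example written for this page, not Kaspersky Lab's or the nheqminer project's code. It uses only the file names, paths, task and registry names and DLLs listed in the article; the list of legitimate system directories, the disk roots it searches and the per-user path expansion are my own assumptions. It is read-only: it reports findings and deletes nothing.

```powershell
# Added example: read-only triage of a Windows host for the Zcash miner
# indicators listed in the article. Requires Windows 8 / Server 2012 or later
# for Get-ScheduledTask (assumption). Run elevated to see all processes.

# File names the miner has been seen using (item III)
$iocNames = @('diskmngr.exe','mssys.exe','taskmngr.exe','system.exe','nsdiag.exe',
              'svchost.exe','rhost.exe','qzwzfx.exe','mscor.exe','nheqminer64.exe',
              'conhost.exe','apupd.exe')

# Solver DLLs (item VI). msvcp120/msvcr120 are deliberately left out: they are
# the VC++ 2013 runtime and far too common to be useful on their own.
$iocDlls = @('cpu_tromp_AVX.dll','cpu_tromp_SSE2.dll','cudart64_80.dll',
             'cuda_tromp.dll','logsetuplib.dll')

# Absolute drop locations from the article
$iocPaths = @('C:\system\taskmngr.exe',
              'C:\Program Files\Common Files\nheqminer64.exe',
              'C:\Windows\Logs\Logsfiles64\conhost.exe')

# Per-user drop locations, expanded for every profile under C:\Users (assumption)
$userRelPaths = @('AppData\Roaming\MetaData\mdls\windlw\mDir_r\rhost.exe',
                  'AppData\Local\Temp\afolder\mscor.exe')

# Directories where a process with one of those names is expected to live (assumption)
$legitDirs = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64")

$findings = New-Object System.Collections.Generic.List[string]

# 1) Known file paths
foreach ($p in $iocPaths) {
    if (Test-Path -LiteralPath $p) { $findings.Add("file: $p") }
}
foreach ($userDir in Get-ChildItem 'C:\Users' -Directory -ErrorAction SilentlyContinue) {
    foreach ($rel in $userRelPaths) {
        $p = Join-Path $userDir.FullName $rel
        if (Test-Path -LiteralPath $p) { $findings.Add("file: $p") }
    }
}

# 2) Running processes: IOC name, but image loaded from outside System32 (item IV)
foreach ($proc in Get-Process -ErrorAction SilentlyContinue) {
    $path = $proc.Path
    if (-not $path) { continue }                 # protected/system processes expose no path
    $name = [IO.Path]::GetFileName($path)
    if ($iocNames -contains $name) {
        $dir = [IO.Path]::GetDirectoryName($path)
        if ($legitDirs -notcontains $dir) {
            $findings.Add("process: $name (PID $($proc.Id)) running from $dir")
        }
    }
}

# 3) Persistence: the 'Mine' task under \Microsoft\Windows Defender\ and Run keys (item V)
Get-ScheduledTask -ErrorAction SilentlyContinue |
    Where-Object { $_.TaskPath -like '\Microsoft\Windows Defender\*' -and $_.TaskName -eq 'Mine' } |
    ForEach-Object { $findings.Add("task: $($_.TaskPath)$($_.TaskName)") }

foreach ($hive in 'HKLM','HKCU') {
    $key = "${hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($prop in $props.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, ...
        $val = [string]$prop.Value
        $hit = ($prop.Name -eq 'Miner') -or ($iocNames | Where-Object { $val -like "*$_*" })
        if ($hit) { $findings.Add("autorun: $key\$($prop.Name) = $val") }
    }
}

# 4) Solver DLLs under the usual drop roots (assumption; a full-disk search is slower)
$roots = @('C:\Users','C:\Program Files','C:\Program Files (x86)','C:\system')
Get-ChildItem -Path $roots -Recurse -File -Include $iocDlls -ErrorAction SilentlyContinue |
    ForEach-Object { $findings.Add("dll: $($_.FullName)") }

# 5) Context for items I/II: the heaviest CPU consumers right now
$topCpu = Get-Process | Sort-Object CPU -Descending |
    Select-Object -First 5 Name, Id, CPU, @{n='RAM_MB';e={[int]($_.WorkingSet64/1MB)}}

if ($findings.Count -eq 0) {
    Write-Output 'No miner indicators from the article were found.'
} else {
    Write-Output "Found $($findings.Count) indicator(s):"
    $findings | ForEach-Object { Write-Output "  $_" }
}
Write-Output 'Top CPU consumers (check any unfamiliar name against the list above):'
$topCpu | Format-Table -AutoSize
```

A hit on a file path or on the Windows Defender\Mine task is close to conclusive; a hit only on the DLL search deserves a look at the folder it came from before anything is deleted, because the CUDA and VC++ runtimes turn up next to plenty of legitimate GPU software.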

So how do the Cybercriminals make money with this mining process?

The cybercriminals start earning as soon as the miner is started with their own Zcash address entered as the payout address. Kaspersky Lab detected about 1,000 unique users with some version of the Zcash miner installed on their machines, under a variety of different file names, which suggests that these installations happened without the owners' knowledge or consent.

Profitability calculation from the cybercriminals' side: an average computer can mine about 20 hashes per second.

A thousand infected machines therefore add up to 20 × 1000 = 20,000 hashes per second.

At Zcash prices this translates to roughly $6,200 a month, or about $75,000 a year in profit, because the cost of the hardware, electricity and internet connection is borne by the unsuspecting computer users.

How can a user protect his computer against this mining malware?

To prevent the installation of mining programs, Kaspersky Lab recommends that users check their security products and make sure that detection of unwanted software (riskware/PUP) is enabled, since a miner classed as not-a-virus is otherwise left alone.


Users without a Kaspersky Lab product can manually check for the anomalies, persistence entries and extra files described in the indicators above and remove them.
