Research

Zcash, or the return of malicious miners

On 28 October, the cryptocurrency world saw the emergence of a new player, the Zcash (ZEC) cryptocurrency. Its developers have described it rather figuratively: “If Bitcoin is like HTTP for money, Zcash is HTTPS.” They continue by noting that “unlike Bitcoin, Zcash transactions can be shielded to hide the sender, the recipient and value of all transactions.”

The cryptocurrency market has been looking for this level of anonymity for a while now, so ZEC has attracted considerable interest from investors, miners and cybercriminals alike. Several major cryptocurrency exchanges were quick to offer support for the new currency.

Zcash got off to a flying start; within the first few hours, 1 ZEC reached $30,000. It should be pointed out, however, that there were only a few dozen coins in existence at that time, so the actual turnover was very low.

In the following days, ZEC’s value steadily declined against Bitcoin. At the time of writing, it had leveled out temporarily at 0.07 – 0.01 ZEC/BTC (around $70). Despite this dramatic drop from the initial values (which was anticipated), Zcash mining remains among the most profitable compared to other cryptocurrencies.

Zcash, or the return of malicious miners

Ranking of cryptocurrency mining profitability, as reported by the CoinWarz website

This has led to the revival of a particular type of cybercriminal activity – the creation of botnets for mining. A few years ago, botnets were created for bitcoin mining, but the business all but died out after it became only marginally profitable.

In November, we recorded several incidents where Zcash mining software was installed on users’ computers without permission. Because these software programs are not malicious in themselves, most anti-malware programs do not react to them, or detect them as potentially unwanted programs (PUP). Kaspersky Lab products detect them as not-a-virus:RiskTool.Win64.BitCoinMiner.

Cybercriminals use rather conventional ways to distribute mining software – they are installed under the guise of other legitimate programs, such as pirated software distributed via torrents. So far, we have not seen any cases of mass-mailings or vulnerabilities in websites being exploited to distribute mining software; however, provided mining remains as profitable as it is now, this is only a matter of time. The software can also be installed on computers that were infected earlier and became part of a for-rent botnet.

The most popular mining software to date is nheqminer from the mining pool Micemash. It has two known variations: one earns payments in bitcoins, the other in Zcash. Both are detected by Kaspersky Lab products, with the respective verdicts not-a-virus:RiskTool.Win64.BitCoinMiner.bez and not-a-virus:RiskTool.Win64.BitCoinMiner.bfa.

Zcash, or the return of malicious miners

All that cybercriminals need to do to start profiting from a mining program on infected computers is to launch it and provide details of their own bitcoin or Zcash wallets. After that, the “coin mining” profit created by the pool will be credited to the cybercriminals’ addresses, from where it can be withdrawn and exchanged for US dollars or other cryptocurrencies. This is what allows us to ‘snoop’ on some of the wallets used by cybercriminals. Here’s just one example:

Zcash, or the return of malicious miners

Using a wallet’s address, we can find out how much money arrived and from which source (i.e. the mining pool) (https://explorer.zcha.in/accounts/t1eVeeBYfPPLgonvi1zk8e9SnrhZdoCBAeM)

Zcash, or the return of malicious miners

We see that the address was created on 31 October, just a couple of days after Zcash launched, and payments are still being made to it at the current time. You may be wondering what happened to the promised anonymity. Actually, there are two types of wallets in Zcash: completely private purses (z-address) and public wallets like that shown above (t-address). At the current time, the completely private wallets are not very popular (they are not supported by exchanges), and are only used to store around 1% of all existing Zcash coins.

We found approximately 1,000 unique users who have some version of the Zcash miner installed on their computers under a different name, which suggests these computers were infected without their owners’ knowledge. An average computer can mine about 20 hashes per second; a thousand infected computers can mine about 20,000 hashes a second. At current prices, that equals about $6,200 a month, or $75,000 a year in net profits.

Here are just a few real-life examples of the names used by these program and where they are installed on infected computers:

diskmngr.exe
mssys.exe
C:\system\taskmngr.exe
system.exe
nsdiag.exe
taskmngr.exe
svchost.exe
C:\Users\[username]\AppData\Roaming\MetaData\mdls\windlw\mDir_r\rhost.exe
qzwzfx.exe
C:\Users\[username]\AppData\Local\Temp\afolder\mscor.exe
C:\Program Files\Common Files\nheqminer64.exe
C:\Windows\Logs\Logsfiles64\conhost.exe
apupd.exe

As you can see, the names of many mining programs coincide with those of legitimate applications, but the installation location is different. For instance, the legitimate Windows Task Manager app (taskmgr.exe) should be located in the system folder C:\Windows\System32 and not in C:\system.

To ensure that the mining program is launched each time the operating system starts, the necessary records are added either to Task Scheduler or to the registry auto-run keys. Here are some examples of these records:

Task Scheduler\Microsoft\Windows Defender\Mine
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Miner

A couple of detected websites distributing mining programs:

http://execsuccessnow[.]com/wp-includes/m/nheqminer.exe
https://a.pomf[.]cat/qzwzfx.exe

Additional DLLs are required for the mining program to work. These DLLs, shown below, are installed along with the mining program.

cpu_tromp_AVX.dll
cpu_tromp_SSE2.dll
cudart64_80.dll
cuda_tromp.dll
logsetuplib.dll
msvcp120.dll
msvcr120.dll

So, what are the threats facing a user who is unaware that their computer is being used for cryptocurrency mining?

Firstly, these operations are power hungry: the computer uses up a lot more electricity, which, in some countries, could mean the user ends up with a hefty electricity bill.

Secondly, a mining program typically devours up to 90% of the system’s RAM, which dramatically slows down both the operating system and other applications running on the computer. Not exactly what you want from your computer.

To prevent the installation of mining programs, Kaspersky Lab users should check their security products and make sure detection of unwanted software is enabled.

Zcash, or the return of malicious miners

All other users are encouraged, at the very least, to check their folders and registry keys for suspicious files and records.

Zcash, or the return of malicious miners

Your email address will not be published. Required fields are marked *

 

Reports

How to catch a wild triangle

How Kaspersky researchers obtained all stages of the Operation Triangulation campaign targeting iPhones and iPads, including zero-day exploits, validators, TriangleDB implant and additional modules.

Subscribe to our weekly e-mails

The hottest research right in your inbox