
Barely a month and a half have passed since Zcash became available, and crooks have already started deploying malware that infects the computers of unsuspecting users and uses their resources to mine for this very profitable cryptocurrency.

Zcash launched at the end of October 2016 and was hailed as a cryptocurrency that brought the anonymity features that Bitcoin couldn't provide.

The currency became an instant hit, mainly because of government efforts around the world to unmask Bitcoin transactions and combat cryptocurrency-based money laundering operations.

Users flocked to Zcash, as they did to Monero in past years, hoping to hide their identity and funds from prying eyes.

Zcash targeted by crooks because of its mining profitability

But besides enhanced anonymity, Zcash also brought better profitability for mining operations. You see, all cryptocurrencies rely on "mining," which is a term used to describe intense computational processes run on participating computers all over the world. These computations help verify transactions and keep the cryptocurrency's database intact and safe from illegal tampering.

Users who "mine" are rewarded with cryptocurrency funds at regular intervals, making mining a way to earn cryptocurrency without having to buy it using dollars, pounds, or other fiat currencies.

When Bitcoin appeared, crooks deployed malware that secretly added infected computers to botnets that mined Bitcoin for a crook's profit. The same thing happened in later years with Litecoin, Ether, and most recently with Monero.

As older currencies became less and less profitable to mine, crooks moved to newly launched cryptocurrencies. The more popular and more recent the cryptocurrency, the bigger the profits.

In the world of cryptocurrencies, there's no hotter cryptocurrency right now than Zcash. In hindsight, it was normal for crooks to update their malware to mine for Zcash.

Crooks mining for Zcash can earn $75,000/year/~1,000 computers

Alexander Gostev, one of Kaspersky Lab's malware analysts, says he uncovered one such piece of malware.

"We found approximately 1,000 unique users who have some version of the Zcash miner installed on their computers under a different name, which suggests these computers were infected without their owners’ knowledge," Gostev says.

"An average computer can mine about 20 hashes per second; a thousand infected computers can mine about 20,000 hashes a second," Gostev adds. "At current prices, that equals about $6,200 a month, or $75,000 a year in net profits."

Even if malware that mines for cryptocurrency doesn't steal anything from infected computers, this type of threat is extremely dangerous: it quickly hogs system resources, consumes large amounts of electrical power, and leads to rapid deterioration of a computer's hardware components, such as the CPU and GPU.

Usually, it's easy to spot cryptocurrency miners because they ramp up CPU usage above 90%, even when the system is idle. These miners hide their processes under various names. Gostev says that this recent malware campaign hid cryptocurrency miners under processes and programs such as:

diskmngr.exe
mssys.exe
C:\system\taskmngr.exe
system.exe
nsdiag.exe
taskmngr.exe
svchost.exe
C:\Users\[username]\AppData\Roaming\MetaData\mdls\windlw\mDir_r\rhost.exe
qzwzfx.exe
C:\Users\[username]\AppData\Local\Temp\afolder\mscor.exe
C:\Program Files\Common Files\nheqminer64.exe
C:\Windows\Logs\Logsfiles64\conhost.exe
apupd.exe
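
One way to triage a process inventory against the names and paths listed above, as an added example that is not from the original article or from Kaspersky Lab. It treats `[username]` as a wildcard and flags `svchost.exe` only outside `System32`/`SysWOW64`, since a bare-name match would hit every legitimate instance; the `triage` function, the `(path, cpu)` input format and the sample snapshot are assumptions constructed for illustration.

```python
import ntpath
import re

# Indicators copied from the article's list; "[username]" is its placeholder.
IOC_PATHS = [
    r"C:\system\taskmngr.exe",
    r"C:\Users\[username]\AppData\Roaming\MetaData\mdls\windlw\mDir_r\rhost.exe",
    r"C:\Users\[username]\AppData\Local\Temp\afolder\mscor.exe",
    r"C:\Program Files\Common Files\nheqminer64.exe",
    r"C:\Windows\Logs\Logsfiles64\conhost.exe",
]
IOC_NAMES = {"diskmngr.exe", "mssys.exe", "system.exe", "nsdiag.exe",
             "taskmngr.exe", "svchost.exe", "qzwzfx.exe", "apupd.exe"}
# svchost.exe is also a genuine Windows binary: suspicious only outside these folders.
LEGIT_DIRS = {"svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"}}
# Escape each path, then let the placeholder match any single folder name.
PATH_RES = [re.compile(re.escape(p).replace(re.escape("[username]"), r"[^\\]+"), re.I)
            for p in IOC_PATHS]

def triage(processes):
    """processes: iterable of (image_path, cpu_percent); returns [(path, reason)]."""
    findings = []
    for path, cpu in processes:
        name = ntpath.basename(path).lower()
        folder = ntpath.dirname(path).lower()
        if any(rx.fullmatch(path) for rx in PATH_RES):
            reason = "exact path from the article's list"
        elif name in LEGIT_DIRS and folder in LEGIT_DIRS[name]:
            continue  # the real svchost.exe in its normal location
        elif name in LEGIT_DIRS:
            reason = "Windows binary name outside its normal directory"
        elif name in IOC_NAMES:
            reason = "file name from the article's list"
        else:
            continue
        if cpu > 90:  # the article's "above 90%" symptom, used as corroboration
            reason += ", CPU above 90%"
        findings.append((path, reason))
    return findings

# Constructed process snapshot (not real telemetry).
SAMPLE = [
    (r"C:\Windows\System32\svchost.exe", 1.0),
    (r"C:\Users\alice\AppData\Local\Temp\afolder\mscor.exe", 96.0),
    (r"C:\ProgramData\svchost.exe", 93.5),
    (r"C:\Windows\Logs\Logsfiles64\conhost.exe", 97.0),
    (r"C:\Tools\apupd.exe", 12.0),
]

print(*triage(SAMPLE), sep="\n")
```
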

Furthermore, the malware also added two new Windows registry keys:

Task Scheduler\Microsoft\Windows Defender\Mine
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Miner

Users who find any of these files or registry keys, or notice strange behavior from their computer, should immediately scan their systems for infections using their preferred antivirus.