Zhengbang Pick & Places Your Confidential Data In The Bag, Slowly

A Zhengbang Pick&Place machine, with a VirusTotal 53/69 result and "53 security vendors and 1 sandbox flagged this file as malicious" crudely overlaid on top of the image

Isn’t it convenient when your pick-and-place machine arrives with a fully set-up computer inside of it? Plug in a keyboard, mouse and a monitor, and you have a production line ready to go. Turns out, you can have third parties partake in your convenience by sharing your private information with them – as long as you plug in an Ethernet cable! [Richard] from [RM Cybernetics] purchased a ZhengBang ZB3245TSS machine, and in the process of setting it up, dutifully backed up its software onto a USB stick – as we all ought to.

This bit of extra care, often skipped by fellow hackers, triggered an antivirus alert, and a VirusTotal scan then netted some interesting results: 53 of 69 engines flagged one particular file. That alone wasn’t conclusive, so they sent the suspicious file off for analysis, and the result came back positive. Static and dynamic analysis by a third party confirmed that the malware collects metadata accessible to the machine and sends it all to a third-party server. When they contacted ZhengBang about this mishap, they received a letter assuring them the files were harmless, along with a .zip attachment of replacement “clean” files which didn’t fail the antivirus checks.

It didn’t end there! After installing the “clean” files, they ran a few anti-malware tools, and all seemed fine. Then they plugged the flash drive into another computer again… and got even more alerts than before. The malware was equipped with a mechanism to infect every accessible .exe with a copy of itself on sight, including the .exe files of the anti-malware tools they had put on that USB drive. The article implies that the malware could have been placed on the machines to collect your company’s proprietary design information; we haven’t found much data to support that assertion, however, and as plausible as that intention is, it could just as well be an unrelated virus spreading through the factory. Surprisingly, none of these discoveries count as violations of the Aliexpress Terms and Conditions – so if you’d like to distribute a bunch of IoT malware on, say, wireless routers you bought in bulk, now you know of a platform that will help you!
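Comparing a USB stick’s executables against a hash manifest taken while the stick was known clean is the simplest way to catch a self-copying infector like the one described above, and the SHA-256 values it records can be looked up on VirusTotal by hash instead of uploading a possibly proprietary file. The Python script below is an added example, not code from the article or from RM Cybernetics; the file names, the constructed byte contents and the extension list beyond .exe are assumptions for illustration. Keep the manifest off the stick, on a machine you trust: an infector that rewrites every .exe it reaches could just as easily rewrite a manifest stored beside them.

```python
"""Baseline-and-verify check for executables on removable media.

Added example (not from the article or RM Cybernetics): record SHA-256 and
size for every executable on a USB stick while it is known clean, keep that
manifest somewhere the stick cannot touch, and re-verify after the stick has
visited an untrusted machine. A file infector that overwrites or appends
itself to every reachable .exe shows up as a changed hash; dropped payloads
show up as new files.
"""
from __future__ import annotations

import hashlib
import json
import tempfile
from pathlib import Path

# Extensions a PE file infector typically targets. The article only mentions
# .exe files; the other suffixes are an assumption added for this example.
EXECUTABLE_SUFFIXES = {".exe", ".dll", ".scr", ".com", ".sys"}


def sha256_of(path: Path) -> str:
    """Stream the file in 1 MiB chunks so large installers do not load into RAM."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict[str, dict]:
    """Map each executable's path (relative to root) to its hash and size."""
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in EXECUTABLE_SUFFIXES:
            rel = path.relative_to(root).as_posix()
            baseline[rel] = {"sha256": sha256_of(path), "size": path.stat().st_size}
    return baseline


def verify(root: Path, baseline: dict[str, dict]) -> dict[str, list[str]]:
    """Compare the medium against the saved baseline and report what changed."""
    current = build_baseline(root)
    modified = sorted(
        rel for rel, meta in current.items()
        if rel in baseline and meta["sha256"] != baseline[rel]["sha256"]
    )
    added = sorted(set(current) - set(baseline))
    missing = sorted(set(baseline) - set(current))
    return {"modified": modified, "added": added, "missing": missing}


def demo(root: Path) -> dict[str, list[str]]:
    """Constructed scenario: two clean tools on a stick, then an infector visits."""
    tools = root / "tools"
    tools.mkdir(parents=True, exist_ok=True)
    # Constructed stand-ins for clean executables (real PE files start with "MZ").
    (tools / "scanner.exe").write_bytes(b"MZ" + b"\x00" * 64 + b"clean scanner")
    (tools / "helper.exe").write_bytes(b"MZ" + b"\x00" * 64 + b"clean helper")
    (root / "readme.txt").write_text("not an executable, ignored by the check")

    # Take the baseline while clean and round-trip it through JSON, as you
    # would when storing the manifest on a trusted machine.
    saved = json.loads(json.dumps(build_baseline(root), indent=2))

    # Simulate the infector: it rewrites one tool with its own body and drops
    # a fresh executable in the root of the stick.
    (tools / "scanner.exe").write_bytes(b"MZ" + b"INFECTOR" * 32 + b"clean scanner")
    (root / "autorun.exe").write_bytes(b"MZ" + b"INFECTOR" * 32)
    return verify(root, saved)


def run_demo() -> dict[str, list[str]]:
    """Run the constructed scenario in a throwaway directory."""
    with tempfile.TemporaryDirectory() as tmp:
        return demo(Path(tmp))


if __name__ == "__main__":
    # Expected: scanner.exe modified, autorun.exe added, nothing missing.
    print(json.dumps(run_demo(), indent=2))
```

For a real stick, call `build_baseline(Path("E:/"))` on a trusted machine before the stick leaves it, write the result to a file on that machine, and run `verify` against it after every trip; the hashes in the manifest can be searched on VirusTotal without exposing the binaries themselves.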

This goes in our bin of Pretty Bad News for makers and small companies. If you happen to have a ZhengBang pick-and-place machine with a built-in computer, we recommend that you familiarize yourself with the article and do an investigation. The article also goes into detail on how to reinstall Windows while keeping all the drivers and software libraries working, but we highly recommend you first worry about how far this machine’s infection may have spread.

Supply chain attacks, eh? We’ve seen plenty of these lately, what with communities and software repositories being targeted every now and then. Malware embedded into devices from the factory isn’t a stranger to us, either – at least this time we have far more information than we did when Supermicro was under fire.

Editor’s Note: As pointed out by our commenters, there’s currently not enough evidence to assert that Zhengbang’s intentions were malicious. The article has been edited to reflect the situation more accurately, and will be updated if more information becomes available.

Editor’s Note Again: A rep from Zhengbang showed up in the comments and claims that this was indeed a virus that they picked up and unintentionally passed on to the end clients.

29 thoughts on “Zhengbang Pick & Places Your Confidential Data In The Bag, Slowly”

    1. If you treat the machine as a bunch of mechanics to hang OpenPNP or similar on it’s probably reasonable value even if you nuke a part of the control electronics and replace it with something less virusy.

    1. Nothing burger. One would have thought that, with the popularity of cellphone cameras, someone working for the target companies could have leaked the “spy chip” if it were real. Too much speculation and no actual samples. It reeks of stock manipulation.

      Moral of the story: Do not trust a financial website for tech news. Might as well read 4chan.

    2. The hardware embedded signal filters theory turned out to be mostly an urban legend.

      Kind of a shame they caught so much shade, as their bios supported hot swapping regular SATA drives out of the box (I like cephfs for some JBOD designs). Sure most of the 2U options sounded like a 737 turbine at takeoff, but dollar for dollar these are a far more economical option (lower cost ECC ram options too).

      The Zhengbang Malware attack is straight up espionage though, and should be reported to your local government for a global import ban at minimum.

  1. Honestly, it sounds like Hanlon’s razor applies here… looks like these guys got infected with something and it spread to whatever they use to set up their PnP machines. I’m saying this because it sounds fishy when you look at it from the manufacturer’s side: if your purpose is to steal all your customers’ information, would you do that by taking a known piece of malware (which can be detected by anti-virus software, like happened here) and installing it on your device? No, you would likely build the functionality to upload designs into your software. Secondly, the report doesn’t state that the malware specifically uploads designs: they only show the malware uploading generic computer information stats. Thirdly, the URLs that the malware accesses are very clearly non-Chinese: dropbox, google, msn etc. You wouldn’t expect that from a Chinese-developed product.

    Is it possible that they took a non-Chinese company in arms to develop this malware, or grabbed a bunch of developers highly skilled in Western-style development? Sure. (Although I would expect there to be some cross-pollination there and the actual PnP program wouldn’t be written in Delphi and look like something developed with Chinese in mind for the UI first.) Is it more likely than a Chinese company getting infected wholesale with some malware? I highly doubt it.

    (Disregarding all this, the lukewarm response of them and Aliexpress still is no bueno, obviously, but I’m simply saying that the jump to ‘industrial espionage by Zhengbang’ seems a bit premature)

    1. Very good point.

      Why use some malware that’s going to trigger off AV when they could simply bake the functionality into their own software? They could even pass it off as an “unfinished” cloud save feature that was meant to be disabled.

      1. When informing the company about the malware, I was told it was a false positive, and not to worry as the machine already had antivirus software installed. The Chinese AV software was either useless or deliberately missing those infections, as when the machine was scanned with proper tools, I found multiple types of infections in various files.

        We may never know if the malware was installed at the instructions of the company or not, but the way they responded to the fact is suspicious to me. Perhaps a single employee took a backhander to do it, who knows.

        I could quite easily have missed the additional infections after the ones on the USB. If I had not had other exe files on the usb that I knew were clean, I may not have realised what was afoot.

        Even after disinfecting the machine, I did not feel confident that there was not something else lurking, so ended up replacing the SSD entirely.

        1. Hanlon’s razor again – there’s a lot of stuff that comes out of China where clearly the guys making & selling it are at best only just qualified to do so, so while nailing a functioning pick & place together may be within their capabilities, Windows security may not be. Hell, often they’re just nailing together other sub-assemblies from other barely-competent sources, held together with very hastily assembled software.

          It’s also possible / likely that viruses etc. like this are so rife in that environment (how many genuine and updated copies of Windows are running in China I wonder?) that this is how they are used to working.

          As the commenter above says, it would be a very clumsy way of exfiltrating a small and easily-hidden or easily explained-away amount of data.

          I don’t rule out espionage from a supplier or even government (which is no secret or news to anyone), but there’s a lot of very shaky links in that chain for products like this.

    2. Hey! Author here.

      You bring up a slew of points worth considering. Having thought about it, I absolutely agree that this conclusion was premature. The “denial” and “lack of transparency” were the main facts that colored my judgment there, as these are behaviours that firmly toe the “plausible deniability malicious” line in my view. For instance, I have an expectation that a generic company would notify their customers of a virus like this and work to remedy the consequences. However, as much as the disclosure practice is part of Western and European tech culture, it might not be a fair expectation to place on a Chinese pick&place machine manufacturer.

      I would dispute some of the “where the malware came from, and what would be the best plausibly-deniable way to distribute it” parts of your comment, but that would detract from the point. Having talked with an editor, I’ve modified the article to have it report more on the facts, and filter out the implications that I might have made in haste or with insufficient data, and added an editor’s note section to explain the changes that have been made. If anyone’s interested – archive.is has a copy of the article as it was before editing.

      Thank you for highlighting this to us ^__^

  2. Honestly that sounds a lot more like incompetence than malice. Their manufacturing system (or MAYBE their build system) probably got infected with something and is passing it on to all their equipment. And they probably have approximately zero clue about what is going on, so they just sent a copy of their (apparently still clean) masters.

    Even if they *are* malicious, they are *also* incompetent, because it shouldn’t be hard for a manufacturer to embed spyware that won’t trigger AV at all.

    1. Hey! That’s a great point. I’ve updated the article to have it rely more on the facts presented, and made a separate comment explanation about that above. Thank you for your input ^__^

  3. I am not defending this practice in any way, but it does seem to me that a manufacturer of something this expensive (and likely profitable), would stand to lose more in terms of reputation and sales than it might gain from intentionally distributing malware .

    Let us consider the following (please feel free to correct me or expand as necessary):

    a) According to the info found on Aliexpress, there are several vendors selling the ZB3245TSS, among which HUAQIZHENGBANG Store, HUAQIZHENGBANG Official Store, China LYCNC Outlet Store, and likely others. The first two seem to have the same business info, as far as I can tell. Aliexpress says that info is self-declared and not guaranteed.

    b) There is a (non-https) website at http://www.wzzbdz.com/en/m/ which might be that of the actual manufacturing company. The site has existed in one form or another for over ten years according to archive.org.

    c) Whether any of the stores in a) and the site in b) are actually related is unclear to me at a cursory glance, but they do not seem to reference each other (the website has contact info, but does not have online purchasing options or a list of vendors/distributors, so the company possibly operates through direct sales)

    d) Malware may indeed have been factory installed, but that does not necessarily imply that it was intentional on the part of the manufacturer. It may have been accidental (careless employee, insecure business processes, etc.), an inside job, or an act of sabotage by one of the company’s competitors (to discredit the company, gain customer info, etc.).

    e) If there is a third party (vendors in a) or another unknown/unnamed party) involved in distribution/sale, it may be the one responsible for installing malware. Also, has it been confirmed the purchase is not a copy/counterfeit/midnight run?

    All that being said, Aliexpress’ response is discouraging and the end result for the purchaser is anything but great, but, IMHO, it is possible that the purported manufacturer could be either blameless or only partially to blame (possibly being a victim itself) rather than intentionally nefarious.

    1. These are some pretty good facts and conclusions chains! I agree that assigning nefariousness should have a higher standard, and I have updated the article to reflect that – expanded more on that in a comment above. Thank you for bringing this up ^__^

  4. Bottom line: whether this is malice or incompetence or nation-state manipulation, this product – in its probably multitudinous guises, its various purported manufacturers, and its supply chain right through to delivery – are suspect. Buy something else from somewhere else or lovingly handcraft your own.

  5. Come on… nothing malicious here. Works as designed.
    There are plenty of not-so-legal things to buy on Ali. The only difference from underground sites is that you can’t pay with cryptocurrency.

  6. Y’know maybe I should get in the habit of scanning the “driver” CDs that come with cheap hardware rather than just throwing them out. Many of them are burned mini-CD-R discs and I can only imagine what goes on ’em.

    I’ve also wondered whether different customers get different “drivers” depending on their shipping address. One way to prove it, I guess.

  7. It could be either way: Heinlein’s Razor (Hanlon’s), or China is known for spyware as evidenced by crackdowns on their people, so pick and place equipment, even on the intermediate level, could be a good place to start with trojan injection capabilities. Either way, the malware was present and not detected prior, so people need to be aware that in a time of need, their stuff might be remotely interfered with. Not a bad strategy.

  8. I bought a Chinese fiber laser. Indeed the version of ezcad they sent with the machine had malware in it, and of course they told me it’s “harmless”.
    Ezcad is crap anyway, so I’m seriously considering replacing the controller with something else entirely.

  9. I am with Zhengbang. On behalf of our company, we are sorry Richard did not get a good shopping experience from us.

    I checked his blog; the virus he got is named Synaptics.exe, as we can see from the blog picture. We can google it, it’s a very famous and bad one. I can say that though Zhengbang is the number one table-top PNP machine factory in China, we do not have the technical strength to develop this kind of malware. We have Alibaba and Aliexpress stores, and some of them are our agents’.

    It’s hard to tell where this virus came from; maybe my colleague or suppliers unexpectedly and accidentally got it during production, but it’s our fault that we did not find it before delivering it to the client. We are just a normal business company and never try to steal any information from clients.

    My colleague is still communicating with Richard after sending him new software. We hope to solve this and hope his company can put our machine to use soon.

  10. Unfortunately it is true. I bought this machine 2 months ago. After reading this article I did the same – copied the software to a USB stick, then scanned the USB stick for viruses. And the antivirus software found two viruses.
