Isn’t it convenient when your pick-and-place machine arrives with a fully-set-up computer inside of it? Plug in a keyboard, mouse and a monitor, and you have a production line ready to go. Turns out, you can have the manufacturer partake in your convenience by sharing your private information with them – as long as you plug in an Ethernet cable! [Richard] from [RM Cybernetics] has purchased a ZhengBang ZB3245TSS machine, and in the process of setting it up, dutifully backed up its software onto a USB stick – as we all ought to.
This bit of extra care, often missed by fellow hackers, triggered an antivirus scanner alert, and subsequently netted some interesting results on VirusTotal – with 53/69 result for a particular file. That wasn’t conclusive enough – they’ve sent the suspicious file for an analysis, and the test came back positive. After static and dynamic analysis done by a third party, the malware was confirmed to collect any files and metadata accessible to the machine and send them all to a server, presumably, under the manufacturer’s control. Having contacted ZhengBang about this mishap, they received a letter with assurances that the files were harmless, and a .zip attachment with replacement “clean” files which didn’t fail the antivirus checks.
It didn’t end here! After installing the “clean” files, they also ran a few anti-malware tools, and all seemed fine. Then, they plugged the flash drive into another computer again… to encounter even more alerts than before. The machine was equipped with some sort of mechanism to infect every .exe touching it with the same aforementioned malware, and the “clean” files were nothing more than a distraction – the infection got added to all .exe files on sight, even .exe‘s of the anti-malware tools they put on that USB drive. By this point, ZhengBang’s intentions are pretty clear – getting data from as many of your devices as possible. To add to that, all of these discoveries don’t count as violations of Aliexpress Terms and Conditions – so if you’d like to distribute a bunch of IoT malware on, say, wireless routers you bought in bulk, now you know of a platform that will help you!
This goes in our bin of Pretty Bad News for makers and small companies. If you happen to have a ZhengBang pick-and-place machine with a built-in computer, we recommend that you familiarize yourself with the article and do an investigation. The article also goes into details on how to reinstall Windows while keeping all the drivers and software libraries working, but we highly recommend you worry about the impact of this machine’s infection spread mechanisms, first.
Supply chain attacks, eh? We’ve seen plenty of these lately, what’s with communities and software repositories being targeted every now and then. Malware embedded into devices from the factory isn’t a stranger to us, either – at least, this time we have way more information than we did when Supermicro was under fire.
- About
- All
- analysis
- antivirus
- article
- Attacks
- being
- Bit
- Bunch
- care
- Checks
- Communities
- Companies
- data
- Devices
- DID
- dynamic
- encounter
- equipped
- factory
- fine
- First
- Flash
- getting
- hackers
- having
- help
- How
- How To
- HTTPS
- Impact
- infection
- information
- investigation
- iot
- IT
- keeping
- Line
- Long
- malware
- Manufacturer
- more
- news
- platform
- Plenty
- Plugged
- pretty
- private
- process
- Production
- Results
- setting
- small
- So
- Software
- spread
- test
- time
- tools
- us
- usb
- windows
- wireless
- working
