Saturday, June 15, 2024

ModPipe Malware Steals Sensitive Information from Oracle POS Software used by Hundreds of Thousands of Hotels

A new Point-of-Sale (PoS) named ModPipe malware is targeting devices utilized by many thousands of organizations within the hospitality sector, researchers have warned.

ESET researchers have discovered ModPipe, a modular backdoor ready to harvest sensitive information in PoS devices running Oracle Micros Restaurant Enterprise Series (RES) 3700, a management software suite utilized by many thousands of bars, restaurants, hotels, and other hospitality establishments worldwide.

 Researchers said in a blog that the operators of ModPipe likely have a “deep knowledge” of the software because the malware contains a custom algorithm ’GetMicInfo’ designed to gather RES 3700 POS database passwords by decrypting them from Windows registry values.

Based on the documentation of RES 3700 POS, the attackers won’t be ready to access sensitive information like credit card numbers and expiration dates, which is protected by encryption. The only customer data stored and thus available to the attackers should be cardholder names.

”To achieve this the attackers would have to reverse engineer the generation process of the “site-specific passphrase,” which is used to derive the encryption key for sensitive data,” the researchers note. “This process would then have to be implemented into the module due to the use of the Windows Data Protection API (DPAPI) executed directly on the victim’s machine.”

ModPipe Architecture

ModPipe uses modular architecture consisting of basic components and downloadable modules such as:

  1.  Initial dropper – contains both 32-bit and 64-bit binaries of the subsequent stage – the persistent loader – and installs the acceptable version to the compromised machine.
  2. Persistent loader – unpacks and loads the subsequent stage of the malware, namely the main module.
  3. The main module – performs the most functionality of the malware. It creates a pipe used for communication with other malicious modules, un/installs these modules and is a dispatcher that handles communication between the modules and therefore the attacker’s C&C server.
  1. Networking module – a module used for communication with C&C.
  2. Downloadable modules – components adding specific functionality to the backdoor, like the power to steal database passwords and configuration information, scan specific IP addresses or acquire an inventory of the running processes and their loaded modules.


To keep the operators behind ModPipe at bay, potential victims within the hospitality sector, also as the other businesses using the RES 3700 POS, are advised to:

  • Use the newest version of the software.
  • Use it on devices that run an updated operating system and software.
  • Use reliable multi-layered security software that will detect ModPipe and similar threats.

Also Read

RATicate – Hackers Group Launching an Information Stealing Malware via Remote Admin Tool

FinSpy Malware Attacking iOS and Android Devices to Steal Personal Information


Latest articles

Sleepy Pickle Exploit Let Attackers Exploit ML Models And Attack End-Users

Hackers are targeting, attacking, and exploiting ML models. They want to hack into these...

SolarWinds Serv-U Vulnerability Let Attackers Access sensitive files

SolarWinds released a security advisory for addressing a Directory Traversal vulnerability which allows a...

Smishing Triad Hackers Attacking Online Banking, E-Commerce AND Payment Systems Customers

Hackers often attack online banking platforms, e-commerce portals, and payment systems for illicit purposes.Resecurity...

Threat Actor Claiming Leak Of 5 Million Ecuador’s Citizen Database

A threat actor has claimed responsibility for leaking the personal data of 5 million...

Ascension Hack Caused By an Employee Who Downloaded a Malicious File

Ascension, a leading healthcare provider, has made significant strides in its investigation and recovery...

AWS Announced Malware Detection Tool For S3 Buckets

Amazon Web Services (AWS) has announced the general availability of Amazon GuardDuty Malware Protection...

Hackers Exploiting MS Office Editor Vulnerability to Deploy Keylogger

Researchers have identified a sophisticated cyberattack orchestrated by the notorious Kimsuky threat group.The...
Guru baran
Guru baran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Free Webinar

API Vulnerability Scanning

71% of the internet traffic comes from APIs so APIs have become soft targets for hackers.Securing APIs is a simple workflow provided you find API specific vulnerabilities and protect them.In the upcoming webinar, join Vivek Gopalan, VP of Products at Indusface as he takes you through the fundamentals of API vulnerability scanning..
Key takeaways include:

  • Scan API endpoints for OWASP API Top 10 vulnerabilities
  • Perform API penetration testing for business logic vulnerabilities
  • Prioritize the most critical vulnerabilities with AcuRisQ
  • Workflow automation for this entire process

Related Articles