Friday, March 29, 2024

ModPipe Malware Steals Sensitive Information from Oracle POS Software used by Hundreds of Thousands of Hotels

A new Point-of-Sale (PoS) named ModPipe malware is targeting devices utilized by many thousands of organizations within the hospitality sector, researchers have warned.

ESET researchers have discovered ModPipe, a modular backdoor ready to harvest sensitive information in PoS devices running Oracle Micros Restaurant Enterprise Series (RES) 3700, a management software suite utilized by many thousands of bars, restaurants, hotels, and other hospitality establishments worldwide.

 Researchers said in a blog that the operators of ModPipe likely have a “deep knowledge” of the software because the malware contains a custom algorithm ’GetMicInfo’ designed to gather RES 3700 POS database passwords by decrypting them from Windows registry values.

Based on the documentation of RES 3700 POS, the attackers won’t be ready to access sensitive information like credit card numbers and expiration dates, which is protected by encryption. The only customer data stored and thus available to the attackers should be cardholder names.

”To achieve this the attackers would have to reverse engineer the generation process of the “site-specific passphrase,” which is used to derive the encryption key for sensitive data,” the researchers note. “This process would then have to be implemented into the module due to the use of the Windows Data Protection API (DPAPI) executed directly on the victim’s machine.”

ModPipe Architecture

ModPipe uses modular architecture consisting of basic components and downloadable modules such as:

  1.  Initial dropper – contains both 32-bit and 64-bit binaries of the subsequent stage – the persistent loader – and installs the acceptable version to the compromised machine.
  2. Persistent loader – unpacks and loads the subsequent stage of the malware, namely the main module.
  3. The main module – performs the most functionality of the malware. It creates a pipe used for communication with other malicious modules, un/installs these modules and is a dispatcher that handles communication between the modules and therefore the attacker’s C&C server.
  1. Networking module – a module used for communication with C&C.
  2. Downloadable modules – components adding specific functionality to the backdoor, like the power to steal database passwords and configuration information, scan specific IP addresses or acquire an inventory of the running processes and their loaded modules.

Conclusion

To keep the operators behind ModPipe at bay, potential victims within the hospitality sector, also as the other businesses using the RES 3700 POS, are advised to:

  • Use the newest version of the software.
  • Use it on devices that run an updated operating system and software.
  • Use reliable multi-layered security software that will detect ModPipe and similar threats.

Also Read

RATicate – Hackers Group Launching an Information Stealing Malware via Remote Admin Tool

FinSpy Malware Attacking iOS and Android Devices to Steal Personal Information

Website

Latest articles

Beware Of Weaponized Air Force invitation PDF Targeting Indian Defense And Energy Sectors

EclecticIQ cybersecurity researchers have uncovered a cyberespionage operation dubbed "Operation FlightNight" targeting Indian government...

WarzoneRAT Returns Post FBI Seizure: Utilizing LNK & HTA File

The notorious WarzoneRAT malware has made a comeback, despite the FBI's recent efforts to...

Google Revealed Kernel Address Sanitizer To Harden Android Firmware And Beyond

Android devices are popular among hackers due to the platform’s extensive acceptance and open-source...

Compromised SaaS Supply Chain Apps: 97% of Organizations at Risk of Cyber Attacks

Businesses increasingly rely on Software as a Service (SaaS) applications to drive efficiency, innovation,...

IT and security Leaders Feel Ill-Equipped to Handle Emerging Threats: New Survey

A comprehensive survey conducted by Keeper Security, in partnership with TrendCandy Research, has shed...

How to Analyse .NET Malware? – Reverse Engineering Snake Keylogger

Utilizing sandbox analysis for behavioral, network, and process examination provides a foundation for reverse...

GoPlus’s Latest Report Highlights How Blockchain Communities Are Leveraging Critical API Security Data To Mitigate Web3 Threats

GoPlus Labs, the leading Web3 security infrastructure provider, has unveiled a groundbreaking report highlighting...
Guru baran
Guru baranhttps://gbhackers.com
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Mitigating Vulnerability Types & 0-day Threats

Mitigating Vulnerability & 0-day Threats

Alert Fatigue that helps no one as security teams need to triage 100s of vulnerabilities.

  • The problem of vulnerability fatigue today
  • Difference between CVSS-specific vulnerability vs risk-based vulnerability
  • Evaluating vulnerabilities based on the business impact/risk
  • Automation to reduce alert fatigue and enhance security posture significantly

Related Articles