ModPipe Malware Steals Sensitive Information from Oracle POS Software used by Hundreds of Thousands of Hotels

A new Point-of-Sale (PoS) named ModPipe malware is targeting devices utilized by many thousands of organizations within the hospitality sector, researchers have warned.

ESET researchers have discovered ModPipe, a modular backdoor ready to harvest sensitive information in PoS devices running Oracle Micros Restaurant Enterprise Series (RES) 3700, a management software suite utilized by many thousands of bars, restaurants, hotels, and other hospitality establishments worldwide.

 Researchers said in a blog that the operators of ModPipe likely have a “deep knowledge” of the software because the malware contains a custom algorithm ’GetMicInfo’ designed to gather RES 3700 POS database passwords by decrypting them from Windows registry values.

Based on the documentation of RES 3700 POS, the attackers won’t be ready to access sensitive information like credit card numbers and expiration dates, which is protected by encryption. The only customer data stored and thus available to the attackers should be cardholder names.

”To achieve this the attackers would have to reverse engineer the generation process of the “site-specific passphrase,” which is used to derive the encryption key for sensitive data,” the researchers note. “This process would then have to be implemented into the module due to the use of the Windows Data Protection API (DPAPI) executed directly on the victim’s machine.”

ModPipe Architecture

ModPipe uses modular architecture consisting of basic components and downloadable modules such as:

1. Initial dropper – contains both 32-bit and 64-bit binaries of the subsequent stage – the persistent loader – and installs the acceptable version to the compromised machine.
2. Persistent loader – unpacks and loads the subsequent stage of the malware, namely the main module.
3. The main module – performs the most functionality of the malware. It creates a pipe used for communication with other malicious modules, un/installs these modules and is a dispatcher that handles communication between the modules and therefore the attacker’s C&C server.

4. Networking module – a module used for communication with C&C.
5. Downloadable modules – components adding specific functionality to the backdoor, like the power to steal database passwords and configuration information, scan specific IP addresses or acquire an inventory of the running processes and their loaded modules.

Conclusion

To keep the operators behind ModPipe at bay, potential victims within the hospitality sector, also as the other businesses using the RES 3700 POS, are advised to:

• Use the newest version of the software.
• Use it on devices that run an updated operating system and software.
• Use reliable multi-layered security software that will detect ModPipe and similar threats.

Also Read

RATicate – Hackers Group Launching an Information Stealing Malware via Remote Admin Tool

FinSpy Malware Attacking iOS and Android Devices to Steal Personal Information