13 November 2020

ModPipe backdoor opens access to POS systems widely used in hospitality industry

Restaurants, bars and hotels, many of which are already suffering losses from the current COVID-19 pandemic, are facing a new threat, this time from cybercriminals.

Researchers from the Slovak cybersecurity firm ESET have warned of a never-before-seen backdoor specifically designed to target restaurant point-of-sale (POS) solutions from Oracle, namely the Oracle MICROS Restaurant Enterprise Series (RES) 3700 POS – a management software suite used by hundreds of thousands of bars, restaurants, hotels and other hospitality establishments across the globe. Dubbed ModPipe, the new backdoor is notable for its unusual sophistication and features.

For one thing, it contains several downloadable modules, one of which, called GetMicInfo, is capable of collecting RES 3700 POS database passwords by decrypting them from Windows registry values.

“This shows that the backdoor’s authors have deep knowledge of the targeted software and opted for this sophisticated method instead of collecting the data via a simpler yet ‘louder’ approach, such as keylogging. Exfiltrated credentials allow ModPipe’s operators access to database contents, including various definitions and configuration, status tables and information about POS transactions,” ESET notes.

“However, based on the documentation of RES 3700 POS, the attackers should not be able to access some of the most sensitive information – such as credit card numbers and expiration dates – which is protected by encryption. The only customer data stored in the clear and thus available to the attackers should be cardholder names,” the report continues.

The ModPipe backdoor has a modular architecture, which includes:

  • Initial dropper – contains both 32-bit and 64-bit binaries of the next stage – the persistent loader – and installs the appropriate version to the compromised machine.

  • Persistent loader – unpacks and loads the next stage of the malware, namely the main module.

  • Main module – performs the main functionality of the malware. It creates a pipe used for communication with the other malicious modules, installs and uninstalls these modules, and serves as a dispatcher that handles communication between the modules and the attacker’s C&C server.

  • Networking module – handles communication with the C&C server.

  • Downloadable modules – components adding specific functionality to the backdoor, such as the ability to steal database passwords and configuration information, scan specific IP addresses or acquire a list of the running processes and their loaded modules.

Besides GetMicInfo, the malware contains several other downloadable modules, such as ModScan 2.20, which collects additional information about the installed MICROS POS environment, and ProcList, a lightweight module designed to gather information about currently running processes, including name, process identifier (PID), parent process PID, number of threads, token owner, token domain, process creation time, and command line.
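As an added, defender-side illustration (not part of the ESET report or this article), the following Python correlates Sysmon named-pipe events to surface the pattern described above: one process creating a pipe that several other processes on the same host then connect to. The Sysmon event IDs are real; the log lines, image paths, pipe names and allow-list are constructed assumptions.

```python
# Added example: hunting for a ModPipe-style named-pipe dispatcher pattern in Sysmon
# events. Event IDs 17 (PipeCreated) and 18 (PipeConnected) are real Sysmon events;
# the sample lines below are constructed and every path/pipe name is hypothetical.
from collections import defaultdict

# Constructed sample of Sysmon pipe events, flattened to one "key=value" line each.
SAMPLE_EVENTS = """\
EventID=17 Image=C:\\Windows\\System32\\svchost.exe PipeName=\\PSHost.1.2.3 PID=812
EventID=18 Image=C:\\Windows\\System32\\svchost.exe PipeName=\\PSHost.1.2.3 PID=812
EventID=17 Image=C:\\ProgramData\\upd\\main.exe PipeName=\\pipe_a1b2c3 PID=4100
EventID=18 Image=C:\\ProgramData\\upd\\net.exe PipeName=\\pipe_a1b2c3 PID=4160
EventID=18 Image=C:\\ProgramData\\upd\\getinfo.exe PipeName=\\pipe_a1b2c3 PID=4212
"""

# Hypothetical allow-list of pipe-name prefixes known to be benign in this environment.
KNOWN_PIPE_PREFIXES = ("\\PSHost", "\\lsass", "\\srvsvc")


def parse_event(line):
    """Turn one flattened 'key=value key=value' line into a dict."""
    return dict(tok.split("=", 1) for tok in line.split())


def find_cross_process_pipes(log_text, allow_prefixes=KNOWN_PIPE_PREFIXES):
    """Return {pipe_name: (creator_image, [connecting images])} for pipes that one
    process created and a *different* process connected to, skipping allow-listed
    names. Several distinct connectors on one pipe is the dispatcher shape to triage."""
    creators = {}
    connectors = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        pipe = ev["PipeName"]
        if pipe.startswith(allow_prefixes):
            continue
        if ev["EventID"] == "17":
            creators[pipe] = (ev["Image"], ev["PID"])
        elif ev["EventID"] == "18":
            connectors[pipe].append((ev["Image"], ev["PID"]))
    hits = {}
    for pipe, (creator_img, creator_pid) in creators.items():
        others = [img for img, pid in connectors.get(pipe, []) if pid != creator_pid]
        if others:
            hits[pipe] = (creator_img, others)
    return hits


if __name__ == "__main__":
    for pipe, (creator, clients) in find_cross_process_pipes(SAMPLE_EVENTS).items():
        print(f"{pipe}: created by {creator}, connected by {', '.join(clients)}")
```

In a real deployment the same correlation would run over exported Sysmon JSON or a SIEM query, with the allow-list built from a baseline of the POS host's normal pipes.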

“ModPipe shows quite a few interesting features,” researchers said. “ModPipe’s architecture, modules and their capabilities also indicate that its writers have extensive knowledge of the targeted RES 3700 POS software. The proficiency of the operators could stem from multiple scenarios, including stealing and reverse-engineering the proprietary software product, misusing its leaked parts or buying code from an underground market.”
