Security researchers have discovered a new Point-of-Sale (PoS) malware targeting devices used by "hundreds of thousands" of organizations in the hospitality industry (hotels etc.). The new malware has been named ModPipe. It is a backdoor that can collect sensitive information from PoS devices running Oracle Micros Restaurant Enterprise Series (RES) 3700, a management software suite that is very popular in the United States.
According to Oracle, RES 3700 is "the most popular restaurant management software in the industry today". The suite manages PoS, reward programs for the most "loyal customers", reporting, inventory, advertising/promotions and mobile payments.
ESET security researchers stated that the ModPipe operators are probably familiar with this software, as the malware contains a custom algorithm designed to collect access credentials for the RES 3700 POS databases.
Alternatively, the attackers may have stolen the software and reverse-engineered it after the data breach that took place at Oracle's PoS division in 2016.
ESET researchers say that once ModPipe is launched on a PoS device, it acquires access to the contents of the database (system configuration, status tables and some PoS data related to transactions). However, the malware (in its basic form) probably cannot steal credit card numbers or their expiration dates.
This sensitive information is protected by the encryption standards applied by RES 3700. Therefore, the only card data affected are the holders' names.
ModPipe consists of a 32/64-bit dropper, a loader and the main payload, which creates a "pipe" used to connect to other malicious modules while also allowing communication between the malware and a C2 server.
ModPipe can also download additional malicious modules from the attacker's command-and-control (C2) server.
ESET has discovered some of these modules:
- GetMicInfo: contains the custom algorithm that monitors and decrypts database passwords.
- ModScan 2.20: collects PoS information by scanning IP addresses.
- ProcList: monitors running processes.
Most PoS malware attempts to gain access to guest or customer payment card data, as this is the most valuable information a PoS device processes. Therefore, there would have to be a module to decrypt this data. ESET says such a module may exist but has not yet been found.
Researchers have not yet figured out how the malware is distributed. However, most infections have been detected in the USA.