Pierluigi Paganini November 12, 2020

Cybersecurity researchers spotted a new modular PoS malware, dubbed ModPipe, that targets PoS restaurant management software from Oracle.

ESET researchers discovered a new modular backdoor, dubbed ModPipe, that was designed to target PoS systems running ORACLE MICROS Restaurant Enterprise Series (RES) 3700, which is a management suite widely used in restaurant and hospitality sectors.

The backdoor outstands for its modular structure that allows implementing advanced capabilities. ESET has been aware of the existence of modules since the end of 2019 when its experts first spotted the “basic” components of the malware. One of the modules analyzed by the experts, named GetMicInfo, implements an algorithm that allows operators to gather database passwords by decrypting them from Windows registry values. 

“What makes the backdoor distinctive are its downloadable modules and their capabilities, as it contains a custom algorithm designed to gather RES 3700 POS database passwords by decrypting them from Windows registry values.” reads the analysis published by ESET. “This shows that the backdoor’s authors have deep knowledge of the targeted software and opted for this sophisticated method instead of collecting the data via a simpler yet “louder” approach, such as keylogging.”

The credentials exfiltrated by ModPipe allow operators to access database contents, including various definitions and configuration, status tables, and information about POS transactions.

Although financial data, such as credit card numbers and expiration dates, are protected by encryption implemented in RES 3700 POS systems, threat actors could use another downloadable module to decrypt the contents of the database.

“According to the documentation, to achieve this the attackers would have to reverse engineer the generation process of the “site-specific passphrase”, which is used to derive the encryption key for sensitive data. This process would then have to be implemented into the module and – due to use of the Windows Data Protection API (DPAPI) – executed directly on the victim’s machine.” continues the analysis.

The modular architecture of ModPipe consists of the basic components and downloadable modules:

1. initial dropper that contains binaries (both 32-bit and 64-bit) of the next stage persistent loader and installs the appropriate version to the compromised machine.
2. persistent loader unpacks and loads the next stage of the main module.
3. main module is the core component that performs the main functionality of the malware. It creates a pipe used for communication with other malicious modules, un/installs these modules and serves as a dispatcher that handles communication between the modules and attacker’s C&C server.
4. networking module is used for communication with C&C.
5. downloadable modules are those components designed to add specific functionality to the backdoor, such as the ability to steal database passwords and configuration information, scan specific IP addresses or acquire a list of the running processes and their loaded modules.

Other modules detailed by ESET are “ModScan 2.20,” that is used to collect additional information about the installed POS system (e.g., version, database server data), and “Proclist” that gathers details about currently running processes.

“ModPipe’s architecture, modules and their capabilities also indicate that its writers have extensive knowledge of the targeted RES 3700 POS software,” the researchers concludes. “The proficiency of the operators could stem from multiple scenarios, including stealing and reverse engineering the proprietary software product, misusing its leaked parts or buying code from an underground market.”

The report published by ESET also includes Indicators of Compromise (IoCs).

Pierluigi Paganini

(SecurityAffairs – hacking, PoS malware)

[adrotate banner=”5″]

[adrotate banner=”13″]