New ModPipe malware targets hospitality, hotel point of sale systems
A new Point-of-Sale (PoS) malware is targeting devices used by “hundreds of thousands” of organizations in the hospitality sector, researchers have warned.
Dubbed ModPipe, the malware is a backdoor able to harvest sensitive information in PoS devices running Oracle Micros Restaurant Enterprise Series (RES) 3700, management software that is particularly popular in the United States.
RES 3700 is described by Oracle as the “most widely installed restaurant management software in the industry today.” The software suite is used to manage PoS, loyalty programs, reporting, inventory, promotions, and mobile payment.
On Thursday, ESET researchers said in a blog post that the operators of ModPipe likely have a “deep knowledge” of the software, as the malware contains a custom algorithm designed to harvest RES 3700 PoS database passwords by decrypting them from Windows registry values.
This direct, targeted approach contrasts with the usual PoS malware method, in which “noisy” keylogging and memory-scraping of card data are common.
Alternatively, it may be that the cyberattackers were able to steal the software and reverse-engineer the code following a 2016 data breach at Oracle’s PoS division.
Once executed on a PoS device, ModPipe will access database contents, including system configuration, status tables, and some PoS data concerning transactions — but it does not seem that in its basic state, the malware is able to grab credit card numbers or expiry dates.
According to the researchers, this sensitive information is protected by encryption standards implemented by RES 3700 — and so the only payment card-related data threat actors will be able to access is cardholder names.
ModPipe’s modular architecture comprises a 32/64-bit dropper, a loader, and the main payload, which creates a “pipe” used to connect with other malicious modules and serves as the dispatch point for communication between those modules and the command-and-control (C2) server.
ModPipe is also able to download additional modules from an attacker’s command-and-control (C2) server to extend its malicious capabilities.
The modules found by ESET so far include GetMicInfo, which contains the custom algorithm and uses it to intercept and decrypt database passwords; ModScan 2.20, which gathers PoS information by scanning IP addresses; and ProcList, which monitors running processes.
The majority of PoS malware homes in on guest or customer payment card data, as this is the most valuable information a PoS device will process. Without a module to grab and decrypt this information, ESET says the operators’ business model remains “unclear.”
However, it should be noted that there may be such a module and it just hasn’t been found — yet.
“To achieve this the attackers would have to reverse engineer the generation process of the ‘site-specific passphrase,’ which is used to derive the encryption key for sensitive data,” the researchers note. “This process would then have to be implemented into the module and — due to use of the Windows Data Protection API (DPAPI) — executed directly on the victim’s machine.”
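The DPAPI constraint the researchers describe is the reason a card-data module could not simply be run offline: a DPAPI blob is bound to the master key of the machine (or user) that protected it, so decryption has to happen on the victim host. The PowerShell snippet below is an added illustration of that property, not code from ESET, Oracle, or the malware; the passphrase, the optional entropy value and the protection scope are constructed assumptions, and nothing in it reflects real RES 3700 values or registry locations.

```powershell
# Added example: DPAPI-protected data can only be unprotected on the host (and,
# for CurrentUser scope, by the account) that protected it. Requires Windows.
Add-Type -AssemblyName System.Security

$scope = [System.Security.Cryptography.DataProtectionScope]::LocalMachine

# Constructed stand-in for a "site-specific passphrase"; not a real RES 3700 value.
$plain   = [System.Text.Encoding]::UTF8.GetBytes('example-site-passphrase')
# Hypothetical application-supplied entropy; an application may also pass $null.
$entropy = [System.Text.Encoding]::UTF8.GetBytes('optional-app-entropy')

function Protect-Secret {
    param([byte[]]$Data, [byte[]]$Entropy, $Scope)
    # Wraps the data with the local DPAPI master key for the chosen scope.
    return [System.Security.Cryptography.ProtectedData]::Protect($Data, $Entropy, $Scope)
}

function Unprotect-Secret {
    param([byte[]]$Blob, [byte[]]$Entropy, $Scope)
    # Returns $null instead of throwing when the blob cannot be unwrapped here.
    try {
        return [System.Security.Cryptography.ProtectedData]::Unprotect($Blob, $Entropy, $Scope)
    } catch [System.Security.Cryptography.CryptographicException] {
        Write-Warning "Unprotect failed (wrong host, scope or entropy): $($_.Exception.Message)"
        return $null
    }
}

$blob = Protect-Secret -Data $plain -Entropy $entropy -Scope $scope
Write-Host ("Protected blob, {0} bytes: {1}" -f $blob.Length, [Convert]::ToBase64String($blob))

# Same host, same entropy: the original bytes come back.
$back = Unprotect-Secret -Blob $blob -Entropy $entropy -Scope $scope
Write-Host ("Recovered on this host: " + [System.Text.Encoding]::UTF8.GetString($back))

# Wrong entropy stands in for "wrong machine": the call fails. Copying $blob to
# another host fails the same way, because that host holds a different master key.
$null -eq (Unprotect-Secret -Blob $blob -Entropy $null -Scope $scope)
```

The last statement prints `True`, showing the failure path. The practical consequence for defenders is the one the researchers draw: any payment-data module would have to execute on the compromised RES 3700 host itself, so endpoint telemetry from those hosts (new processes, named pipes, registry reads by unexpected binaries) is where such a module would surface.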
It is not currently known how the malware is being distributed, but the team says that the majority of infections tracked are from the US.
ZDNet has reached out to Oracle and will update when we hear back.