ModPipe threatens POS

ModPipe is a new kind of modular backdoor that targets point-of-sale (POS) restaurant management software from Oracle in an attempt to pilfer sensitive payment information stored on the devices.

The backdoor has specialised modules with an algorithm that recovers database passwords by decrypting them from registry values.

Exfiltrated credentials give ModPipe’s operators access to database contents, including various definitions and configuration data, status tables, and information about POS transactions.

The actor behind the attacks could be in possession of a second downloadable module to decrypt the contents of the database.

New ModPipe Point of Sale (POS) Malware Targeting Restaurants, Hotels

The ModPipe infrastructure consists of an initial dropper that’s used to install a persistent loader, which then unpacks and loads the next-stage payload — the main malware module that’s used to establish communications with other “downloadable” modules and the command-and-control (C2) server via a standalone networking module.

The downloadable modules include “GetMicInfo,” a component that can intercept and decrypt database passwords using a special algorithm that may have been obtained through reverse engineering.

A second module called “ModScan 2.20” is devoted to collecting additional information about the installed POS system while another module by the name of “Proclist” gathers details about currently running processes.
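The chain described above (a module that reads an encrypted database credential out of the registry, then hands it to a networking module that talks to C2) is the kind of behaviour a defender can correlate from endpoint telemetry. The following is an added detection example, not code from the article or from the researchers, and it works over constructed events: the registry value path, the allowlisted POS binary and the host names are placeholders, not ModPipe indicators, and would be replaced with values from your own deployment.

```python
"""Correlate 'sensitive registry value read' with a subsequent outbound
connection from the same process. Events and paths are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    ts: datetime
    pid: int
    image: str     # full path of the process image
    kind: str      # "reg_read" or "net_connect"
    detail: str    # registry value path, or "host:port" for net_connect


# PLACEHOLDER: the registry location of the encrypted POS database credential.
# The article does not give it; fill this in from your own POS installation.
SENSITIVE_VALUE_PREFIX = "HKLM\\SOFTWARE\\POS-VENDOR-PLACEHOLDER\\"
# PLACEHOLDER: images that are expected to read that value legitimately.
ALLOWED_READERS = {"c:\\pos-placeholder\\pos.exe"}


def correlate(events, window=timedelta(minutes=10)):
    """Return one alert per process that (1) reads the sensitive registry value
    while not on the allowlist and (2) opens an outbound connection within
    `window` of that read. Events may arrive unordered; they are sorted by time."""
    pending = {}   # pid -> the suspicious reg_read Event
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "reg_read":
            if (ev.detail.upper().startswith(SENSITIVE_VALUE_PREFIX.upper())
                    and ev.image.lower() not in ALLOWED_READERS):
                pending[ev.pid] = ev          # remember the most recent read
        elif ev.kind == "net_connect" and ev.pid in pending:
            read = pending[ev.pid]
            gap = ev.ts - read.ts
            if gap <= window:
                alerts.append({
                    "pid": ev.pid,
                    "image": ev.image,
                    "registry_value": read.detail,
                    "destination": ev.detail,
                    "seconds_between": gap.total_seconds(),
                })
                del pending[ev.pid]           # one alert per read
    return alerts


# Constructed sample telemetry (not real logs).
T0 = datetime(2020, 11, 12, 9, 0, 0)
VALUE = "HKLM\\SOFTWARE\\POS-VENDOR-PLACEHOLDER\\DbPassword"
SAMPLE_EVENTS = [
    # Allowlisted POS binary reads its own credential and talks to the DB: no alert.
    Event(T0, 1001, "C:\\POS-PLACEHOLDER\\pos.exe", "reg_read", VALUE),
    Event(T0 + timedelta(seconds=5), 1001, "C:\\POS-PLACEHOLDER\\pos.exe",
          "net_connect", "10.0.0.5:5000"),
    # Unknown binary reads the value, then connects out two minutes later: alert.
    Event(T0 + timedelta(minutes=1), 4242, "C:\\Users\\Public\\update.exe",
          "reg_read", VALUE),
    Event(T0 + timedelta(minutes=3), 4242, "C:\\Users\\Public\\update.exe",
          "net_connect", "203.0.113.7:443"),
    # Unknown binary reads the value but connects out an hour later: outside window.
    Event(T0 + timedelta(minutes=5), 5151, "C:\\Temp\\upd.exe", "reg_read", VALUE),
    Event(T0 + timedelta(minutes=70), 5151, "C:\\Temp\\upd.exe",
          "net_connect", "198.51.100.9:8080"),
]


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

The correlation window is the tunable part: ModPipe's networking module is a separate component, so the read and the outbound connection need not come from the same process in every deployment; widening the join to the parent process, or to any process loaded from the same directory, is the natural next step once you have real telemetry.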

“ModPipe’s architecture, modules and their capabilities also indicate that its writers have extensive knowledge of the targeted RES 3700 POS software,” the researchers said. “The proficiency of the operators could stem from multiple scenarios, including stealing and reverse engineering the proprietary software product, misusing its leaked parts or buying code from an underground market.” Operators are advised to update the OS on systems running RES 3700.
