A new modular backdoor, dubbed ModPipe, targets Oracle's point-of-sale (POS) restaurant management software in an attempt to pilfer sensitive payment information stored on the devices.
The backdoor has a specialised module with an algorithm that reads database passwords by decrypting them from registry values.
Exfiltrated credentials give ModPipe's operators access to database contents, including various definitions and configuration data, status tables and information about POS transactions.
The actor behind the attacks could be in possession of a second downloadable module to decrypt the contents of the database.
The ModPipe infrastructure consists of an initial dropper that installs a persistent loader, which then unpacks and loads the next-stage payload: the main malware module, which establishes communications with the other "downloadable" modules and with the command-and-control (C2) server via a standalone networking module.
The downloadable modules include "GetMicInfo," a component that can intercept and decrypt database passwords using a special algorithm, one that could have been obtained by reverse engineering the software.
A second module called "ModScan 2.20" collects additional information about the installed POS system, while another module named "Proclist" gathers details about currently running processes.
"ModPipe's architecture, modules and their capabilities also indicate that its writers have extensive knowledge of the targeted RES 3700 POS software," the researchers said. "The proficiency of the operators could stem from multiple scenarios, including stealing and reverse engineering the proprietary software product, misusing its leaked parts or buying code from an underground market."
Operators are advised to update the OS on systems running RES 3700.