Cybersecurity researchers spotted a new modular PoS malware, dubbed ModPipe, that targets PoS restaurant management software from Oracle.
ESET researchers discovered a new modular backdoor, dubbed ModPipe, that was designed to target PoS systems running ORACLE MICROS Restaurant Enterprise Series (RES) 3700, a management suite widely used in the restaurant and hospitality sectors.
The backdoor stands out for its modular architecture, which allows it to implement advanced capabilities. ESET has been aware of the existence of the modules since the end of 2019, when its experts first spotted the “basic” components of the malware. One of the modules analyzed by the experts, named GetMicInfo, implements an algorithm that allows operators to gather database passwords by decrypting them from Windows registry values.
“What makes the backdoor distinctive are its downloadable modules and their capabilities, as it contains a custom algorithm designed to gather RES 3700 POS database passwords by decrypting them from Windows registry values.” reads the analysis published by ESET. “This shows that the backdoor’s authors have deep knowledge of the targeted software and opted for this sophisticated method instead of collecting the data via a simpler yet “louder” approach, such as keylogging.”
The credentials exfiltrated by ModPipe allow operators to access database contents, including various definitions and configuration, status tables, and information about POS transactions.
Although financial data, such as credit card numbers and expiration dates, are protected by encryption implemented in RES 3700 POS systems, threat actors could use another downloadable module to decrypt the contents of the database.
“According to the documentation, to achieve this the attackers would have to reverse engineer the generation process of the “site-specific passphrase”, which is used to derive the encryption key for sensitive data. This process would then have to be implemented into the module and – due to use of the Windows Data Protection API (DPAPI) – executed directly on the victim’s machine.” continues the analysis.
The modular architecture of ModPipe consists of the basic components and downloadable modules:
- initial dropper that contains binaries (both 32-bit and 64-bit) of the next-stage persistent loader and installs the appropriate version on the compromised machine.
- persistent loader that unpacks and loads the next stage, the main module.
- main module, the core component that performs the main functionality of the malware. It creates a pipe used for communication with the other malicious modules, un/installs these modules and serves as a dispatcher that handles communication between the modules and the attacker’s C&C server.
- networking module that is used for communication with the C&C.
- downloadable modules, the components designed to add specific functionality to the backdoor, such as the ability to steal database passwords and configuration information, scan specific IP addresses or acquire a list of the running processes and their loaded modules.
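The module behaviours listed above (a main module that opens a named pipe, a module that reads database credentials from POS registry values, a module that sweeps IP addresses) can be turned into a simple host-based correlation. The following is an added example for defenders, not code from ESET or from this article; the event schema, the process images, the pipe name and the registry path are all constructed placeholders, since the report's real IoCs are not reproduced here.

```python
# Added example: correlate constructed endpoint events into one alert per process.
# A single behaviour (e.g. the legitimate POS service reading its own registry
# keys) is not enough; a process must show at least two of the three behaviours.
from collections import defaultdict

# PLACEHOLDER: the real RES 3700 registry location is not given in the article.
POS_REG_PREFIX = r"HKLM\SOFTWARE\POS_VENDOR_PLACEHOLDER\RES3700"

# Constructed telemetry: (pid, image, kind, detail). Not real log data.
SAMPLE_EVENTS = [
    (4120, r"C:\Micros\Res\pos.exe", "registry_read", POS_REG_PREFIX + r"\DbUser"),
    (9000, r"C:\Windows\System32\svchost.exe", "pipe_create", r"\\.\pipe\example_sys"),
    (7331, r"C:\Users\Public\svc.exe", "pipe_create", r"\\.\pipe\constructed_pipe"),
    (7331, r"C:\Users\Public\svc.exe", "registry_read", POS_REG_PREFIX + r"\DbPassword"),
] + [
    # one suspicious process touching several internal hosts on the same port
    (7331, r"C:\Users\Public\svc.exe", "net_connect", f"10.0.0.{n}:1433")
    for n in range(10, 16)
]


def correlate(events, reg_prefix=POS_REG_PREFIX, scan_threshold=5):
    """Return {pid: (image, behaviours)} for processes with >= 2 behaviours."""
    state = defaultdict(lambda: {"image": None, "pipe": False, "reg": False, "dst": set()})
    for pid, image, kind, detail in events:
        p = state[pid]
        p["image"] = image
        if kind == "pipe_create":
            p["pipe"] = True
        elif kind == "registry_read" and detail.lower().startswith(reg_prefix.lower()):
            p["reg"] = True                      # credential material under the POS key
        elif kind == "net_connect":
            p["dst"].add(detail.rsplit(":", 1)[0])  # distinct destination hosts
    hits = {}
    for pid, p in state.items():
        found = set()
        if p["pipe"]:
            found.add("named_pipe")
        if p["reg"]:
            found.add("pos_registry_read")
        if len(p["dst"]) >= scan_threshold:
            found.add("ip_sweep")
        if len(found) >= 2:
            hits[pid] = (p["image"], found)
    return hits


if __name__ == "__main__":
    for pid, (image, found) in correlate(SAMPLE_EVENTS).items():
        print(f"pid {pid} {image}: {sorted(found)}")
```

Only the constructed process 7331 is reported; the POS service (one registry read) and the system process (one pipe) each show a single behaviour and stay quiet.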
Other modules detailed by ESET are “ModScan 2.20,” which is used to collect additional information about the installed POS system (e.g., version, database server data), and “Proclist,” which gathers details about currently running processes.
“ModPipe’s architecture, modules and their capabilities also indicate that its writers have extensive knowledge of the targeted RES 3700 POS software,” the researchers conclude. “The proficiency of the operators could stem from multiple scenarios, including stealing and reverse engineering the proprietary software product, misusing its leaked parts or buying code from an underground market.”
The report published by ESET also includes Indicators of Compromise (IoCs).
(SecurityAffairs – hacking, PoS malware)