ESET researchers discovered a new modular backdoor, dubbed ModPipe, that was designed to target PoS systems running ORACLE MICROS Restaurant Enterprise Series (RES) 3700, which is a management suite widely used in restaurant and hospitality sectors.
The backdoor outstands for its modular structure that allows implementing advanced capabilities. ESET has been aware of the existence of modules since the end of 2019 when its experts first spotted the “basic” components of the malware. One of the modules analyzed by the experts, named GetMicInfo, implements an algorithm that allows operators to gather database passwords by decrypting them from Windows registry values.
“What makes the backdoor distinctive are its downloadable modules and their capabilities, as it contains a custom algorithm designed to gather RES 3700 POS database passwords by decrypting them from Windows registry values.” reads the analysis published by ESET. “This shows that the backdoor’s authors have deep knowledge of the targeted software and opted for this sophisticated method instead of collecting the data via a simpler yet “louder” approach, such as keylogging.”
The credentials exfiltrated by ModPipe allow operators to access database contents, including various definitions and configuration, status tables, and information about POS transactions.
Although financial data, such as credit card numbers and expiration dates, are protected by encryption implemented in RES 3700 POS systems, threat actors could use another downloadable module to decrypt the contents of the database.
“According to the documentation, to achieve this the attackers would have to reverse engineer the generation process of the “site-specific passphrase”, which is used to derive the encryption key for sensitive data. This process would then have to be implemented into the module and – due to use of the Windows Data Protection API (DPAPI) – executed directly on the victim’s machine.” continues the analysis.
The modular architecture of ModPipe consists of the basic components and downloadable modules:
Other modules detailed by ESET are “ModScan 2.20,” that is used to collect additional information about the installed POS system (e.g., version, database server data), and “Proclist” that gathers details about currently running processes.
“ModPipe’s architecture, modules and their capabilities also indicate that its writers have extensive knowledge of the targeted RES 3700 POS software,” the researchers concludes. “The proficiency of the operators could stem from multiple scenarios, including stealing and reverse engineering the proprietary software product, misusing its leaked parts or buying code from an underground market.”
The report published by ESET also includes Indicators of Compromise (IoCs).
(SecurityAffairs – hacking, PoS malware)