A new, modular point-of-sale (POS) malware named ModPipe specifically targets Oracle’s MICROS RES (Restaurant Enterprise Series) 3700 POS, which Oracle describes as “the most widely installed restaurant management software in the industry today.” The malware could target hundreds of thousands of hotels, restaurants and bars worldwide.

What Is It?

Discovered by Eset researchers, the malware shows evidence of in-depth knowledge by the attackers into the POS software they are targeting.  The attack vector used to compromise the POS systems is currently unknown.

According to researchers ModPipe utilizes modules to steal passwords for the system’s databases which could lead to extraction of sensitive data. The first module, an initial dropper component contains both 32-bit and 64-bit versions of the next module, the loader. The loader is persistent, meaning it survives reboots of the infected system. It then unpacks and loads the main ModPipe module.

An additional standalone module enables network communication with ModPipe’s C2 (command and control) server to pass commands to the main module. Data is passed between the modules using a shared-memory method known as “pipes.” The combination of modules and pipes gives ModPipe its name. ModPipe is also extensible via downloadable modules, a technique used by various malware variants, particularly remote access trojans (RATs).

Eset researchers first discovered the downloadable module in late 2019 and later identified three modules by April 2020: ProcList, ModScan and GetMicInfo. ProcList extracts information about currently executing processes on the infected system. ModScan 2.20 scans specified IP addresses and extracts information regarding the MICROS RES 3700 POS installation. GetMicInfo gathers and decrypts the POS software’s database passwords. Rather than use keylogging to obtain passwords, ModPipe’s authors created custom code, which may have required them to reverse engineer the POS software’s password encryption component. Or, they may have obtained this knowledge as the result of a 2016 data breach that impacted Oracle’s MICROS RES division. Access to the database’s passwords opens up point of sale transactions, including cardholder names. Card and expiry data are located in the same database but in a different table, secured by an additional method of encryption. Because of this, Eset researchers believe that there may be an additional decryption module used to access that data.

How Does It Propagate?

Researchers have not yet determined the attack vector that results in the compromise of the POS systems. The malware does not contain the necessary code to self-propagate.

When/How Did BluVector Detect It?

Five samples are publicly available and BluVector’s patented Machine Learning Engine (MLE) detected them all. Regression testing has shown the samples would have been detected an average of 60 months prior to their release.