Cybersecurity researchers today disclosed a new kind of modular backdoor that targets point-of-sale (POS) restaurant management software from Oracle in an attempt to pilfer sensitive payment information stored in the devices.
The backdoor — dubbed “ModPipe” — impacts Oracle MICROS Restaurant Enterprise Series (RES) 3700 POS systems, a widely used software suite in restaurants and hospitality establishments to efficiently handle POS, inventory, and labor management. A majority of the identified targets are primarily located in the US.
“What makes the backdoor distinctive are its downloadable modules and their capabilities, as it contains a custom algorithm designed to gather RES 3700 POS database passwords by decrypting them from Windows registry values,” ESET researchers said in an analysis.
“Exfiltrated credentials allow ModPipe’s operators access to database contents, including various definitions and configuration, status tables and information about POS transactions.”
It’s worth noting that details such as credit card numbers and expiration dates are protected behind encryption barriers in RES 3700, thus limiting the amount of valuable information viable for further misuse, although the researchers posit that the actor behind the attacks could be in possession of a second downloadable module to decrypt the contents of the database.
The ModPipe infrastructure consists of an initial dropper that’s used to install a persistent loader, which then unpacks and loads the next-stage payload — the main malware module that’s used to establish communications with other “downloadable” modules and the command-and-control (C2) server via a standalone networking module.
Chief among the downloadable modules include “GetMicInfo,” a component that can intercept and decrypt database passwords using a special algorithm, which ESET researchers theorize could have been implemented either by reverse-engineering the cryptographic libraries or by making use of the encryption implementation specifics obtained in the aftermath of a data breach at Oracle’s MICROS POS division in 2016.
A second module called “ModScan 2.20” is devoted to collecting additional information about the installed POS system (e.g., version, database server data), while another module by the name of “Proclist” gathers details about currently running processes.
“ModPipe’s architecture, modules and their capabilities also indicate that its writers have extensive knowledge of the targeted RES 3700 POS software,” the researchers said. “The proficiency of the operators could stem from multiple scenarios, including stealing and reverse engineering the proprietary software product, misusing its leaked parts or buying code from an underground market.”
Businesses in the hospitality sector that are using the RES 3700 POS are advised to update to the latest version of the software as well as use devices that run updated versions of the underlying operating system.