Backdoor attacks Oracle's POS system

Eset_News


ESET analysis: Backdoor ModPipe infiltrates targeted Oracle POS system. Malicious program attacks popular POS system for restaurants.

Cyber criminals have targeted the ORACLE MICROS Restaurant Enterprise Sales (RES) 3700 Point-of-Sale (POS) cash register systems with the ModPipe backdoor. The system is a widespread management software suite; hundreds of thousands of installations are in use in hospitality businesses such as bars, restaurants and hotels. ModPipe has a modular structure and can be flexibly adapted to the environment it lands in. After a successful infection, the attackers gain access to confidential information such as the operator's personal data or transaction data. The ESET researchers have now published their extensive analysis on WeLiveSecurity.

Backdoor has a modular structure

"The structure of ModPipe indicates that the developers behind the malicious program have extensive knowledge of the RES 3700 POS system," explains ESET researcher Martin Smolár, who discovered ModPipe. "We found and analyzed its basic components for the first time in 2019. These have obviously been improved."

What makes the backdoor so special are the downloadable modules. ModPipe contains a custom algorithm that collects RES 3700 POS database passwords. To do this, it decrypts Windows registry values. This underlines the attackers' deep knowledge of the POS system: they chose such a sophisticated method instead of collecting the data through a simpler, but also more conspicuous, approach such as keylogging. The extracted log-in data enables the operators behind the malicious program to access database content, including various configurations, status tables and information about POS transactions. However, with the ModPipe variant that has been analyzed, the attackers do not gain access to sensitive data such as credit card numbers and expiration dates, because this information is additionally protected by encryption. The attackers' goal therefore remains unclear, since they obtain little valuable information this way. The ESET researchers suspect that another downloadable module exists that allows the criminals to decrypt the more sensitive data.

What users of the POS system should do

To keep the operators behind ModPipe at bay, those affected in the hospitality industry, as well as all other businesses using the RES 3700 POS, are advised to:

  • Install the latest version of the POS software.
  • Keep the operating system and all other software installed on the devices in use up to date at all times.
  • Use reliable, multi-layered security software that detects ModPipe and similar threats.


More on this at WeLiveSecurity at ESET.com