ModPipe Malware

ModPipe Malware Description

ModPipe is a new strain of malware that targets Point-of-Sale (PoS) devices and is capable of extracting several types of data from them. Although the malware has been designed to affect only a single management software suite - Oracle Micros Restaurant Enterprise Series (RES) 3700 - that is potentially enough to compromise hundreds of thousands of organizations in the hospitality sector. Indeed, Oracle describes the RES 3700 as the "most widely installed restaurant management software in the industry today." The software can manage a wide range of services such as loyalty programs, mobile payments, PoS devices, reports, promotions and inventory.

The hackers behind ModPipe appear to have extremely deep knowledge of the management software, as evidenced by the fact that the ModPipe Malware carries a custom-built algorithm capable of extracting RES 3700 PoS database passwords from the Windows Registry.

The ModPipe Malware has a modular structure that consists of a dropper - either 32-bit or 64-bit, depending on the compromised device - a first-stage loader, and the actual malware payload. Communication between the different modules and the Command-and-Control infrastructure is facilitated by creating a 'pipe.' Upon execution, ModPipe can harvest content from PoS databases, including status labels, certain details about PoS transactions, specifics about the system configuration, etc. What the malware cannot obtain, however, due to the encryption implemented by RES 3700, are credit card numbers and expiration dates.

Researchers have managed to identify several of the modules used by ModPipe: the custom algorithm that intercepts and decrypts RES 3700 database passwords is contained in a module named 'GetMicInfo,' PoS information gathering through IP scanning is performed by 'ModScan 2.20,' while the current list of processes running on the compromised device is monitored by 'ProcList.' It should be noted that the threatening capabilities of ModPipe could be further expanded or augmented through the download of additional malware modules.
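The behaviours described above (modules talking over a named pipe, and a password-extraction module reading RES 3700 credentials from the Windows Registry) are the observable points a defender can correlate in endpoint telemetry. The following is an added detection example, not code from the original write-up or from any vendor: it triages constructed events shaped loosely like Sysmon (EventID 1 process create, 17 pipe created, 18 pipe connected) and Windows Security auditing (EventID 4663 object access) and flags an image that both creates a named pipe outside an allowlist and touches the credential key. The registry path `RES3700_CREDENTIAL_KEY_PLACEHOLDER`, the pipe names, the process paths and the allowlist are all assumptions made for the example; the real RES 3700 key path is not given on this page.

```python
"""Correlate constructed endpoint events for ModPipe-style module/pipe activity."""
from collections import defaultdict

# Placeholder for the RES 3700 credential key path (the real path is not on the page).
RES3700_CREDENTIAL_KEY_PLACEHOLDER = r"\REGISTRY\MACHINE\SOFTWARE\RES3700_CREDENTIAL_KEY_PLACEHOLDER"

# Assumed allowlist of images that legitimately create named pipes on this host.
PIPE_CREATOR_ALLOWLIST = {
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\system32\lsass.exe",
}

# Constructed sample events; none of this is real ModPipe telemetry.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\svchost.exe"},
    {"EventID": 17, "Image": r"C:\Windows\System32\svchost.exe", "PipeName": r"\lsarpc-demo"},
    {"EventID": 1, "Image": r"C:\ProgramData\svc\updater.exe"},          # constructed dropper path
    {"EventID": 17, "Image": r"C:\ProgramData\svc\updater.exe", "PipeName": r"\demo-pipe-1"},
    {"EventID": 18, "Image": r"C:\ProgramData\svc\loader.exe", "PipeName": r"\demo-pipe-1"},
    {"EventID": 4663, "ProcessName": r"C:\ProgramData\svc\updater.exe",
     "ObjectName": RES3700_CREDENTIAL_KEY_PLACEHOLDER + r"\Database"},
    {"EventID": 4663, "ProcessName": r"C:\Windows\System32\svchost.exe",
     "ObjectName": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion"},
]


def triage(events):
    """Return {image: sorted list of reasons} for every image with at least one finding."""
    findings = defaultdict(set)
    pipe_owner = {}  # PipeName -> image that created it (EventID 17 precedes 18)
    for ev in events:
        eid = ev["EventID"]
        if eid == 17:
            image = ev["Image"]
            pipe_owner[ev["PipeName"]] = image
            if image.lower() not in PIPE_CREATOR_ALLOWLIST:
                findings[image].add("creates named pipe outside allowlist")
        elif eid == 18:
            creator = pipe_owner.get(ev["PipeName"])
            # A second image attaching to the pipe matches the module hand-off pattern.
            if creator is not None and creator.lower() != ev["Image"].lower():
                findings[creator].add("pipe connected from another image: " + ev["Image"])
        elif eid == 4663:
            if ev["ObjectName"].upper().startswith(RES3700_CREDENTIAL_KEY_PLACEHOLDER.upper()):
                findings[ev["ProcessName"]].add("reads RES 3700 credential key (placeholder path)")
    return {image: sorted(reasons) for image, reasons in findings.items()}


def suspicious_images(findings, threshold=2):
    """Images with at least `threshold` independent findings, sorted for stable output."""
    return sorted(image for image, reasons in findings.items() if len(reasons) >= threshold)


if __name__ == "__main__":
    results = triage(SAMPLE_EVENTS)
    for image, reasons in results.items():
        print(image, "->", "; ".join(reasons))
    print("suspicious:", suspicious_images(results))
```

Two points about using this for real: Sysmon only records pipe events (17/18) when its configuration includes a `PipeEvent` rule, and Windows only emits 4663 for a registry key that has a SACL applied and the Object Access (Registry) audit subcategory enabled; without those, the correlation has nothing to read. The threshold requires two distinct behaviours so that a single unusual pipe from a legitimate but unlisted program does not fire on its own.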