Cyberattackers Serve Up Custom Backdoor for Oracle Restaurant Software

modpip oracle pos backdoor

The modular malware is highly sophisticated but may not be able to capture credit-card info.

ModPipe, a previously unknown backdoor, has been purpose-built to attack restaurant point-of-sale (PoS) solutions from Oracle. It’s notable for its unusual sophistication, according to researchers, evidenced by its multiple modules.

The code is specifically taking aim at the Oracle MICROS Restaurant Enterprise Series (RES) 3700 POS – a management software suite used by hundreds of thousands of bars, restaurants, hotels and other hospitality establishments worldwide, according to ESET. The attacks have mainly been in the U.S., researchers said – though the initial infection vector is unknown.

One of the malware’s downloadable modules, called GetMicInfo, is particularly distinctive, the firm noted. It sniffs out and exfiltrates credentials that allow ModPipe’s operators to access database contents, including various definitions and configuration data, status tables and information about PoS transactions.

“[It] contains an algorithm designed to gather database passwords by decrypting them from Windows registry values,” researchers explained in a Thursday blog post. “This shows that the backdoor’s authors have deep knowledge of the targeted software and opted for this sophisticated method instead of collecting the data via a simpler yet ‘louder’ approach, such as keylogging.”

That said, the database info that the module lifts wouldn’t include the plum data prize: Credit-card numbers and expirations.

“The only customer data stored in the clear and thus available to the attackers should be cardholder names,” ESET noted. “This would limit the amount of valuable information viable for further sale or misuse, making the full business model behind the operation unclear. One possible explanation is that another downloadable module exists that allows the malware operators to decrypt the more sensitive data in the user’s database.”

ModPipe is multi-stage, starting with an initial dropper. The dropper in turn installs a persistent loader on the compromised machine. This in turn unpacks and loads in the main module.

The main module creates a pipe used for communication with other malicious modules (hence the malware’s name). It’s responsible for implementing these, and also handles the connection to the attackers’ command-and-control (C2) server. Meanwhile, a networking module performs the actual communication with the C2.

“Responses from the C2 server have to be at least 33-bytes long in order to be parsed by the networking module and the malicious payload is located after a sequence of 13 spaces followed by an HTML comment opening tag,” according to ESET.

Then there’s a range of other downloadable modules for adding specific functionality to the backdoor. In addition to the aforementioned info-stealer, two that are known can scan specific IP addresses or acquire a list of the running processes on the target.

“In April 2020, after a couple of months of hunting, we found three of these modules in the wild,” researchers explained. “Our research also suggests that the operators use at least four other downloadable modules, whose functionality remains completely unknown to us for now.”

ModPipe shows quite a few interesting features,” researchers said. “ModPipe’s architecture, modules and their capabilities also indicate that its writers have extensive knowledge of the targeted RES 3700 POS software. The proficiency of the operators could stem from multiple scenarios, including stealing and reverse-engineering the proprietary software product, misusing its leaked parts or buying code from an underground market.”

2020 Healthcare Cybersecurity Priorities: Data Security, Ransomware and Patching

Hackers Put Bullseye on Healthcare: On Nov. 18 at 2 p.m. EDT find out why hospitals are getting hammered by ransomware attacks in 2020. Save your spot for this FREE webinar on healthcare cybersecurity priorities and hear from leading security voices on how data security, ransomware and patching need to be a priority for every sector, and why. Join us Wed., Nov. 18, 2-3 p.m. EDT for this LIVE, limited-engagement webinar.

 

Suggested articles

plugX malware loader TA416

TA416 APT Rebounds With New PlugX Malware Variant

The TA416 APT has returned in spear phishing attacks against a range of victims – from the Vatican to diplomats in Africa – with a new Golang version of its PlugX malware loader.

Discussion

Leave A Comment

 

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.