ModPipe Malware Steals Sensitive Information from Oracle POS Software

A new malware called ModPipe targets devices used by thousands of organizations in the hospitality industry, researchers warn.

ESET researchers found ModPipe, a modular backdoor for collecting sensitive information, in the Oracle Micros Restaurant Enterprise Series (RES) 3700 PoS devices, a management software suite used by thousands of bars, restaurants, hotels and other hospitality establishments worldwide.

Researchers told the blog that ModPipe operators probably have a thorough knowledge of the software because the malware contains a GetMicInfo user algorithm that is used to collect passwords for the RES 3700 POS database by deciphering them from the values in the Windows registry.

Due to the RES 3700 POS documentation, attackers are unwilling to access sensitive information such as credit card numbers and expiration dates protected by encryption. The only customer data stored and thus accessible to attackers should be cardholder names.

To achieve this, attackers need to reconsider the process of generating a passphrase code for a particular site, which is used to obtain a key to encrypt sensitive data – watch the researchers. In this case, this process must be implemented in the module using the Windows Data Protection API (DPAPI), which runs directly on the victim’s computer.


ModPipe uses a modular architecture consisting of, for example, basic components and load-bearing modules:

  1. ┬áThe first dropper – contains the 32-bit and 64-bit binaries of the next level – Constant Loader – and installs an acceptable version on the compromised machine.
  2. Permanent loader – unpacks and loads the next level of malware, namely the main module.
  3. Main module – performs most of the malware functions. It creates a channel used to communicate with other malicious modules, removes/installs these modules and is the dispatcher who manages the communication between the modules and thus the attacker’s C&C server.
  4. Network module – the module used for communication with C&C.
  5. Downloadable modules – components that expand the back door functionally, such as the ability to steal database passwords and configuration information, scan specific IP addresses or obtain an inventory of running processes and downloaded modules.


In order to keep operators under control, it is recommended that potential victims in the hotel sector and other businesses using the RES 3700 site should be kept under control:

  • Use the latest version of the software.
  • Use it on devices with updated operating systems and software.
  • Use reliable, multi-layered security software that detects ModPipe and similar threats.

Also read

RATicate – a group of hackers launches a program to steal information using the remote management program.

FinSpy malware attacking iOS and Android devices to steal personal information

Related Tags: