New POS Malware Targeting the Hospitality Sector

In a recently published blog post, ESET has revealed a new point-of-sale (POS) malware being used to target the already under pressure hospitality sector given the current impact the COVID-19 pandemic has had on the sector. POS Malware can be seen as any malicious program which can be installed on devices used by businesses to authorize transactions, typically bank card transactions. The goal of the malware is to steal financial information including credit card details to use to commit fraud or to be sold to other third parties.

Called ModPipe, the new malware strain can best be described as a modular backdoor that grants the attacker access to sensitive financial information. Researchers discovered the malware targeting devices running ORACLE MICROS Restaurant Enterprise Series (RES) 3700 POS. The device is primarily used within the hospitality sector as a management software suite used to process payments in bars, restaurants, hotels, and other hospitality establishments across the globe. What separates ModPipe from other POS Malware, such as the predicted to have been used in the Wawa card breach and the one used to steal data at gas stations across the US, is that it is capable of decrypting database passwords directly from the Windows registry. Most similar malware strains will use less stealthy methods to steal the data, like keyloggers.

ModPipe’s functions show that the developers had a unique understanding of the targeted device's software and processes. However, according to the targeted device’s documentation, the attackers should not be able to access sensitive financial data, such as credit card numbers, which is protected by layers of encryption. The only data that the malware seems to be able to access appears to be cardholder names. This has caused questions to be asked as to the “business model” of the attacker, as cardholder names are useless without card details and expiration dates for many fraudulent purposes down the road.

pos malware targeting hospitality sector

What may be the case, as the malware consists of several downloadable modules, one may exist or still be in development, that would be capable of stealing credit card data despite being protected by encryption. For this to be possible researchers noted,

“According to the documentation, to achieve this the attackers would have to reverse engineer the generation process of the “site-specific passphrase”, which is used to derive the encryption key for sensitive data. This process would then have to be implemented into the module and – due to use of the Windows Data Protection API (DPAPI) – executed directly on the victim’s machine. Another remaining unknown is ModPipe’s distribution method. The majority of the identified targets were from the United States, with indications that they were in the restaurant and hospitality sectors – the primary customers of RES 3700 POS.”

Modular Design

Given the modular design of the malware, it would not be a stretch of the imagination to assume a module is in development to steal the encrypted credit card data, rather than just the cardholder names encrypted and stored on the registry. In the wild, researchers discovered three modules that seemed to carry out the majority of the malware’s functionality. GetMicInfo, the most important of the three, is designed to steal database passwords, settings, and various other forms of data. The second module of note, ModScan, which runs scans to search for specific IP addresses. Lastly, ProcList, which enumerates running processes and their modules. Researchers have discovered four other modules, but their exact function is unknown.

Researchers still do not know how the malware compromises the POS systems. However, they figured out its architecture, which includes an initial dropper, a persistent loader, the main module, a networking module, and downloadable components. The initial dropper contains both 32bit and 64bit binaries to be used by the persistent loader that is used to unpack the main module. The main module contains the main functionality of the malware. It creates a pipe used for communication with other malicious modules, installs and uninstalls these modules, and handles communication between the modules and the attacker’s command and control server. Once the networking module is installed, the malware will begin to retrieve the downloadable modules which include the GetMicInfo module.

In concluding, researchers summarized the malware's functionality and potential goal as,

“ModPipe shows quite a few interesting features. Probably the most intriguing finding is the algorithm hidden in one of the backdoor’s modules, which was specifically designed to steal credentials by decrypting them from registry values. By acquiring the database passwords, the attackers gain broad access to sensitive information even though the most sensitive data stored in devices running RES 3700 POS should still be protected by encryption…ModPipe’s architecture, modules and their capabilities also indicate that its writers have extensive knowledge of the targeted RES 3700 POS software. The proficiency of the operators could stem from multiple scenarios, including stealing and reverse engineering the proprietary software product, misusing its leaked parts or buying code from an underground market.”

Questions needing Answers

As it currently stands researchers still do not know how the malware initially compromises POS systems and there are still four modules whose functionality is unknown. These will be answered in time as soon as more research is done. One of the main questions needing a definite answer is how the malware decrypts database passwords. Researchers believe that the threat actor may have reverse engineered the software for Oracle’s MICROS RES 3700 Restaurant POS System to understand how the passwords are encrypted and decrypted.

It is important to note that because this data can be accessed by the attacker, this does not mean the attacker has access to important credit card data mentioned above. The attacker may have also gained the information from a data breach that occurred in 2016 which impacted Oracle’s POS Division. This further opens the possibility that the information needed to decrypt the database passwords was simply bought from another threat actor on an underground hacker forum.

Regarding the 2016 breach as the possible source of the information, it is believed that a Russian cybercrime gang was known for targeting banks and retail businesses. The attackers managed to compromise a customer support portal for companies using Oracle’s MICROS point-of-sale credit card payment systems. At the time MICROS was one of the three most popular POS vendors globally. Oracle noted that MICROS systems were deployed on an estimated 200,000 food and beverage outlets, 100,000 retail sites, and more than 30,000 hotels. Commenting on the breach, Brian Krebs noted,

“This breach could be little more than a nasty malware outbreak at Oracle. However, the Carbanak Gang’s apparent involvement makes it unlikely the attackers somehow failed to grasp the enormity of access and power that control over the MICROS support portal would grant them. Indeed, Oracle’s own statement seems to suggest the company is concerned that compromised credentials for customer accounts at the MICROS support portal could be used to remotely administer — and, more importantly, to upload card-stealing malware to — some customer point-of-sale systems. The term “on-premise” refers to POS devices that are physically connected to cash registers at MICROS customer stores.”

Four years on the true impact of the 2016 breach may be felt if this is proved to be the source of the information used by the attacker behind ModPipe. These questions may seem academic at this point with the only information of substance being the analysis done by the researchers. Regardless, POS malware is a problem faced by the retail and hospital sector and should not be taken lightly. Businesses that have deployed ORACLE MICROS Restaurant Enterprise Series (RES) 3700 POS are advised to:

  • Use the latest version of the software.
  • Use it on devices that run an updated operating system and software.
  • Use reliable multi-layered security software that can detect ModPipe and similar threats.

The above recommendations will help prevent POS malware attacks from a variety of fronts, not just from ModPipe. While ModPipe still appears that it is under development and may be scaling up for an attack campaign where it is not just cardholder names that can be stolen.

▼ Show Discussion

About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps..

Author and general operator of PCrisk's "Removal Guides" section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has experience of over five years working in this branch. He attended KTU University and graduated with a degree in Software Development in 2017. Extremely passionate about technical aspects and behavior of various malicious applications. Contact Karolis Liucveikis.

PCrisk security portal is brought by a company RCS LT. Joined forces of security researchers help educate computer users about the latest online security threats. More information about the company RCS LT.

Our malware removal guides are free. However, if you want to support us you can send us a donation.

About PCrisk

PCrisk logo

PCrisk is a cyber security portal, informing Internet users about the latest digital threats. Our content is provided by security experts and professional malware researchers. Read more about us.

Malware activity

Global malware activity level today:

Medium threat activity

Increased attack rate of infections detected within the last 24 hours.

Virus and malware removal

This page provides information on how to avoid infections by malware or viruses and is useful if your system suffers from common spyware and malware attacks.

Learn about malware removal