Card Not Present Fraud , Cybercrime , Endpoint Security

'ModPipe' POS Malware Attacking Hospitality Industry

Carefully Crafted Backdoor Targets Oracle Software Used to Store Data
'ModPipe' POS Malware Attacking Hospitality Industry

A recently uncovered point-of-sale malware called "ModPipe" is targeting Oracle software used by thousands of restaurants and other businesses in the hospitality industry, according to researchers at security firm ESET.

See Also: Webinar | Everything You Can Do to Fight Social Engineering and Phishing

This carefully crafted backdoor is designed to target the Oracle Micros Restaurant Enterprise Series 3700 product, specialty software that restaurants and other businesses use to manage loyalty programs, POS devices, mobile payments and other functions, according to the report.

The malware appears to have been active since at least 2017, although ESET researchers first discovered it in 2019. In April, the analysts discovered three other modules added to ModPipe to give the malicious code additional functionality, according to the report.

The majority of the attacks associated with ModPipe appear to target businesses in the U.S., although organizations in Thailand, Greece, the U.K., Canada and Turkey have also reported incidents involving the malware, ESET says.

The operators behind ModPipe appear to have extensive knowledge of the Oracle software. The hackers could have reverse-engineered the applications, or they could have gained access to the source code following a 2016 breach at Oracle, according to the report.

"Usually, POS malware uses a technique called RAM scraping in order to find credit card information directly in the POS memory," Robert Lipovsky, a senior malware researcher at ESET, tells Information Security Media Group. "ModPipe uses detailed knowledge of the targeted software implementation in order to get passwords to the database, which contains information about credit cards - but in encrypted form. We have not been able to attribute ModPipe to any existing advanced persistent threat group for now."

ESET has contacted Oracle about the attacks associated with the company's software.

Targeting POS

While the ESET researchers have been able to study how the ModPipe malware works and what type of data it attempts to collect in compromised devices and networks, how the initial attacks start is not known, Lipovsky says.

When deployed, however, ModPipe uses a custom algorithm designed to gather Oracle Micros Restaurant Enterprise Series 3700 POS database passwords by decrypting them from Windows registry values, according to the report. This is another reason why ESET believes the operators have deep knowledge of the management software.

By using these passwords, the ModPipe operators are able to access a database's content, including various definitions and configurations, status tables and information about POS transactions, according to the report.

The most sensitive data, such as credit card numbers and expiration dates, would not be available because that information would be encrypted in the database. "The only customer data stored in the clear and thus available to the attackers should be cardholder names," the report notes.

"Credit and payment card data are most likely what the attackers are after, but we don’t have evidence that they were able to decrypt the information for now. All we can say for certain is that they have access to the database, which contains information about credit cards but in an encrypted form," Lipovsky says. "Nonetheless, based on the attackers' demonstrated capabilities and extensive knowledge of the targeted Restaurant Enterprise Series 3700 POS software, the targets and users of this POS software should err on the side of caution and consider the data compromised."

The report also notes that ModPipe may have an additional module unknown to researchers than can decrypt the credit card data.

"To achieve this, the attackers would have to reverse engineer the generation process of the 'site-specific passphrase,' which is used to derive the encryption key for sensitive data," the report notes. "This process would then have to be implemented into the module and - due to use of the Windows Data Protection API - executed directly on the victim's machine."


The ModPipe malware comprises several components, including an initial dropper, which uses 32-bit and 64-bit binaries; an uploader that prepares the main module; the main module, which deploys the malware and creates a pipe to other modules; a network module that communicates with the command-and-control server; and a downloadable module that exfiltrates the data, according to the report.

The new additions to the ModPipe malware are a series of modules that ESET first uncovered in April that are designed to give the backdoor additional functionality.

The first of these, called GetMicInfo, contains the custom algorithm that gathers the POS database passwords. The second, dubbed ModScan 2.20, scans IP addresses looking for other POS data, according to the report. The third, ProcList, monitors the process during an attack, the report notes.

Other POS Malware

Despite the COVID-19 pandemic, during which consumers are staying at home and making purchases relying more on card-not-present transactions, POS malware persists, according to security experts.

In October, for example, Visa's payment fraud team published an alert warning of recent malware attacks on POS devices used by two North American hospitality companies. In one of these incidents, three POS malware variants designed to scrape payment card data were found on the targeted firm's network and devices (see: Visa Alert: POS Malware Attacks Persist).

About the Author

Scott Ferguson

Scott Ferguson

Former Managing Editor, GovInfoSecurity, ISMG

Ferguson was the managing editor for the media website at Information Security Media Group. Before joining ISMG, he was editor-in-chief at eWEEK and director of audience development for InformationWeek. He's also written and edited for Light Reading, Security Now, Enterprise Cloud News, TU-Automotive, Dice Insights and

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.