ModPipe Malware Steals Sensitive Information from Oracle POS Software used by Hundreds of Thousands of Hotels

Based upon the documentation of RES 3700 POS, the attackers will not be prepared to gain access to delicate details like charge card numbers and expiration dates, which is protected by encryption. The only customer information stored and hence offered to the aggressors ought to be cardholder names.

ESET researchers have actually discovered ModPipe, a modular backdoor all set to harvest delicate details in PoS devices running Oracle Micros Restaurant Enterprise Series (RES) 3700, a management software suite made use of by many countless bars, dining establishments, hotels, and other hospitality establishments worldwide.

A new Point-of-Sale (PoS) named ModPipe malware is targeting devices made use of by many thousands of companies within the hospitality sector, researchers have alerted.

Researchers said in a blog that the operators of ModPipe likely have a “deep understanding” of the software application since the malware includes a custom algorithm GetMicInfo created to collect RES 3700 POS database passwords by decrypting them from Windows pc registry values.

ModPipe Architecture

” To accomplish this the assaulters would have to reverse engineer the generation process of the “site-specific passphrase,” which is utilized to obtain the file encryption key for delicate data,” the researchers keep in mind. “This process would then need to be executed into the module due to making use of the Windows Data Protection API (DPAPI) carried out straight on the victims device.”

ModPipe utilizes modular architecture consisting of fundamental parts and downloadable modules such as:

Downloadable modules– elements adding specific functionality to the backdoor, like the power to take database passwords and configuration details, scan specific IP addresses or obtain a stock of the running processes and their crammed modules.

Networking module– a module used for communication with C&C.

The main module– performs the most functionality of the malware. It produces a pipeline utilized for communication with other destructive modules, un/installs these modules and is a dispatcher that manages interaction in between the modules and for that reason the opponents C&C server.


Relentless loader– unloads and loads the subsequent phase of the malware, particularly the primary module.

Initial dropper– contains both 64-bit and 32-bit binaries of the subsequent phase– the persistent loader– and installs the appropriate version to the compromised device.

To keep the operators behind ModPipe at bay, potential victims within the hospitality sector, also as the other services using the RES 3700 POS, are encouraged to:

Use the most recent variation of the software.
Use it on devices that run an updated operating system and software.
Use reputable multi-layered security software that will spot ModPipe and comparable hazards.


RATicate– Hackers Group Launching an Information Stealing Malware by means of Remote Admin Tool

FinSpy Malware Attacking iOS and Android Devices to Steal Personal Information