‘ModPipe’, a modular backdoor aimed at POS software, was discovered

Sensitive information stored on devices running ORACLE MICROS RES 3700 POS can be accessed.

Tuesday, November 17, 2020, 5:35 GMT

ModPipe, a modular backdoor that can access confidential information held on the system, has been found, and users are urged to take note. Fortunately, it is understood that the targets are mostly in the United States.

ESET Korea, a domestic affiliate of ESET, said that a modular backdoor called ModPipe had been found and urged caution. Downloadable modules and their controller are distinctive features of this backdoor, as is a custom algorithm that recovers the RES 3700 POS database password by decrypting it from a Windows registry value.

This indicates that the backdoor's authors have a deep understanding of the target software and chose a more advanced method rather than collecting data with an easier and more easily detected approach such as keylogging. With the recovered passwords, ModPipe operators can access database contents, including various definitions and configuration, status tables, and POS transaction data.

ESET researcher Martin Smolár, who discovered ModPipe, said: “The attacker was unable to access the most sensitive information, such as cryptographically encrypted credit card numbers and expiration dates, according to the RES 3700 POS documents.” The only customer details an attacker might use were the name of the cardholder. ModPipe’s most fascinating element is its downloadable modules. “Since the end of 2019, when we first identified and examined the fundamental components, we have been aware of their presence.”

Downloadable modules
-GetMicInfo targets MICROS POS-related data, including the passwords linked to two manufacturer-predefined database user names. Using a custom-designed algorithm, this module intercepts and decrypts these database passwords.
-ModScan 2.20 scans the chosen IP address and gathers additional details about the MICROS POS environment installed on the machine.
-ProcList’s main purpose is to gather details about the processes currently running on the system.

“The architecture, modules and features of ModPipe indicate that the authors have comprehensive knowledge of the targeted RES 3700 POS program,” Smolár said. Alternatively, that knowledge may have come from other sources, for example code purchased on an underground market.

To keep ModPipe operators out, hospitality and other businesses that could be targeted through RES 3700 POS should 1) update the application to its current version, 2) use up-to-date software and operating systems, and 3) be able to detect ModPipe and related attacks. We suggest using reliable multi-layered security tools for this.