Researchers at ESET have discovered a new Point of Sale (POS) malware they are calling ModPipe. ModPipe targets Oracle's MICROS RES 3700 POS system, which is in use by hundreds of thousands of bars, restaurants and hospitality businesses worldwide. The malware is modular; ESET has recovered three separate downloadable modules to date:
- GetMicInfo – Decrypts database user passwords from the Windows registry and collects various system information via database queries
- ModScan – Scans an IP address
- ProcList – Enumerates running processes and their loaded DLLs
It is not yet known how ModPipe manages to infect these POS systems. Although the malware is able to decrypt database passwords stored on the POS terminal, ESET does not currently believe the actors behind it are capable of stealing more sensitive information such as card data. Because that data is protected with the Windows Data Protection API (DPAPI), the actors would need to somehow discover the encryption key and decrypt the data directly on the infected machine for this to happen.
POS software and the underlying operating system should be kept up to date just like any other device. When possible, Binary Defense highly recommends using an Endpoint Detection and Response (EDR) solution side-by-side with traditional anti-virus products. Most malware that targets POS systems uses techniques such as injecting into the memory of other processes, writing collected data to external files, and unusual patterns of network communication from POS devices.

Threat actors who deploy POS malware typically use system automation techniques such as PsExec, PaExec, PowerShell remoting and Visual Basic scripts to deploy the malware to POS systems across a fleet and to collect the data the malware produces. Watching for unusual behavior by administrator accounts logging in to many POS devices through automation scripts is a good threat hunting technique for uncovering this activity. Another common technique is to set up custom network proxies (using netsh portproxy, SSH port forwarding or other software) on compromised internal systems such as domain controllers, so that otherwise isolated POS systems can send data out to the Internet via the proxy.

Using an EDR solution or a managed detection and response (MDR) service can help spot threats before they spread too far. Analysts at the Binary Defense Security Operations Center detect threats on our clients' workstations and servers 24 hours a day and respond quickly to contain infections, preventing minor incidents from becoming a source of major damage across the company.
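The two hunting ideas above, an administrator account fanning out to many POS hosts in a short window over a remote-execution channel and a netsh portproxy forwarder pointing at an outside address, can be turned into simple checks. The Python below is an added example written for this page, not tooling from ESET or Binary Defense. The logon record field names (`account`, `target`, `time`, `via`) are assumptions standing in for whatever a SIEM exports for network logons, and every log record and command output in it is a constructed sample.

```python
"""Threat-hunting heuristics for two behaviours described in the post:
an account reaching many POS hosts within a short window (typical of
PsExec/PaExec/WinRM deployments) and netsh portproxy forwarders that give
isolated hosts a path out. Example code added to this page; all records and
command output are constructed samples, and the field names are assumptions."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed network-logon records (e.g. Windows 4624 events joined with the
# service or channel that carried them). Field names are assumptions.
SAMPLE_LOGONS = [
    {"account": "CORP\\svc_deploy", "target": "POS-01", "time": "2020-11-12T02:01:10", "via": "PSEXESVC"},
    {"account": "CORP\\svc_deploy", "target": "POS-02", "time": "2020-11-12T02:01:42", "via": "PSEXESVC"},
    {"account": "CORP\\svc_deploy", "target": "POS-03", "time": "2020-11-12T02:02:15", "via": "PSEXESVC"},
    {"account": "CORP\\svc_deploy", "target": "POS-04", "time": "2020-11-12T02:02:50", "via": "PSEXESVC"},
    {"account": "CORP\\svc_deploy", "target": "POS-05", "time": "2020-11-12T02:03:21", "via": "PSEXESVC"},
    {"account": "CORP\\svc_deploy", "target": "POS-06", "time": "2020-11-12T02:03:58", "via": "PSEXESVC"},
    # A technician touching a few terminals over a whole shift: normal activity.
    {"account": "CORP\\jsmith", "target": "POS-02", "time": "2020-11-12T09:10:00", "via": "RDP"},
    {"account": "CORP\\jsmith", "target": "POS-07", "time": "2020-11-12T11:45:00", "via": "RDP"},
    {"account": "CORP\\jsmith", "target": "POS-09", "time": "2020-11-12T15:20:00", "via": "RDP"},
]

# Remote-execution channels named in the post (PsExec service, PaExec, PowerShell remoting).
AUTOMATION_CHANNELS = {"PSEXESVC", "PAExec", "WinRM"}


def flag_fanout_accounts(records, threshold=5, window_minutes=15):
    """Return {account: sorted target hosts} for every account that reached at
    least `threshold` distinct hosts inside some sliding window of `window_minutes`."""
    window = timedelta(minutes=window_minutes)
    by_account = defaultdict(list)
    for r in records:
        by_account[r["account"]].append((datetime.fromisoformat(r["time"]), r["target"]))
    flagged = {}
    for account, events in by_account.items():
        events.sort()  # chronological, so each start index anchors one window
        for i, (start, _) in enumerate(events):
            hosts = {host for t, host in events[i:] if t - start <= window}
            if len(hosts) >= threshold:
                flagged[account] = sorted(hosts)
                break
    return flagged


def automation_logons(records):
    """Records carried by a remote-execution channel: a second signal to weigh
    when an account's fan-out count alone is borderline."""
    return [r for r in records if r["via"] in AUTOMATION_CHANNELS]


# Constructed text in the shape printed by `netsh interface portproxy show all`.
SAMPLE_PORTPROXY = """\
Listen on ipv4:             Connect to ipv4:

Address         Port        Address         Port
--------------- ----------  --------------- ----------
0.0.0.0         8443        203.0.113.10    443
10.20.0.5       1433        10.20.0.7       1433
"""

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ROW = re.compile(r"^(\S+)\s+(\d+)\s+(\S+)\s+(\d+)\s*$")  # listen addr/port, connect addr/port


def parse_portproxy(text):
    """Parse forwarder rows into dicts; header and separator lines never match ROW."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            rows.append({"listen": m.group(1), "listen_port": int(m.group(2)),
                         "connect": m.group(3), "connect_port": int(m.group(4))})
    return rows


def external_forwarders(rows):
    """Forwarders whose connect-to address is outside RFC 1918 space (or is not an
    IP at all, e.g. a hostname): the shape of a proxy built for isolated hosts."""
    out = []
    for r in rows:
        try:
            addr = ipaddress.ip_address(r["connect"])
            internal = any(addr in net for net in RFC1918)
        except ValueError:  # hostname rather than an address; treat as not-internal
            internal = False
        if not internal:
            out.append(r)
    return out


if __name__ == "__main__":
    print("fan-out:", flag_fanout_accounts(SAMPLE_LOGONS))
    print("automation logons:", len(automation_logons(SAMPLE_LOGONS)))
    print("external forwarders:", external_forwarders(parse_portproxy(SAMPLE_PORTPROXY)))
```

Run against the samples, the fan-out check flags only the deployment account (six terminals in under three minutes) while the technician's three logons spread across a shift stay quiet, and the portproxy check surfaces only the forwarder whose connect-to address lies outside private space. The threshold and window are the knobs to tune against a site's real deployment cadence.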