Researchers at ESET have discovered new Point of Sale (POS) malware that they are calling ModPipe. ModPipe targets Oracle’s MICROS RES 3700 POS system, which is in use by hundreds of thousands of bars, restaurants and hospitality businesses worldwide. The malware is modular, and ESET has recovered three separate downloadable modules to date:
- GetMicInfo – Decrypts database user passwords from Windows registry and collects various system information via database queries
- ModScan – Scans an IP address
- ProcList – Enumerates running processes and their loaded DLLs

It is not yet known how ModPipe manages to infect these POS systems. Although the malware is able to decrypt database passwords stored on the POS terminal, ESET does not currently believe the actors behind it are capable of stealing more sensitive information such as card data. For that to happen, the actors would need to somehow discover the encryption key and, because the Windows Data Protection API (DPAPI) is used, decrypt the data directly on the infected machine.