Hackers Launching ModPipe Backdoor to Hack POS Software & Steal Data Password From Windows Registry

Recently, security researchers have identified a new Point-of-Sale (PoS) malware called “ModPipe” that always targets the devices used by several organizations in the hospitality industry. 

It is a backdoor based malware that can accumulate all kinds of delicate data from PoS devices that are running the Oracle Micros Restaurant Enterprise Series (RES) 3700.


This software is specially used by the restaurants and other businesses to control and operate all kinds of loyalty programs, POS devices, mobile payments, and some functions.

Oracle asserted that RES 3700 is the most extensively used restaurant management software in the industry. However, the software suite manages PoS and also rewards programs for all the “loyal customers,” reports, stocks, ads/promotions, and mobile payments.

This malware is targetting organizations since 2017, and ESET security researchers have identified this malware in 2019. Moreover, the ESET security researchers have discovered the other three modules that are added to the ModPipe, and these modules add up some additional functions to the actual ModPipe module.

Basic Components

According to the ESET report, there are some basic components that are found in these modules, and here we have mentioned them below:-

  • Initial dropper: It has both 32-bit and 64-bit binaries of the next stage, and it also has a persistent loader.
  • Persistent loader: It unpacks and loads the next stage of the malware.
  • Main module: It implements the main functionality of the malware. 
  • Networking module: In this, the module is used for communication with C&C.
  • Downloadable modules: Its components add up some specific functionality to the backdoor.

Downloadable Modules

Some downloadable modules are present in the ModPipe modules, and here we have mentioned below all the modules:-

  • Initially, GetMicInfo targets the data that are generally associated to the MICROS POS, and it also includes passwords that are related to two database user names.
  • Next is the ModScan 2.20 it collects all additional data regarding the MICROS POS environment that has been installed on the machines.
  • Lastly comes the ProcList, its main function is to accumulate all the information regarding the processes running on the machine.

Pipe commands handled by ModScan module

The pipe commands that are handled by the ModScan module are mentioned below:-

  • exit: Exit
  • stop: It terminates scanning threads
  • scan: It starts the scanning IPs specified in the command data to accumulate additional data.
  • prm: It specifies a special “ping” IP address

Main module commands

  • 0x01: Exit
  • 0x05: It updates the list of C&C addresses
  • 0x0A: Insert and execute the received module in the specified process
  • 0x0B: Insert and execute the received module in the specified process
  • 0x0C: Optionally write a module to the encrypted storage, and then insert and execute the received module in the specified process 
  • 0x0D: Transfer command to the named pipe belonging to the module with the specified ID and queue the response for the upload to the C&C
  • 0x0E: Uninstall module with the specified ID 
  • 0x0F: It saves network configuration to the encrypted storage

These attacks are quite often nowadays, and security researchers are finding all possible ways to eliminate this type of attack. ModPipe has several modules like it, and all of them have additional features and functions that make each of them more sophisticated malware. 

All these modules are being utilized in a large number as it helps the threat actors to steal all sensitive and delicate information of the organization.

Indicators of Compromise

C&C IP addresses

  • 191.101.31[.]223
  • 194.32.76[.]192
  • 23.19.58[.]114
  • 88.99.177[.]103
  • 91.209.77[.]172
  • 5.135.230[.]136

C&C domains/URLs

  • subzeroday.zapto[.]org
  • shj145ertyb.ddns[.]net/gettime.html
  • ouidji12345.ddns[.]net/gettime.html

Dropper samples

  • 9F8530627A8AD38F47102F626DEC9F0173B44CD5
  • FEE9C08B494C80DBF73A6F70FACD20ED0429330D

Loader samples

  • 0D1A4CB620576B8ADD34F919B4C6C46E7C3F9A59
  • B47E05D67DC055AF5B0689782D67EAA2EB8C75E3
  • F213B4EEF63F06EC127D3DC3265E14EE190B71E5
  • B2CE307DFE65C188FDAE169ABD65B75B112522C4
  • 2AC7A2C09E50EAFABF1F401194AC487ED96C6781
  • 0F4355A17AABD3645788341EAC2A9BB759DB95EE

Also Read:

Fake Microsoft Teams Updates Installs Cobalt Malware on Victims Machine

Gitpaste-12 Malware via GitHub & Pastebin Attacks Linux Servers and IoT Devices

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.