{
	"id": "dcad4123-dd40-4325-8d3f-1ba91873e305",
	"created_at": "2026-04-06T00:12:38.489268Z",
	"updated_at": "2026-04-10T13:12:31.014786Z",
	"deleted_at": null,
	"sha1_hash": "3f9190236811edf111a21ce833228c7132272e93",
	"title": "ModPipe Malware has a new module that siphons Credit Card Data",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 42513,
	"plain_text": "ModPipe Malware has a new module that siphons Credit Card Data\r\nBy Ryan Marshall\r\nPublished: 2021-03-23 · Archived: 2026-04-05 19:24:39 UTC\r\nCybersecurity researchers at Foregenix have discovered what appears to be a new module for the ModPipe malware, previously reported by ESET in November 2020. Alarmingly, this new module has the ability to siphon sensitive Track1 and Track2 data from payment systems, a feature set that had not previously been disclosed. Like the originally analysed and documented ModPipe, this module is most prevalent in the hospitality sector. This malware should be considered a high risk.\r\nThe CCSiphon (aka “JHook”) module was observed in the wild targeting the CCS.exe application, which is at the core of the RES 3700 POS management system made by Oracle’s Micros (Oracle Food and Beverage and Oracle Hospitality). What’s fascinating about the module is that it strategically inserts itself between the Micros application and the decryption mechanism used by the system. This “app in the middle” listens for when the Micros application needs to decrypt the payment card data. While Micros thinks it’s talking to the official Microsoft DPAPI decryption routine, it is actually passing the data that requires decryption directly to the malware. The siphon then leverages the actual crypto routines, quietly examining the data returned for evidence that it contains Track data. If Track data is found, the CCSiphon malware quietly writes the data to a buffered communications channel to be harvested later.\r\nForegenix researchers point out that while this sample of the new module targets the Micros RES 3700 system specifically, its dynamic mode of operation (controlled by a configuration string presented to the malware module) enables it to attack any payment processing application. This “configuration string” defines the details of how the application hook should be implemented and which payment process should be targeted.\r\nThe malware even has a fallback mechanism that could be used where a similar hooking approach is applied to the fundamental mechanism the system uses to move memory contents around. Should a more specific approach be unsuitable, this backup will provide access to the target data.\r\nThis siphon module is basically “file-less” in its design. The module is inserted into memory directly from the C2 channel. The siphoned data is also written to a location in memory, so it leaves little or no footprint on the system to be detected. At the time of this article, none of the antivirus companies seem to have detected this code.\r\nWhile the original ModPipe malware was not attributed to any particular attack group, Foregenix identified similarities comparing CCSiphon to the RDFScanner module in the Boostwrite malware reported by Mandiant in 2019. That attack was attributed to Fin7 and targeted NCR’s Aloha Point of Sale system. Additional research performed by Foregenix suggests that ModPipe may have passed unnoticed for a considerable period of time, with similar variants available on VirusTotal going back to 2019.\r\nhttps://www.foregenix.com/blog/modpipe-malware-has-a-new-module-that-siphons-payment-card-data\r\n“Attackers are certainly getting more sophisticated”, says Chris Hague, Global Manager Digital Forensics \u0026 Incident Response at Foregenix. “...This may be a game changer for PCI SSF (formerly PA-DSS) and other security standards.” It was also pointed out that the approach taken by this malware differs significantly from traditional “memory scrapers”. The latter generally scan memory on some form of timed cycle, leaving small windows of opportunity where payment details are “missed” by the malware. With the approach implemented by this variant of ModPipe, every payment card processed can and would be intercepted by the malware. Coupled with its stealthy operation, this could pose a significant risk to retailers.\r\nForegenix is a cybersecurity company specializing in Incident Response and Digital Forensics.\r\nContact: info@foregenix.com.\r\nResearch/Authors: Niall Newman and Mark Shelhart\r\nSource: https://www.foregenix.com/blog/modpipe-malware-has-a-new-module-that-siphons-payment-card-data",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.foregenix.com/blog/modpipe-malware-has-a-new-module-that-siphons-payment-card-data"
	],
	"report_names": [
		"modpipe-malware-has-a-new-module-that-siphons-payment-card-data"
	],
	"threat_actors": [
		{
			"id": "9de1979b-40fc-44dc-855d-193edda4f3b8",
			"created_at": "2025-08-07T02:03:24.92723Z",
			"updated_at": "2026-04-10T02:00:03.755516Z",
			"deleted_at": null,
			"main_name": "GOLD LOCUST",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Silicon "
			],
			"source_name": "Secureworks:GOLD LOCUST",
			"tools": [
				"Carbanak"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "bb8702c5-52ac-4359-8409-998a7cc3eeaf",
			"created_at": "2023-01-06T13:46:38.405479Z",
			"updated_at": "2026-04-10T02:00:02.961112Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"ATK32",
				"G0046",
				"G0008",
				"Sangria Tempest",
				"ELBRUS",
				"GOLD NIAGARA",
				"Coreid",
				"Carbanak",
				"Carbon Spider",
				"JokerStash",
				"CARBON SPIDER"
			],
			"source_name": "MISPGALAXY:FIN7",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f4f16213-7a22-4527-aecb-b964c64c2c46",
			"created_at": "2024-06-19T02:03:08.090932Z",
			"updated_at": "2026-04-10T02:00:03.6289Z",
			"deleted_at": null,
			"main_name": "GOLD NIAGARA",
			"aliases": [
				"Calcium ",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Navigator ",
				"Sangria Tempest ",
				"TelePort Crew "
			],
			"source_name": "Secureworks:GOLD NIAGARA",
			"tools": [
				"Bateleur",
				"Carbanak",
				"Cobalt Strike",
				"DICELOADER",
				"DRIFTPIN",
				"GGLDR",
				"GRIFFON",
				"JSSLoader",
				"Meterpreter",
				"OFFTRACK",
				"PILLOWMINT",
				"POWERTRASH",
				"SUPERSOFT",
				"TAKEOUT",
				"TinyMet"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "bfded1cf-be73-44f9-a391-0751c9996f9a",
			"created_at": "2022-10-25T15:50:23.337107Z",
			"updated_at": "2026-04-10T02:00:05.252413Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"FIN7",
				"GOLD NIAGARA",
				"ITG14",
				"Carbon Spider",
				"ELBRUS",
				"Sangria Tempest"
			],
			"source_name": "MITRE:FIN7",
			"tools": [
				"Mimikatz",
				"AdFind",
				"JSS Loader",
				"HALFBAKED",
				"REvil",
				"PowerSploit",
				"CrackMapExec",
				"Carbanak",
				"Pillowmint",
				"Cobalt Strike",
				"POWERSOURCE",
				"RDFSNIFFER",
				"SQLRat",
				"Lizar",
				"TEXTMATE",
				"BOOSTWRITE"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d85adfe3-e1c3-40b0-b8bb-d1bacadc4d82",
			"created_at": "2022-10-25T16:07:23.619566Z",
			"updated_at": "2026-04-10T02:00:04.690061Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"APT-C-11",
				"ATK 32",
				"G0046",
				"Gold Niagara",
				"GrayAlpha",
				"ITG14",
				"TAG-CR1"
			],
			"source_name": "ETDA:FIN7",
			"tools": [
				"7Logger",
				"Agentemis",
				"Anubis Backdoor",
				"Anunak",
				"Astra",
				"BIOLOAD",
				"BIRDWATCH",
				"Bateleur",
				"Boostwrite",
				"CROWVIEW",
				"Carbanak",
				"Cobalt Strike",
				"CobaltStrike",
				"DICELOADER",
				"DNSMessenger",
				"FOWLGAZE",
				"HALFBAKED",
				"JSSLoader",
				"KillACK",
				"LOADOUT",
				"Lizar",
				"Meterpreter",
				"Mimikatz",
				"NetSupport",
				"NetSupport Manager",
				"NetSupport Manager RAT",
				"NetSupport RAT",
				"NetSupportManager RAT",
				"POWERPLANT",
				"POWERSOURCE",
				"RDFSNIFFER",
				"Ragnar Loader",
				"SQLRAT",
				"Sardonic",
				"Sekur",
				"Sekur RAT",
				"TEXTMATE",
				"Tirion",
				"VB Flash",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434358,
	"ts_updated_at": 1775826751,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3f9190236811edf111a21ce833228c7132272e93.pdf",
		"text": "https://archive.orkl.eu/3f9190236811edf111a21ce833228c7132272e93.txt",
		"img": "https://archive.orkl.eu/3f9190236811edf111a21ce833228c7132272e93.jpg"
	}
}