CYBER NEWS

Ensiko Malware Can Target Linux, Windows, and macOS

Cybersecurity researchers recently discovered an advanced threat with a set of malicious capabilities, including ransomware.

Dubbed Ensiko, the malware is a PHP web shell with ransomware capabilities that can target Linux, Windows, and macOS machines. It can also target any other platform with PHP installed, TrendMicro researchers say.

Ensiko Malware: Technical Overview

As just mentioned, Ensiko is a PHP web shell with various capabilities. The malware can control a compromised system remotely and accept commands from threat actors to carry out various malicious scenarios.

Ensiko “can also execute shell commands on an infected system and send the results back to the attacker via a PHP reverse shell.” The malware can scan servers for the presence of other webshells. Other capabilities include defacing websites, sending mass emails, downloading remote files, disclosing information about the affected server, brute-force attacks against file transfer protocol (FTP), cPanel, and Telnet, overwriting files with specified extensions, among others.


The malware can be password-protected. For authentication, it displays a Not Found page with a hidden login form. Other capabilities of Ensiko include:

Priv Index: Download ensikology.php from pastebin
Ransomware: Encrypt files using RIJNDAEL 128 with CBC mode
CGI Telnet: Download CGI-telnet version 1.3 from pastebin; CGI-Telnet is a CGI script that allows you to execute commands on your web server.
Reverse Shell: PHP reverse shell
Mini Shell 2: Drop Mini Shell 2 webshell payload in ./tools_ensikology/
IndoXploit: Drop IndoXploit webshell payload in ./tools_ensikology/
Sound Cloud: Display SoundCloud
Realtime DDOS Map: Fortinet DDoS map
Encode/Decode: Encode/decode string buffer
Safe Mode Fucker: Disable PHP Safe Mode
Dir Listing Forbidden: Turn off directory indexes
Mass Mailer: Mail bombing
cPanel Crack: Brute-force cPanel, FTP, and Telnet
Backdoor Scan: Check remote server for existing web shell
Exploit Details: Display system information and versioning
Remote Server Scan: Check remote server for existing web shell
Remote File Downloader: Download file from remote server via cURL or wget
Hex Encode/Decode: Hex encode/decode
FTP Anonymous Access Scanner: Search for anonymous FTP
Mass Deface: Defacement
Config Grabber: Grab system configuration such as “/etc/passwd”
SymLink: Link
Cookie Hijack: Session hijacking
Secure Shell: SSH shell
Mass Overwrite: Rewrite or append data to the specified file type
FTP Manager: FTP manager
Check Steganologer: Detect images with EXIF header
Adminer: Download Adminer PHP database management into ./tools_ensikology/
PHP Info: Information about PHP’s configuration
Byksw Translate: Character replacement
Suicide: Self-delete

As for the ransomware capabilities, Ensiko uses PHP RIJNDAEL_128 with CBC mode to encrypt files in a web shell directory and subdirectories. It appends filenames with the .bak extension, TrendMicro’s analysis reveals.

Ensiko is an advanced threat that seems to have been created for remote administration. It has ransomware capabilities, and can encrypt files on an infected server via the RIJNDAEL encryption algorithm.
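The artefacts the article names (the ./tools_ensikology/ drop directory, the ensikology.php module, Rijndael-128/CBC file encryption, and files renamed with a .bak suffix) can be turned into a simple triage sweep of a web root. The script below is an added example written for this page, not code from the article or from TrendMicro's analysis; it assumes the cipher and mode show up in PHP source as the mcrypt constant names MCRYPT_RIJNDAEL_128 and MCRYPT_MODE_CBC, and the .bak ratio threshold is an assumed value, not one the article gives.

```python
import os
import re
import tempfile

# Indicators taken from the article: drop directory, pastebin-fetched module name,
# and the cipher/mode pairing used for file encryption (mcrypt constant names assumed).
DROP_DIR = "tools_ensikology"
MODULE_NAME = "ensikology.php"
CIPHER_RE = re.compile(rb"MCRYPT_RIJNDAEL_128")
MODE_RE = re.compile(rb"MCRYPT_MODE_CBC")
BAK_RATIO = 0.5   # assumed threshold: share of .bak files in a directory that is suspicious
BAK_MIN = 3       # assumed threshold: ignore a directory with only one or two .bak files


def scan_webroot(root):
    """Walk a web root and return (path, reason) pairs for Ensiko-like indicators."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        if DROP_DIR in dirnames:
            findings.append((os.path.join(dirpath, DROP_DIR), "dropper directory tools_ensikology"))
        bak = [f for f in filenames if f.endswith(".bak")]
        if len(bak) >= BAK_MIN and len(bak) / len(filenames) >= BAK_RATIO:
            findings.append((dirpath, "mass .bak rename (%d of %d files)" % (len(bak), len(filenames))))
        for name in filenames:
            path = os.path.join(dirpath, name)
            if name == MODULE_NAME:
                findings.append((path, "ensikology.php module"))
            if name.endswith(".php"):
                with open(path, "rb") as fh:
                    data = fh.read()
                if CIPHER_RE.search(data) and MODE_RE.search(data):
                    findings.append((path, "Rijndael-128/CBC encryption routine"))
    return findings


def build_constructed_sample(root):
    """Constructed sample tree (harmless placeholder files, not real malware)."""
    site = os.path.join(root, "site")
    os.makedirs(os.path.join(site, DROP_DIR))
    os.makedirs(os.path.join(site, "uploads"))
    with open(os.path.join(site, "index.php"), "wb") as fh:
        fh.write(b"<?php echo 'hello'; ?>")                      # clean file, no finding
    with open(os.path.join(site, "shell.php"), "wb") as fh:
        fh.write(b"<?php $c = MCRYPT_RIJNDAEL_128; $m = MCRYPT_MODE_CBC; ?>")
    with open(os.path.join(site, DROP_DIR, MODULE_NAME), "wb") as fh:
        fh.write(b"<?php // placeholder ?>")
    for i in range(4):                                           # mass .bak rename
        with open(os.path.join(site, "uploads", "doc%d.txt.bak" % i), "wb") as fh:
            fh.write(b"x")


def run_demo():
    """Build the constructed tree in a temp dir and return the scan findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_constructed_sample(tmp)
        return scan_webroot(tmp)


if __name__ == "__main__":
    for path, reason in run_demo():
        print(reason, "->", path)
```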

Milena Dimitrova

An inspired writer and content manager who has been with SensorsTechForum since the project started. A professional with 10+ years of experience in creating engaging content. Focused on user privacy and malware development, she strongly believes in a world where cybersecurity plays a central role. If common sense makes no sense, she will be there to take notes. Those notes may later turn into articles! Follow Milena @Milenyim
