Dubbed Ensiko, the malware is a PHP web shell with ransomware capabilities that can target Linux, Windows, and macOS machines. Because it is written in PHP, it can also run on any other platform with PHP installed, Trend Micro researchers say.
Ensiko Malware: Technical Overview
As just mentioned, Ensiko is a PHP web shell with a wide range of capabilities. The malware lets threat actors control a compromised system remotely and accepts commands from them to carry out various malicious actions.
Ensiko "can also execute shell commands on an infected system and send the results back to the attacker via a PHP reverse shell." The malware can scan servers for the presence of other web shells. Other capabilities include defacing websites, sending mass emails, downloading remote files, disclosing information about the affected server, brute-force attacks against File Transfer Protocol (FTP), cPanel, and Telnet, and overwriting files with specified extensions, among others.
Access to the shell can be password-protected. Rather than exposing a visible login page, it serves a Not Found page that contains a hidden login form, so a casual visitor sees only an apparent 404 error. Other capabilities of Ensiko include:
Priv Index: Download ensikology.php from pastebin
Ransomware: Encrypt files using Rijndael-128 in CBC mode
CGI Telnet: Download CGI-Telnet version 1.3 from pastebin (CGI-Telnet is a CGI script that allows you to execute commands on your web server)
Reverse Shell: PHP reverse shell
Mini Shell 2: Drop the Mini Shell 2 web shell payload in ./tools_ensikology/
IndoXploit: Drop the IndoXploit web shell payload in ./tools_ensikology/
Sound Cloud: Display SoundCloud
Realtime DDOS Map: Display Fortinet's DDoS map
Encode/Decode: Encode/decode a string buffer
Safe Mode Fucker: Disable PHP Safe Mode
Dir Listing Forbidden: Turn off directory indexes
Mass Mailer: Mail bombing
cPanel Crack: Brute-force cPanel, FTP, and Telnet
Backdoor Scan: Check the local server for existing web shells
Exploit Details: Display system information and versioning
Remote Server Scan: Check a remote server for existing web shells
Remote File Downloader: Download a file from a remote server via cURL or wget
Hex Encode/Decode: Hex encode/decode
FTP Anonymous Access Scanner: Search for FTP servers allowing anonymous access
Mass Deface: Defacement
Config Grabber: Grab system configuration files such as /etc/passwd
Cookie Hijack: Session hijacking
Secure Shell: SSH shell
Mass Overwrite: Rewrite or append data to files of the specified type
FTP Manager: FTP manager
Check Steganologer: Detect images carrying EXIF headers
Adminer: Download the Adminer PHP database management tool into ./tools_ensikology/
PHP Info: Information about PHP's configuration
Byksw Translate: Character replacement
As for the ransomware capabilities, Ensiko uses PHP's RIJNDAEL_128 cipher in CBC mode to encrypt files in the directory where the web shell resides and in its subdirectories, appending the .bak extension to the encrypted files' names, Trend Micro's analysis reveals. Rijndael with a 128-bit block size is the AES block cipher, so the encryption itself is standard AES-CBC; whether encrypted files can be recovered depends on how the key and IV are generated and stored, which the analysis quoted here does not detail.
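The artefacts named above (the ./tools_ensikology/ drop directory, the ensikology.php file name, a PHP file whose Not Found page carries a login form, and a directory in which many files have gained a .bak suffix) are enough to build a simple hunt script for a suspect web root. The following Python is an added example written for this article; it is not Trend Micro's tooling and not code from Ensiko itself. The regular expressions, the threshold of three .bak siblings per directory, and the sample web root it creates in a temporary directory are assumptions constructed for the demonstration.

```python
"""Hunt for Ensiko-style web shell artefacts in a web root (added example)."""
import os
import re
import tempfile
from collections import Counter

DROP_DIR = "tools_ensikology"       # drop directory named in the analysis
SHELL_NAME = "ensikology.php"       # file fetched by the "Priv Index" module
BAK_BURST_THRESHOLD = 3             # assumed: this many .bak siblings looks like encryption, not a backup
# Assumed heuristics for the hidden login page: a "Not Found" body plus a form with a password field.
NOT_FOUND_RE = re.compile(r"(?i)\bnot\s+found\b")
LOGIN_FORM_RE = re.compile(r"""(?is)<form\b.*?type\s*=\s*["']?password""")


def scan_webroot(root):
    """Walk `root` and return sorted (indicator, path-relative-to-root) tuples."""
    findings = []
    bak_per_dir = Counter()
    for dirpath, dirnames, filenames in os.walk(root):
        for d in dirnames:
            if d == DROP_DIR:
                findings.append(("drop_dir", os.path.relpath(os.path.join(dirpath, d), root)))
        for f in filenames:
            path = os.path.join(dirpath, f)
            rel = os.path.relpath(path, root)
            if f == SHELL_NAME:
                findings.append(("known_name", rel))
            if f.endswith(".bak"):
                bak_per_dir[os.path.relpath(dirpath, root)] += 1
            if f.lower().endswith(".php"):
                try:
                    with open(path, encoding="utf-8", errors="replace") as fh:
                        body = fh.read(512 * 1024)   # cap the read; shells are small
                except OSError:
                    continue
                if NOT_FOUND_RE.search(body) and LOGIN_FORM_RE.search(body):
                    findings.append(("hidden_login", rel))
    # A single stale config.bak is normal; a burst of .bak files in one directory is not.
    for d, n in bak_per_dir.items():
        if n >= BAK_BURST_THRESHOLD:
            findings.append(("bak_burst", d))
    return sorted(findings)


def build_sample_webroot():
    """Create a constructed sample web root in a temp directory and return its path."""
    root = tempfile.mkdtemp(prefix="ensiko-demo-")

    def put(rel, content):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)

    put("index.php", "<?php echo 'hello'; ?>")
    put("wp-config.php.bak", "<?php /* one stale admin backup, below the burst threshold */ ?>")
    put("tools_ensikology/adminer.php", "<?php /* dropped tool */ ?>")
    put("img/ensikology.php",
        "<?php if (!isset($_POST['pass'])) { ?><h1>404 Not Found</h1>"
        "<form method=\"post\" style=\"display:none\">"
        "<input type=\"password\" name=\"pass\"></form><?php } ?>")
    for name in ("a.jpg.bak", "b.jpg.bak", "c.txt.bak"):   # constructed "encrypted" files
        put(os.path.join("img", "uploads", name), "ciphertext")
    return root


if __name__ == "__main__":
    for indicator, where in scan_webroot(build_sample_webroot()):
        print(f"{indicator:13s} {where}")
```

Treat every hit as a lead rather than a verdict: .bak is a common suffix for legitimate backups, and a hidden-form check of this kind will also flag some custom maintenance pages, so review flagged files by hand and compare them against the site's deployment manifest or version control.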
Ensiko is a capable threat that appears to have been built as a remote administration tool for compromised servers. Its ransomware component, which encrypts files on an infected server with the Rijndael algorithm, comes on top of that web shell functionality.