Friday, November 1, 2024
Homecyber securityEnsiko - A PHP Based Web Shell with Ransomware Capabilities Attacks PHP...

Ensiko – A PHP Based Web Shell with Ransomware Capabilities Attacks PHP Installation

Published on

Malware protection

Researchers observed a new PHP web shell dubbed Ensiko with ransomware capabilities that attack PHP installed on platforms such as Linux, Windows, macOS, and others.

The malware is capable of providing remote access and accepts commands from the attacker via a PHP reverse shell.

Security researchers from Trend Micro observed that the malware scans infected servers for the presence of other webshells, defacing websites, sending mass emails, downloading remote files, disclosing information about the affected server, brute-force attacks against file transfer protocol (FTP), cPanel, and Telnet, overwriting files with specified extensions, and more.

- Advertisement - SIEM as a Service

Webshell With Ransomware Capabilities

The malware is password-protected, it displays a not found page with a hidden login form. It uses RIJNDAEL_128 with CBC mode to encrypt files in the web directories and appends the “.bak” extension.

Hidden Login

It also drops an index.php file and sets it as the default page using a .htaccess file, the malware also loads additional tools onto an infected system.

Changed Index file

Following are the Ensiko’s capabilities;

FeaturesDescription
Priv IndexDownload ensikology.php from pastebin
RansomewareEncrypt files using RIJNDAEL 128 with CBC mode
CGI TelnetDownload CGI-telnet version 1.3 from pastebin;CGI-Telnet is a CGI script that allows you to execute commands on your web server.
Reverse ShellPHP Reverse shell
Mini Shell 2Drop Mini Shell 2 webshell payload in ./tools_ensikology/
IndoXploitDrop IndoXploit webshell payload in ./tools_ensikology/
Sound CloudDisplay sound cloud
Realtime DDOS MapFortinet DDoS map
Encode/DecodeEncode/decode string buffer
Safe Mode FuckerDisable PHP Safe Mode
Dir Listing ForbiddenTurn off directory indexes
Mass MailerMail Bombing
cPanel CrackBrute-force cPanel, ftp, and telnet
Backdoor ScanCheck remote server for existing web shell
Exploit DetailsDisplay system information and versioning
Remote Server ScanCheck remote server for existing web shell
Remote File DownloaderDownload file from remote server via CURL or wget
Hex Encode/DecodeHex Encode/Decode
FTP Anonymous Access ScanerSearch for Anonymous FTP
Mass DefaceDefacement
Config GrabberGrab system configuration such as “/etc/passwd”
SymLinklink
Cookie HijackSession hijacking
Secure ShellSSH Shell
Mass OverwriteRewrite or append data to the specified file type.
FTP ManagerFTP Manager
Check SteganologerDetects images with EXIF header
AdminerDownload Adminer PHP database management into the ./tools_ensikology/
PHP InfoInformation about PHP’s configuration
Byksw TranslateCharacter replacement
SuicideSelf-delete

The threat actor also employees the steganography technique to hide code within the exchangeable image file format (EXIF) headers of an image file.

Webshell Interface

The malware also includes two scanning methods;

Backdoor Scan – Scans for the existence of a web shell from a hardcoded list.

Remote server scan – Checks infected web server for the presence of other web shells.

Also it employees a function Mass Overwrite that used to rewrite/append the content of all files with directories and subdirectories.

By injecting an Ensiko web shell attacker can enable remote administration, file encryption, and many more features on a compromised web server.

IoC

SHA-256 Hash

5fdbf87b7f74327e9132b5edb5c217bdcf49fe275945d502ad675c1dd46e3db5

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity, and hacking news updates.

Also Read

APT Group Actively Exploiting Internet-facing Vulnerable ColdFusion Server and Uploading Webshell

APT 34 Hackers Group Owned Hacking Tools, Webshell, Malware Code, C2 Servers IP Leaked in Telegram

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

LightSpy iOS Malware Enhanced with 28 New Destructive Plugins

The LightSpy threat actor exploited publicly available vulnerabilities and jailbreak kits to compromise iOS...

ATPC Cyber Forum to Focus on Next Generation Cybersecurity and Artificial Intelligence Issues

White House National Cyber Director, CEOs, Key Financial Services Companies, Congressional and Executive Branch...

New PySilon RAT Abusing Discord Platform to Maintain Persistence

Cybersecurity experts have identified a new Remote Access Trojan (RAT) named PySilon. This Trojan...

Konni APT Hackers Attacking Organizations with New Spear-Phishing Tactics

The notorious Konni Advanced Persistent Threat (APT) group has intensified its cyber assault on...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

LightSpy iOS Malware Enhanced with 28 New Destructive Plugins

The LightSpy threat actor exploited publicly available vulnerabilities and jailbreak kits to compromise iOS...

New PySilon RAT Abusing Discord Platform to Maintain Persistence

Cybersecurity experts have identified a new Remote Access Trojan (RAT) named PySilon. This Trojan...

Notorious WrnRAT Delivered Mimic As Gambling Games

WrnRAT is a new malware attack that cybercriminals have deployed by using popular gambling...