Saturday, December 2, 2023

Ensiko – A PHP Based Web Shell with Ransomware Capabilities Attacks PHP Installation

Researchers observed a new PHP web shell dubbed Ensiko with ransomware capabilities that attack PHP installed on platforms such as Linux, Windows, macOS, and others.

The malware is capable of providing remote access and accepts commands from the attacker via a PHP reverse shell.

Security researchers from Trend Micro observed that the malware scans infected servers for the presence of other webshells, defacing websites, sending mass emails, downloading remote files, disclosing information about the affected server, brute-force attacks against file transfer protocol (FTP), cPanel, and Telnet, overwriting files with specified extensions, and more.

Webshell With Ransomware Capabilities

The malware is password-protected, it displays a not found page with a hidden login form. It uses RIJNDAEL_128 with CBC mode to encrypt files in the web directories and appends the “.bak” extension.

Hidden Login

It also drops an index.php file and sets it as the default page using a .htaccess file, the malware also loads additional tools onto an infected system.

Changed Index file

Following are the Ensiko’s capabilities;

Priv IndexDownload ensikology.php from pastebin
RansomewareEncrypt files using RIJNDAEL 128 with CBC mode
CGI TelnetDownload CGI-telnet version 1.3 from pastebin;CGI-Telnet is a CGI script that allows you to execute commands on your web server.
Reverse ShellPHP Reverse shell
Mini Shell 2Drop Mini Shell 2 webshell payload in ./tools_ensikology/
IndoXploitDrop IndoXploit webshell payload in ./tools_ensikology/
Sound CloudDisplay sound cloud
Realtime DDOS MapFortinet DDoS map
Encode/DecodeEncode/decode string buffer
Safe Mode FuckerDisable PHP Safe Mode
Dir Listing ForbiddenTurn off directory indexes
Mass MailerMail Bombing
cPanel CrackBrute-force cPanel, ftp, and telnet
Backdoor ScanCheck remote server for existing web shell
Exploit DetailsDisplay system information and versioning
Remote Server ScanCheck remote server for existing web shell
Remote File DownloaderDownload file from remote server via CURL or wget
Hex Encode/DecodeHex Encode/Decode
FTP Anonymous Access ScanerSearch for Anonymous FTP
Mass DefaceDefacement
Config GrabberGrab system configuration such as “/etc/passwd”
Cookie HijackSession hijacking
Secure ShellSSH Shell
Mass OverwriteRewrite or append data to the specified file type.
FTP ManagerFTP Manager
Check SteganologerDetects images with EXIF header
AdminerDownload Adminer PHP database management into the ./tools_ensikology/
PHP InfoInformation about PHP’s configuration
Byksw TranslateCharacter replacement

The threat actor also employees the steganography technique to hide code within the exchangeable image file format (EXIF) headers of an image file.

Webshell Interface

The malware also includes two scanning methods;

Backdoor Scan – Scans for the existence of a web shell from a hardcoded list.

Remote server scan – Checks infected web server for the presence of other web shells.

Also it employees a function Mass Overwrite that used to rewrite/append the content of all files with directories and subdirectories.

By injecting an Ensiko web shell attacker can enable remote administration, file encryption, and many more features on a compromised web server.


SHA-256 Hash


You can follow us on LinkedinTwitterFacebook for daily Cybersecurity, and hacking news updates.

Also Read

APT Group Actively Exploiting Internet-facing Vulnerable ColdFusion Server and Uploading Webshell

APT 34 Hackers Group Owned Hacking Tools, Webshell, Malware Code, C2 Servers IP Leaked in Telegram


Latest articles

Active Attacks Targeting Google Chrome & ownCloud Flaws: CISA Warns

The CISA announced two known exploited vulnerabilities active attacks targeting Google Chrome & own...

Cactus Ransomware Exploiting Qlik Sense code execution Vulnerability

A new Cactus Ransomware was exploited in the code execution vulnerability to Qlik Sense...

Hackers Bypass Antivirus with ScrubCrypt Tool to Install RedLine Malware

The ScrubCrypt obfuscation tool has been discovered to be utilized in attacks to disseminate the RedLine Stealer...

Hotel’s Hacked Logins Let Attacker Steal Guest Credit Cards

According to a recent report by Secureworks, a well-planned and advanced phishing attack was...

Critical Zoom Vulnerability Let Attackers Take Over Meetings

Zoom, the most widely used video conferencing platform has been discovered with a critical...

Hackers Using Weaponized Invoice to Deliver LUMMA Malware

Hackers use weaponized invoices to exploit trust in financial transactions, embedding malware or malicious...

US-Seized Crypto Currency Mixer Used by North Korean Lazarus Hackers

The U.S. Treasury Department sanctioned the famous cryptocurrency mixer Sinbad after it was claimed...

API Attack Simulation Webinar

Live API Attack Simulation

In the upcoming webinar, Karthik Krishnamoorthy, CTO and Vivek Gopalan, VP of Products at Indusface demonstrate how APIs could be hacked.The session will cover:an exploit of OWASP API Top 10 vulnerability, a brute force account take-over (ATO) attack on API, a DDoS attack on an API, how a WAAP could bolster security over an API gateway

Related Articles