Researchers observed a new PHP web shell dubbed Ensiko with ransomware capabilities that attack PHP installed on platforms such as Linux, Windows, macOS, and others.

The malware is capable of providing remote access and accepts commands from the attacker via a PHP reverse shell.

Security researchers from Trend Micro observed that the malware scans infected servers for the presence of other webshells, defacing websites, sending mass emails, downloading remote files, disclosing information about the affected server, brute-force attacks against file transfer protocol (FTP), cPanel, and Telnet, overwriting files with specified extensions, and more.

Webshell With Ransomware Capabilities

The malware is password-protected, it displays a not found page with a hidden login form. It uses RIJNDAEL_128 with CBC mode to encrypt files in the web directories and appends the “.bak” extension.

Hidden Login

It also drops an index.php file and sets it as the default page using a .htaccess file, the malware also loads additional tools onto an infected system.

Changed Index file

Following are the Ensiko’s capabilities;

Priv IndexDownload ensikology.php from pastebin
RansomewareEncrypt files using RIJNDAEL 128 with CBC mode
CGI TelnetDownload CGI-telnet version 1.3 from pastebin;CGI-Telnet is a CGI script that allows you to execute commands on your web server.
Reverse ShellPHP Reverse shell
Mini Shell 2Drop Mini Shell 2 webshell payload in ./tools_ensikology/
IndoXploitDrop IndoXploit webshell payload in ./tools_ensikology/
Sound CloudDisplay sound cloud
Realtime DDOS MapFortinet DDoS map
Encode/DecodeEncode/decode string buffer
Safe Mode FuckerDisable PHP Safe Mode
Dir Listing ForbiddenTurn off directory indexes
Mass MailerMail Bombing
cPanel CrackBrute-force cPanel, ftp, and telnet
Backdoor ScanCheck remote server for existing web shell
Exploit DetailsDisplay system information and versioning
Remote Server ScanCheck remote server for existing web shell
Remote File DownloaderDownload file from remote server via CURL or wget
Hex Encode/DecodeHex Encode/Decode
FTP Anonymous Access ScanerSearch for Anonymous FTP
Mass DefaceDefacement
Config GrabberGrab system configuration such as “/etc/passwd”
Cookie HijackSession hijacking
Secure ShellSSH Shell
Mass OverwriteRewrite or append data to the specified file type.
FTP ManagerFTP Manager
Check SteganologerDetects images with EXIF header
AdminerDownload Adminer PHP database management into the ./tools_ensikology/
PHP InfoInformation about PHP’s configuration
Byksw TranslateCharacter replacement

The threat actor also employees the steganography technique to hide code within the exchangeable image file format (EXIF) headers of an image file.

Webshell Interface

The malware also includes two scanning methods;

Backdoor Scan – Scans for the existence of a web shell from a hardcoded list.

Remote server scan – Checks infected web server for the presence of other web shells.

Also it employees a function Mass Overwrite that used to rewrite/append the content of all files with directories and subdirectories.

By injecting an Ensiko web shell attacker can enable remote administration, file encryption, and many more features on a compromised web server.


SHA-256 Hash


You can follow us on LinkedinTwitterFacebook for daily Cybersecurity, and hacking news updates.


Also Read

APT Group Actively Exploiting Internet-facing Vulnerable ColdFusion Server and Uploading Webshell

APT 34 Hackers Group Owned Hacking Tools, Webshell, Malware Code, C2 Servers IP Leaked in Telegram

Guru is an Ex-Security Engineer at Comodo Cybersecurity. Co-Founder - Cyber Security News & GBHackers On Security.


Please enter your comment!
Please enter your name here