Ensiko Malware Can Target Linux, Windows, and macOS



Cybersecurity researchers recently discovered an advanced threat with a set of malicious capabilities, including ransomware.

Dubbed Ensiko, the malware is a PHP web shell with ransomware capabilities that can target Linux, Windows, and macOS machines. It can also target any other platform with PHP installed, Trend Micro researchers say.

Ensiko Malware: Technical Overview


As just mentioned, Ensiko is a PHP web shell with various capabilities. The malware can control a compromised system remotely and accept commands from threat actors to carry out various malicious scenarios.


Ensiko “can also execute shell commands on an infected system and send the results back to the attacker via a PHP reverse shell.” The malware can scan servers for the presence of other webshells. Other capabilities include defacing websites, sending mass emails, downloading remote files, disclosing information about the affected server, brute-force attacks against file transfer protocol (FTP), cPanel, and Telnet, overwriting files with specified extensions, among others.

The malware can be password-protected. For authentication, it displays a Not Found page with a hidden login form. Other capabilities of Ensiko include:



- Priv Index: Download ensikology.php from pastebin
- Ransomware: Encrypt files using RIJNDAEL 128 with CBC mode
- CGI Telnet: Download CGI-telnet version 1.3 from pastebin; CGI-Telnet is a CGI script that allows you to execute commands on your web server.
- Reverse Shell: PHP reverse shell
- Mini Shell 2: Drop Mini Shell 2 webshell payload in ./tools_ensikology/
- IndoXploit: Drop IndoXploit webshell payload in ./tools_ensikology/
- Sound Cloud: Display sound cloud
- Realtime DDOS Map: Fortinet DDoS map
- Encode/Decode: Encode/decode string buffer
- Safe Mode Fucker: Disable PHP Safe Mode
- Dir Listing Forb ..
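The indicators above are enough to build a first-pass triage scan of a PHP web root. The following script is an added example and is not code from the article or from Trend Micro; it looks for the `./tools_ensikology/` drop directory and `ensikology.php` file name, the Mini Shell 2 and IndoXploit payload names, and the decoy behaviour described earlier (a "Not Found" page that still contains a password field). The list of PHP command-execution functions it also checks is a generic web shell heuristic, not something the article lists, and the sample web root it scans is constructed inline.

```python
"""Triage scan of a PHP web root for Ensiko-style web shell indicators.

Added example (not from the article or Trend Micro). Name and payload
indicators come from the article; the command-execution function list is
a generic web shell heuristic (assumption, not an Ensiko-specific fact).
"""
from __future__ import annotations

import re
import tempfile
from pathlib import Path

# File/directory names the article associates with Ensiko.
NAME_INDICATORS = ("tools_ensikology", "ensikology.php")
# Payload names the article says Ensiko drops into ./tools_ensikology/.
CONTENT_INDICATORS = (re.compile(r"IndoXploit", re.I),
                      re.compile(r"Mini\s*Shell\s*2", re.I))
# PHP functions that hand a string to a shell (generic heuristic).
EXEC_FUNCS = re.compile(r"\b(shell_exec|exec|system|passthru|popen|proc_open)\s*\(", re.I)
REQUEST_VAR = re.compile(r"\$_(GET|POST|REQUEST)\b")
# A "Not Found" body that also carries a password field: the decoy 404 login gate.
NOT_FOUND = re.compile(r"not\s+found", re.I)
PASSWORD_FIELD = re.compile(r"<input[^>]*type\s*=\s*['\"]?password", re.I)


def classify(rel_path: Path, text: str) -> list[str]:
    """Return the indicator labels that match one PHP file (empty if clean)."""
    hits = []
    rel = rel_path.as_posix()
    if any(ind in rel for ind in NAME_INDICATORS):
        hits.append("ensiko-name")
    if any(p.search(text) for p in CONTENT_INDICATORS):
        hits.append("dropped-payload-name")
    if NOT_FOUND.search(text) and PASSWORD_FIELD.search(text):
        hits.append("decoy-404-login")
    if EXEC_FUNCS.search(text) and REQUEST_VAR.search(text):
        hits.append("request-to-shell")
    return hits


def scan_webroot(root: Path) -> dict[str, list[str]]:
    """Walk a web root and return {relative_path: [labels]} for flagged .php files."""
    findings: dict[str, list[str]] = {}
    for p in root.rglob("*.php"):
        try:
            text = p.read_text(errors="replace")
        except OSError:
            continue  # unreadable file: skip rather than abort the sweep
        rel = p.relative_to(root)
        labels = classify(rel, text)
        if labels:
            findings[rel.as_posix()] = labels
    return findings


def build_sample_webroot() -> Path:
    """Constructed sample tree: a benign page, a decoy-404 shell, a dropped payload."""
    root = Path(tempfile.mkdtemp(prefix="webroot_"))
    (root / "index.php").write_text("<?php echo 'Welcome'; ?>")
    (root / "uploads").mkdir()
    (root / "uploads" / "img.php").write_text(
        "<h1>404 Not Found</h1>\n"
        "<form method='post' style='display:none'>"
        "<input type='password' name='pass'></form>\n"
        "<?php if (isset($_POST['cmd'])) { echo shell_exec($_POST['cmd']); } ?>"
    )
    (root / "tools_ensikology").mkdir()
    (root / "tools_ensikology" / "mini.php").write_text("<?php // Mini Shell 2 ?>")
    return root


if __name__ == "__main__":
    for path, labels in sorted(scan_webroot(build_sample_webroot()).items()):
        print(f"{path}: {', '.join(labels)}")
```

Point `scan_webroot()` at a real document root to use it; hits on `ensiko-name` or `dropped-payload-name` are strong signals, while `request-to-shell` and `decoy-404-login` are heuristics that deserve a manual look rather than automatic action.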
