Ensiko: A Webshell With Ransomware Capabilities

By Aliakbar Zahravi 


Ensiko is a PHP web shell with ransomware capabilities that runs on Linux, Windows, macOS, or any other platform with PHP installed. It gives the attacker remote control of the infected system and accepts commands to perform malicious activities on it.


It can also execute shell commands on an infected system and send the results back to the attacker via a PHP reverse shell. It is capable of scanning servers for the presence of other web shells, defacing websites, sending mass emails, downloading remote files, disclosing information about the affected server, launching brute-force attacks against File Transfer Protocol (FTP), cPanel, and Telnet, overwriting files with specified extensions, and more.

Webshell Authentication


The web shell can be password-protected. For authentication, the malware displays a Not Found page that contains a hidden login form, as seen in the next two figures:


Figure 1. Not Found page and hidden login form


Figure 2. PHP code for password authentication


The password for this sample is “RaBiitch”. The following figure shows captured network traffic for an authentication request to the web shell panel:


Figure 3. Captured network traffic


Figure 4. Appearance of Ensikology webshell
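A defender-side heuristic for the authentication trick described above, added here as an example that is not from the Trend Micro write-up or from the malware itself: it flags PHP files that both render a "Not Found" page and carry a password form or a credential check, a combination a genuine 404 page never needs. The indicator patterns and the sample inputs are assumptions constructed for illustration, not signatures taken from the sample.

```python
"""Heuristic scan for PHP files hiding a login form behind a fake 'Not Found' page.
Added example; indicators are assumptions drawn from the write-up's description."""
import re
from pathlib import Path

# Each indicator is (name, compiled regex). Assumed indicators: a fake 404 page,
# a password input or POST credential parameter, and a hashed credential comparison.
INDICATORS = [
    ("fake_404", re.compile(r"(404\s+Not\s+Found|<title>\s*Not\s+Found)", re.I)),
    ("password_form", re.compile(r"<input[^>]+type\s*=\s*['\"]?password", re.I)),
    ("post_credential", re.compile(
        r"\$_(POST|REQUEST)\s*\[\s*['\"](pass|password|pw|login)['\"]", re.I)),
    ("cred_compare", re.compile(r"(md5|sha1|hash)\s*\(\s*\$_(POST|REQUEST)", re.I)),
]


def score_php(source: str) -> dict:
    """Return {'hits': [indicator names], 'suspicious': bool} for one PHP source."""
    hits = [name for name, rx in INDICATORS if rx.search(source)]
    # A real 404 page has no password handling; a real login page does not claim
    # to be a 404. The combination is what is worth triaging.
    suspicious = "fake_404" in hits and len(hits) >= 2
    return {"hits": hits, "suspicious": suspicious}


def scan_dir(root: Path) -> list:
    """Scan every *.php under root and return the paths flagged as suspicious."""
    flagged = []
    for path in root.rglob("*.php"):
        try:
            result = score_php(path.read_text(errors="ignore"))
        except OSError:
            continue  # unreadable file; skip rather than abort the whole scan
        if result["suspicious"]:
            flagged.append(str(path))
    return flagged


# Constructed samples (not the real malware) exercising the heuristic.
SAMPLE_SUSPICIOUS = """<?php
if (md5($_POST['pass']) == 'constructed-hash-value') { /* grant access */ }
?><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1>
<form method="post" style="display:none"><input type="password" name="pass">
</form></body></html>"""
SAMPLE_BENIGN_404 = "<html><head><title>404 Not Found</title></head><body>Not Found</body></html>"

if __name__ == "__main__":
    print(score_php(SAMPLE_SUSPICIOUS))  # suspicious: True
    print(score_php(SAMPLE_BENIGN_404))  # suspicious: False
```

Run `scan_dir(Path("/var/www"))` (path assumed) to triage a document root; hits are leads for manual review, not proof of compromise.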


Webshell features


The following is a list of Ensiko’s capabilities:


Feature    | Description
-----------|------------------------------------------------
Priv Index | Download ensikology.php from pastebin
Ransomware | Encrypt files using Rijndael 128 in CBC mode
CGI Telnet | Download CGI-Telnet version 1.3 from pastebin;

CGI-Telnet is a CGI s ..
