The Ensiko Malware
A new type of malware packed with malicious features has recently been reported by security researchers. The threat is named Ensiko and, according to initial reports, it can encrypt files on practically any system that runs PHP, thereby placing Windows, macOS and Linux hosts at high risk.
The malware is a PHP web shell that malicious actors may use to remotely control a system and execute a variety of destructive actions on the compromised device.
Initial research into the threat reveals that Ensiko has a long list of malicious capabilities. What stands out the most is the file-encryption component, which can be used to carry out ransomware attacks against a wide range of servers.
Trend Micro researchers have taken a deeper look into the malware’s code and noticed that it uses the symmetric Rijndael-128 cipher in CBC mode for file encryption. According to their findings, Ensiko encrypts files in the web shell’s directory and its subdirectories, and appends the .BAK extension to each encrypted file.
The researchers also found that the web shell can be protected with a password, so that only its operator can use it and nobody else can take it over. Authenticating to the web shell is not straightforward, though, as the malware developer has hidden the login form on a page that presents itself as “Not found”.
In order to expand its malicious capabilities even more, Ensiko malware tends to download a set of tools from Pastebin. These tools are stored in a directory named “tools_ensikology” and are loaded as needed.
Another stand-out feature of the malware is the so-called Steganologer. It is used in combination with a technique in which the malicious actor hides code in the EXIF header of an image file and uses a PHP function to run that code on the infected system. The role of the Steganologer is to detect image files that carry such code in their metadata (EXIF headers) and use them as loggers.
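For defenders, the practical question raised by the Steganologer technique is how to spot image files whose metadata carries PHP code before anything ever evaluates it. The scanner below is an added example written for this article, not code from Trend Micro or from the malware; it walks the JPEG segment structure and looks only inside metadata segments (APPn, where EXIF lives, and COM) for PHP tokens. The token list and the minimal constructed JPEG samples are assumptions of this example, and the check is a heuristic, not a full EXIF parser.

```python
"""Heuristic scan of JPEG metadata segments (APPn/COM) for embedded PHP code."""
import re

# Tokens that have no legitimate place in image metadata (assumed heuristic list).
PHP_TOKENS = re.compile(rb"<\?php|\beval\s*\(|base64_decode\s*\(", re.IGNORECASE)

SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
METADATA_MARKERS = set(range(0xE0, 0xF0)) | {0xFE}  # APP0-APP15 and COM


def iter_segments(data: bytes):
    """Yield (marker, payload) for each JPEG segment before the entropy-coded data."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"bad marker at offset {pos}")
        marker = data[pos + 1]
        if marker in (EOI, SOS):  # end of image or start of scan: stop here
            return
        if pos + 4 > len(data):
            raise ValueError("truncated segment header")
        length = int.from_bytes(data[pos + 2 : pos + 4], "big")  # includes the 2 length bytes
        yield marker, data[pos + 4 : pos + 2 + length]
        pos += 2 + length


def find_php_in_metadata(data: bytes) -> list:
    """Return (segment name, first matched token) for every suspicious metadata segment."""
    hits = []
    for marker, payload in iter_segments(data):
        if marker in METADATA_MARKERS:
            match = PHP_TOKENS.search(payload)
            if match:
                name = "COM" if marker == 0xFE else f"APP{marker - 0xE0}"
                hits.append((name, match.group(0)))
    return hits


def build_jpeg(segments) -> bytes:
    """Constructed test data: SOI, the given (marker, payload) segments, then EOI."""
    out = b"\xff\xd8"
    for marker, payload in segments:
        out += b"\xff" + bytes([marker]) + (len(payload) + 2).to_bytes(2, "big") + payload
    return out + b"\xff\xd9"


# Constructed samples: a benign EXIF block, and one with an inert PHP tag plus a COM segment.
CLEAN = build_jpeg([(0xE1, b"Exif\x00\x00Make=Camera Co;Model=X100")])
SUSPICIOUS = build_jpeg([(0xE1, b"Exif\x00\x00UserComment=<?php echo 'x'; ?>"),
                         (0xFE, b"eval(base64_decode(...))")])
```

On a real web root, feed each image file's bytes to find_php_in_metadata and alert on any non-empty result; a hit is worth a look even if the file is never referenced by PHP code.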
Further analysis by Trend Micro researchers also reveals that Ensiko uses a pre-defined list to check whether a web shell is present on a remote host. Another feature that adds to the threat is the so-called Remote File Check, which enables the malicious actor to look for specific files on a remote system. But that is not all: the same Remote File Check feature can also overwrite every file with a given extension in the web shell directory.
The malicious capabilities of Ensiko, however, do not end here. The malware lets attackers target FTP, cPanel and Telnet services and run brute-force attacks against them, extending their unauthorized access. Additionally, Ensiko is capable of sending mass emails, defacing websites, downloading remote files, collecting information about the infected server, gaining unauthorized access to databases, and more.