Ensiko Remote Shell
Ensiko is a PHP web shell that appears to have been created by an unidentified Indonesian threat actor.
It is primarily used to run ransomware against vulnerable web servers, but it also carries a large set of additional functions that its operators can invoke on demand.
Once deployed, Ensiko scans the compromised host for other web shells and sends details of any it finds, together with system information, to a command-and-control (C2) server. It then fetches several additional tools from Pastebin.
Ensiko's headline feature is its ransomware component. The files to encrypt are selected from a list supplied by the C2 server and are encrypted with Rijndael-128 (the 128-bit block variant standardised as AES) in CBC mode; each encrypted file has the extension .bak appended to its name. Because the shell runs with the privileges of the web server process, only files that account can write are at risk, so tight file permissions on the web root limit how much the ransomware can touch.
The following is a list of Ensiko’s capabilities:
| Feature | Description |
|---|---|
| Priv Index | Download ensikology.php from Pastebin |
| Ransomware | Encrypt files using Rijndael-128 in CBC mode |
| CGI Telnet | Download CGI-Telnet version 1.3 from Pastebin; CGI-Telnet is a CGI script that allows commands to be executed on the web server |
| Reverse Shell | PHP reverse shell |
| Mini Shell 2 | Drop the Mini Shell 2 web shell payload into ./tools_ensikology/ |
| IndoXploit | Drop the IndoXploit web shell payload into ./tools_ensikology/ |
| Sound Cloud | Display SoundCloud content |
| Realtime DDOS Map | Display Fortinet's real-time DDoS map |
| Encode/Decode | Encode or decode a string buffer |
| Safe Mode Fucker | Disable PHP Safe Mode |
| Dir Listing Forbidden | Turn off directory indexes |
| Mass Mailer | Mail bombing |
| cPanel Crack | Brute-force cPanel, FTP and Telnet credentials |
| Backdoor Scan | Check a remote server for an existing web shell |
| Exploit Details | Display system information and versioning |
| Remote Server Scan | Check a remote server for an existing web shell |
| Remote File Downloader | Download a file from a remote server via curl or wget |
| Hex Encode/Decode | Hex encode or decode |
| FTP Anonymous Access Scanner | Search for FTP servers that allow anonymous login |
| Mass Deface | Mass website defacement |
| Config Grabber | Grab system configuration files such as /etc/passwd |
| SymLink | Create symbolic links |
| Cookie Hijack | Session hijacking |
| Secure Shell | SSH shell |
| Mass Overwrite | Rewrite or append data to every file of a specified type |
| FTP Manager | FTP manager |
| Check Steganologer | Detect images with EXIF headers |
| Adminer | Download the Adminer PHP database management tool into ./tools_ensikology/ |
| PHP Info | Information about PHP's configuration |
| Byksw Translate | Character replacement |
| Suicide | Self-delete (remove the web shell from the server) |
Further information – https://blog.trendmicro.com/trendlabs-security-intelligence/ensiko-a-webshell-with-ransomware-capabilities/
Indicators of compromise
SHA-256
5fdbf87b7f74327e9132b5edb5c217bdcf49fe275945d502ad675c1dd46e3db5
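The following hunting script is an added example written for this post; it is not code from the original article or from Trend Micro's analysis. It walks a web root and reports the on-disk artifacts listed above: the SHA-256 of the shell, the ./tools_ensikology/ directory the tools are dropped into, the ensikology.php file fetched from Pastebin, and clusters of files carrying the .bak extension the ransomware appends. The size cap on hashing (MAX_HASH_BYTES) and the .bak cluster threshold (BAK_CLUSTER) are assumptions chosen for the example, and the fixture it builds is constructed test data rather than a real sample.

```python
"""Hunt a web root for on-disk artifacts of the Ensiko web shell.

Added example for this post; not code from the original article or from
Trend Micro's analysis. Indicators come from the post: the SHA-256 of the
shell, the ./tools_ensikology/ drop directory, the ensikology.php download
and the .bak extension the ransomware component appends. The thresholds
and the fixture below are assumptions / constructed test data.
"""
import hashlib
import os
import tempfile

ENSIKO_SHA256 = {
    "5fdbf87b7f74327e9132b5edb5c217bdcf49fe275945d502ad675c1dd46e3db5",
}
DROP_DIR = "tools_ensikology"      # Mini Shell 2, IndoXploit and Adminer are dropped here
DROP_NAMES = {"ensikology.php"}    # the "Priv Index" download from Pastebin
RANSOM_EXT = ".bak"                # appended to every file the ransomware encrypts
MAX_HASH_BYTES = 8 * 1024 * 1024   # assumption: do not hash files larger than this
BAK_CLUSTER = 20                   # assumption: this many .bak files in one directory is suspicious


def sha256_file(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def hunt(root, known_hashes=ENSIKO_SHA256):
    """Walk `root` and return a sorted list of (indicator, path) findings.

    A hash match is the only strong indicator. Directory and file names are
    conventions the operator can change, and .bak files exist on healthy
    servers too, so those findings are leads to review, not proof.
    """
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if os.path.basename(dirpath) == DROP_DIR:
            findings.append(("drop_dir", dirpath))
        bak_count = 0
        for name in filenames:
            path = os.path.join(dirpath, name)
            if name in DROP_NAMES:
                findings.append(("drop_name", path))
            if name.endswith(RANSOM_EXT):
                bak_count += 1
            try:
                if os.path.getsize(path) <= MAX_HASH_BYTES and sha256_file(path) in known_hashes:
                    findings.append(("known_hash", path))
            except OSError:
                continue  # unreadable or vanished file; keep walking
        # Many .bak files in one directory is the ransomware's footprint;
        # a lone .bak is just somebody's backup and is not reported.
        if bak_count >= BAK_CLUSTER:
            findings.append(("bak_cluster", dirpath))
    return sorted(findings)


def build_fixture():
    """Create a constructed web root containing the artifacts hunted for above."""
    root = tempfile.mkdtemp(prefix="ensiko_hunt_")
    os.makedirs(os.path.join(root, DROP_DIR))
    with open(os.path.join(root, DROP_DIR, "ensikology.php"), "w") as f:
        f.write("<?php /* constructed placeholder, not the real payload */ ?>\n")
    uploads = os.path.join(root, "uploads")
    os.makedirs(uploads)
    for i in range(BAK_CLUSTER):
        with open(os.path.join(uploads, f"doc{i}.pdf{RANSOM_EXT}"), "wb") as f:
            f.write(os.urandom(32))  # stand-in for ciphertext
    with open(os.path.join(root, "index.php"), "w") as f:
        f.write("<?php echo 'legitimate page'; ?>\n")
    return root


if __name__ == "__main__":
    fixture = build_fixture()
    for indicator, path in hunt(fixture):
        print(f"{indicator:12} {os.path.relpath(path, fixture)}")
```

Run it against a real document root as the web server user (or root) rather than the fixture; on a live host, also compare any `known_hash` hit against the file's modification time and the web server's access logs for the request that first touched it, since the same shell is frequently re-uploaded under a different name after cleanup.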

I am one of the editors here at www.systemtek.co.uk I am a UK based technology professional, with an interest in computer security and telecoms.