Ensiko Remote Shell

Ensiko is a PHP web shell that appears to have been created by an unidentified Indonesian threat actor.

Primarily used to perform ransomware attacks against vulnerable web systems, it has a host of additional functionality that can be deployed by its operators.

Once delivered, Ensiko will attempt to scan the affected system for other web shells, sending details of any found, along with system information, to a command and control (C2) server. It then connects to a Pastebin site to load several additional tools.

Ensiko’s primary function appears to be as a ransomware tool. Files are targeted using a list provided by the C2 server and are encrypted using the Rijndael-128 (AES) algorithm in CBC mode. Encrypted files then have the extension .bak appended.

The following is a list of Ensiko’s capabilities:

Feature | Description
Priv Index | Download ensikology.php from Pastebin
Ransomware | Encrypt files using Rijndael-128 in CBC mode
CGI Telnet | Download CGI-Telnet version 1.3 from Pastebin; CGI-Telnet is a CGI script that allows you to execute commands on your web server
Reverse Shell | PHP reverse shell
Mini Shell 2 | Drop Mini Shell 2 web shell payload in ./tools_ensikology/
IndoXploit | Drop IndoXploit web shell payload in ./tools_ensikology/
Sound Cloud | Display SoundCloud
Realtime DDOS Map | Fortinet DDoS map
Encode/Decode | Encode/decode string buffer
Safe Mode Fucker | Disable PHP Safe Mode
Dir Listing Forbidden | Turn off directory indexes
Mass Mailer | Mail bombing
cPanel Crack | Brute-force cPanel, FTP and telnet
Backdoor Scan | Check remote server for existing web shell
Exploit Details | Display system information and versioning
Remote Server Scan | Check remote server for existing web shell
Remote File Downloader | Download file from remote server via curl or wget
Hex Encode/Decode | Hex encode/decode
FTP Anonymous Access Scanner | Search for anonymous FTP
Mass Deface | Defacement
Config Grabber | Grab system configuration such as “/etc/passwd”
SymLink | Symbolic link
Cookie Hijack | Session hijacking
Secure Shell | SSH shell
Mass Overwrite | Rewrite or append data to the specified file type
FTP Manager | FTP manager
Check Steganologer | Detects images with EXIF header
Adminer | Download Adminer PHP database management into ./tools_ensikology/
PHP Info | Information about PHP’s configuration
Byksw Translate | Character replacement
Suicide | Self-delete

Further information – https://blog.trendmicro.com/trendlabs-security-intelligence/ensiko-a-webshell-with-ransomware-capabilities/

Indicators of compromise

SHA 256

5fdbf87b7f74327e9132b5edb5c217bdcf49fe275945d502ad675c1dd46e3db5
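The description above gives a defender three concrete host-side artefacts to look for: the SHA-256 of the sample, the ./tools_ensikology/ drop directory named in the feature table, and files renamed with a .bak extension after encryption. The following script is an added example written for this page, not code from Ensiko or from the Trend Micro write-up. It walks a web root and reports any of those three signals. The entropy threshold of 7.5 bits per byte (used to separate encrypted .bak files from ordinary plaintext backups), the helper names, and the constructed sample tree it builds for demonstration are all assumptions of the example rather than anything stated on the page.

```python
import hashlib
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# SHA-256 of the Ensiko sample listed on this page.
ENSIKO_SHA256 = "5fdbf87b7f74327e9132b5edb5c217bdcf49fe275945d502ad675c1dd46e3db5"
# Directory the feature table says Ensiko drops its helper tools into.
TOOLS_DIR_NAME = "tools_ensikology"
# Extension appended to files after encryption.
ENCRYPTED_EXT = ".bak"
# Assumed threshold: Shannon entropy (bits/byte) above which a .bak file
# looks like ciphertext rather than a plaintext backup. Random or
# AES-CBC-encrypted data sits close to 8.0; text sits well below.
ENTROPY_THRESHOLD = 7.5


def sha256_of_file(path):
    """Stream a file through SHA-256 so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def shannon_entropy(data):
    """Shannon entropy of a byte string in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def scan_webroot(root):
    """Return (finding_kind, path) tuples for the three Ensiko artefacts."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        dirpath = Path(dirpath)
        if dirpath.name == TOOLS_DIR_NAME:
            findings.append(("tools_dir", str(dirpath)))
        for name in filenames:
            p = dirpath / name
            try:
                if sha256_of_file(p) == ENSIKO_SHA256:
                    findings.append(("known_sample", str(p)))
                if p.suffix == ENCRYPTED_EXT:
                    # Only the first 64 KiB is sampled; enough to judge entropy.
                    ent = shannon_entropy(p.read_bytes()[:65536])
                    if ent >= ENTROPY_THRESHOLD:
                        findings.append(("high_entropy_bak", str(p)))
            except OSError:
                # Unreadable files are skipped rather than aborting the scan.
                continue
    return findings


def build_constructed_sample(base):
    """Create a constructed directory tree for demonstration; contains no malware."""
    base = Path(base)
    (base / TOOLS_DIR_NAME).mkdir()
    (base / "index.php").write_text("<?php echo 'hello'; ?>\n")
    # A legitimate plaintext backup: should NOT be flagged.
    (base / "notes.txt.bak").write_bytes(b"plain text backup line\n" * 200)
    # Stand-in for an encrypted file: random bytes have near-maximal entropy.
    (base / "invoice.pdf.bak").write_bytes(os.urandom(8192))
    return base


def demo():
    """Scan the constructed sample tree and return the findings list."""
    with tempfile.TemporaryDirectory() as tmp:
        build_constructed_sample(tmp)
        return scan_webroot(tmp)


if __name__ == "__main__":
    for kind, path in demo():
        print(f"{kind:18s} {path}")
```

Run it against a real web root by calling scan_webroot("/var/www/html") instead of demo(). The hash match is the only high-confidence signal; a tools_ensikology directory or a burst of high-entropy .bak files is a trigger for triage, since a server may legitimately hold compressed or encrypted backups that will also score near 8.0.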

Jason Davies

UK based technology professional, with an interest in computer security and telecoms.
