This threat report is about the Ensiko web shell which has a variety of operational capacities and provides actionable intelligence on how to protect against it. The web shell is multi-platform, infecting Windows, Linux, and macOS computers. If the system has PHP installed, the malware can infect the host.
The Ensiko web shell can gain access to web servers through vulnerable applications or attacking already compromised servers. Once the malware is deployed, it can download more functionality from Pastebin or perform mass encryption on the affected webserver via ransomware.
The ransomware component uses RIJNDAEL_128 with CBC mode to encrypt files and overwrites the .htaccess to set a new home page. The new home page is the hacker's calling card with a reference to the group name and their symbol which is an owl.
The new home page has highly obfuscated code using Base64. The ransomware appends all files with the .bak file extension.
The next unique functionality is the ability to pull exchangeable image file format (EXIF) headers from image files. This allows the malware to pull hidden code from three images using a PHP function called exif_read_data. The technique is referred to as steganography which is a useful way to obfuscate the operational components of the malware.
Infection by Ensiko may result in the following:
Avertium strongly recommends you take the following actions to protect against the Ensiko web shell:
Note: The Avertium Threat Report analyzes one current threat that has been shared by threat intelligence networks across the globe. Used internally by the Avertium CyberOps Team, this report will outline a “top-of-mind” threat and how it ought to be addressed accordingly.
This informed analysis is based on the latest data available.
Deciding between running an in-house SOC vs. using managed security services (MSS) to add more rigor, more relevance, and more responsiveness to your cybersecurity program? Compare the two options. Download the e-book!