Ensiko Web Shell Overview

This threat report is about the Ensiko web shell which has a variety of operational capacities and provides actionable intelligence on how to protect against it. The web shell is multi-platform, infecting Windows, Linux, and macOS computers. If the system has PHP installed, the malware can infect the host.

Ensiko Tactics, Techniques, and Procedures

The Ensiko web shell can gain access to web servers through vulnerable applications or attacking already compromised servers. Once the malware is deployed, it can download more functionality from Pastebin or perform mass encryption on the affected webserver via ransomware.

The ransomware component uses RIJNDAEL_128 with CBC mode to encrypt files and overwrites the .htaccess to set a new home page. The new home page is the hacker's calling card with a reference to the group name and their symbol which is an owl.

The new home page has highly obfuscated code using Base64. The ransomware appends all files with the .bak file extension.

The next unique functionality is the ability to pull exchangeable image file format (EXIF) headers from image files. This allows the malware to pull hidden code from three images using a PHP function called exif_read_data. The technique is referred to as steganography which is a useful way to obfuscate the operational components of the malware.

How this Affects You

Infection by Ensiko may result in the following:

  • Propagation of malware
  • Data loss due to ransomware
  • Loss of reputation due to the defacing of the corporate website

What you Can do

Avertium strongly recommends you take the following actions to protect against the Ensiko web shell:

  • Keep your web applications up to date and secured behind a firewall
  • Perform file integrity monitoring on your web servers to detect the presence of web shells or website defacing attempts
  • Place the webserver behind an intrusion prevention system to block common attack methods

Sources and Supporting Documentation

Ensiko Web Shell Information Sources

MITRE Mapping(s)

Note: The Avertium Threat Report analyzes one current threat that has been shared by threat intelligence networks across the globe. Used internally by the Avertium CyberOps Team, this report will outline a “top-of-mind” threat and how it ought to be addressed accordingly.

This informed analysis is based on the latest data available.

Contact us for more information about Avertium’s managed security service capabilities. 

msp siem

Deciding between running an in-house SOC vs. using managed security services (MSS) to add more rigor, more relevance, and more responsiveness to your cybersecurity program? Compare the two options. Download the e-book!

Chat With One of Our Experts

Threat Report Ensiko web shell Ransomware Attacks Blog