Rewterz Threat Alert – Ensiko Webshell With Ransomware Capabilities

July 28, 2020

Severity

High

Analysis Summary

Ensiko is a PHP web shell with ransomware capabilities that targets Linux, Windows, macOS, or any other platform that has PHP installed. The malware can remotely control the system and accept commands to perform malicious activities on the infected machine. It can also execute shell commands on an infected system and send the results back to the attacker via a PHP reverse shell. It is capable of scanning servers for the presence of other webshells, defacing websites, sending mass emails, downloading remote files, disclosing information about the affected server, brute-forcing file transfer protocol (FTP), cPanel, and Telnet, overwriting files with specified extensions, and more.

The malware uses PHP RIJNDAEL_128 in CBC mode to encrypt files in the web shell directory and its subdirectories, and appends the “.bak” extension to their filenames.

The malware also drops an index.php file and sets it as the default page using a .htaccess file; the attacker is also notified of this action via email.

To carry out more tasks, the malware can load various additional tools onto an infected system. Most of these tools are loaded from Pastebin, and the malware creates a directory called tools_ensikology to store them.

In a known technique, a malicious actor hides code within the exchangeable image file format (EXIF) headers of an image file and uses the PHP function exif_read_data to extract and run that code on an affected server. Ensiko's steganologer function identifies images with EXIF headers and labels them as a logger.

Impact

  • Execute shell commands
  • File downloading 
  • Scanning servers
  • Information disclosure

Indicators of Compromise

MD5

  • 3471bd4d40f8f826caa76622f4b08b0e

SHA-256

  • 5fdbf87b7f74327e9132b5edb5c217bdcf49fe275945d502ad675c1dd46e3db5

SHA1

  • 40f569a58cfcd15ba9593afe5c1e808130b0d68c

Remediation

  • Block all threat indicators at your respective controls.
  • Search for IOCs in your environment. 
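
One way to act on the remediation steps above is to sweep a web root for the artifacts this advisory describes: the listed SHA-256, the tools_ensikology directory, ".bak" files, and PHP code in image metadata. The Python script below is an added example, not part of the original advisory; the PHP marker strings, the 128 KiB read window, and the rule that a ".bak" file with no original beside it is suspicious are assumptions made for illustration.

```python
import hashlib
import os

# SHA-256 IoC listed in this advisory.
ENSIKO_SHA256 = "5fdbf87b7f74327e9132b5edb5c217bdcf49fe275945d502ad675c1dd46e3db5"
TOOLS_DIR = "tools_ensikology"   # directory the advisory says the shell creates
EXIF_EXTS = (".jpg", ".jpeg", ".tif", ".tiff")
# Assumption: strings that should never appear in image metadata.
PHP_MARKERS = (b"<?php", b"eval(", b"base64_decode(", b"system(")
HEAD_BYTES = 128 * 1024          # assumption: metadata sits in the first 128 KiB

def sha256_file(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(65536), b""):
            digest.update(block)
    return digest.hexdigest()

def scan_webroot(root, known_hashes=(ENSIKO_SHA256,)):
    """Walk root and return sorted (finding, path) pairs for Ensiko artifacts."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        if TOOLS_DIR in dirnames:
            findings.append(("tools_dir", os.path.join(dirpath, TOOLS_DIR)))
        present = set(filenames)
        for name in filenames:
            path = os.path.join(dirpath, name)
            lower = name.lower()
            # Heuristic: "x.php.bak" with no "x.php" beside it looks like a
            # renamed (encrypted) file rather than an ordinary backup copy.
            if lower.endswith(".bak") and name[:-4] not in present:
                findings.append(("bak_without_original", path))
            try:
                if sha256_file(path) in known_hashes:
                    findings.append(("hash_match", path))
                if lower.endswith(EXIF_EXTS):
                    with open(path, "rb") as fh:
                        head = fh.read(HEAD_BYTES)
                    if any(marker in head for marker in PHP_MARKERS):
                        findings.append(("php_in_image", path))
            except OSError:
                continue  # unreadable file: skip it, do not abort the sweep
    return sorted(findings)

if __name__ == "__main__":
    import sys
    for finding, path in scan_webroot(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{finding}\t{path}")
```

Only hash_match is a confirmed indicator; the other findings are triage leads that need manual review, since legitimate backups and image tools can produce similar files.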