Rewterz Threat Alert – Skimmers in Images & GitHub Repos
July 28, 2020
Rewterz Threat Alert – QSnatch malware Targeting QNAP NAS Devices
July 28, 2020
Severity
High
Analysis Summary
Ensiko is a PHP web shell with ransomware capabilities that targets any platform with PHP installed, including Linux, Windows and macOS. The malware can remotely control the system and accept commands to perform malicious activities on the infected machine. It can also execute shell commands on the infected system and send the results back to the attacker via a PHP reverse shell. It is capable of scanning servers for the presence of other web shells, defacing websites, sending mass emails, downloading remote files, disclosing information about the affected server, running brute-force attacks against file transfer protocol (FTP), cPanel and Telnet, overwriting files with specified extensions, and more.
The malware encrypts files in the web shell's directory and its subdirectories using PHP RIJNDAEL_128 in CBC mode and appends the “.bak” extension to the filenames.
The malware also drops an index.php file and sets it as the default page using a .htaccess file; the attacker is also notified of this action via email.
To carry out more tasks on an infected system, the malware can load various additional tools onto it. Most of these tools are fetched from Pastebin, and the malware creates a directory called tools_ensikology to store them.
The web shell also supports a steganography technique in which a malicious actor hides code within the exchangeable image file format (EXIF) headers of an image file and uses the PHP function exif_read_data to extract and run that code on the affected server. Ensiko's steganologer function identifies images carrying such EXIF headers and labels them as a “logger”.
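A defender-side check for the EXIF-hidden-code technique described above, added here as an example (it is not Rewterz's or Ensiko's code): it walks the JPEG marker segments, pulls out the APP1/Exif payload and flags PHP open tags or dangerous function calls inside it. The sample JPEG byte strings, the pattern list and all function names are constructed for this example.

```python
import re
import struct

# JPEG markers that carry no length field (SOI, EOI, RSTn, TEM).
_STANDALONE = {0xD8, 0xD9, 0x01} | set(range(0xD0, 0xD8))

# Fragments a PHP payload planted in EXIF metadata would need; constructed list.
PHP_PATTERNS = re.compile(
    rb"<\?php|<\?=|\b(eval|assert|system|passthru|shell_exec|base64_decode)\s*\(",
    re.IGNORECASE,
)

def jpeg_segments(data: bytes):
    """Yield (marker, payload) for each header segment of a JPEG byte string."""
    if data[:2] != b"\xFF\xD8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = data[pos + 1]
        pos += 2
        if marker in _STANDALONE:
            yield marker, b""
            if marker == 0xD9:  # EOI: nothing follows
                return
            continue
        if marker == 0xDA:  # SOS: entropy-coded image data follows, no more headers
            return
        (length,) = struct.unpack(">H", data[pos:pos + 2])  # length includes itself
        yield marker, data[pos + 2:pos + length]
        pos += length

def exif_payload_findings(data: bytes):
    """Return suspicious PHP fragments found inside APP1/Exif segments."""
    findings = []
    for marker, payload in jpeg_segments(data):
        if marker == 0xE1 and payload.startswith(b"Exif\x00\x00"):
            findings.extend(m.group(0).decode("latin-1") for m in PHP_PATTERNS.finditer(payload))
    return findings

def _app1(payload: bytes) -> bytes:
    """Wrap a payload in an APP1 segment (constructed helper for the samples)."""
    return b"\xFF\xE1" + struct.pack(">H", len(payload) + 2) + payload

# Minimal big-endian TIFF header with an empty IFD, then constructed metadata text.
EXIF_STUB = b"Exif\x00\x00" + b"MM\x00\x2A\x00\x00\x00\x08" + b"\x00\x00"
CLEAN_JPEG = b"\xFF\xD8" + _app1(EXIF_STUB + b"UserComment: holiday photo") + b"\xFF\xD9"
PLANTED_JPEG = b"\xFF\xD8" + _app1(EXIF_STUB + b"<?php eval('constructed sample'); ?>") + b"\xFF\xD9"

if __name__ == "__main__":
    for name, img in (("clean", CLEAN_JPEG), ("planted", PLANTED_JPEG)):
        print(name, exif_payload_findings(img))
```

Run it over uploaded images on a PHP host; any hit on a file the web server can reach warrants inspection of that file and of scripts that call exif_read_data on it.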
Impact
- Execute shell commands
- File downloading
- Scanning servers
- Information disclosure
Indicators of Compromise
MD5
- 3471bd4d40f8f826caa76622f4b08b0e
SHA-256
- 5fdbf87b7f74327e9132b5edb5c217bdcf49fe275945d502ad675c1dd46e3db5
SHA1
- 40f569a58cfcd15ba9593afe5c1e808130b0d68c
Remediation
- Block all threat indicators at your respective controls.
- Search for IOCs in your environment.