Ensiko: A Webshell With Ransomware Capabilities

By Aliakbar Zahravi 

Ensiko is a PHP web shell with ransomware capabilities that targets various platforms such as Linux, Windows, macOS, or any other platform that has PHP installed. The malware has the capability to remotely control the system and accept commands to perform malicious activities on the infected machine.

It can also execute shell commands on an infected system and send the results back to the attacker via a PHP reverse shell. It is capable of scanning servers for the presence of other webshells, defacing websites, sending mass emails, downloading remote files, disclosing information about the affected server, brute-force attacks against file transfer protocol (FTP), cPanel, and Telnet, overwriting files with specified extensions, and more.

Technical Details

Webshell Authentication

The web shell can be password-protected. For authentication, it displays a Not Found page with a hidden login form, as seen in the next two figures:

Figure 1. Not Found page and hidden login form

Figure 2. PHP code for password authentication

The password for this sample is “RaBiitch”, while the following figure shows captured network traffic for an authentication request to the web shell panel:

Figure 3. Captured network traffic

Figure 4. Appearance of Ensikology webshell

Webshell features

The following is a list of Ensiko’s capabilities:

| Feature | Description |
| --- | --- |
| Priv Index | Download ensikology.php from Pastebin |
| Ransomware | Encrypt files using RIJNDAEL 128 with CBC mode |
| CGI Telnet | Download CGI-telnet version 1.3 from Pastebin; CGI-Telnet is a CGI script that allows you to execute commands on your web server |
| Reverse Shell | PHP reverse shell |
| Mini Shell 2 | Drop Mini Shell 2 webshell payload in ./tools_ensikology/ |
| IndoXploit | Drop IndoXploit webshell payload in ./tools_ensikology/ |
| Sound Cloud | Display SoundCloud |
| Realtime DDOS Map | Fortinet DDoS map |
| Encode/Decode | Encode/decode string buffer |
| Safe Mode Fucker | Disable PHP Safe Mode |
| Dir Listing Forbidden | Turn off directory indexes |
| Mass Mailer | Mail bombing |
| cPanel Crack | Brute-force cPanel, FTP, and Telnet |
| Backdoor Scan | Check remote server for existing web shell |
| Exploit Details | Display system information and versioning |
| Remote Server Scan | Check remote server for existing web shell |
| Remote File Downloader | Download file from remote server via cURL or wget |
| Hex Encode/Decode | Hex encode/decode |
| FTP Anonymous Access Scanner | Search for anonymous FTP |
| Mass Deface | Defacement |
| Config Grabber | Grab system configuration such as “/etc/passwd” |
| SymLink | Link |
| Cookie Hijack | Session hijacking |
| Secure Shell | SSH shell |
| Mass Overwrite | Rewrite or append data to the specified file type |
| FTP Manager | FTP manager |
| Check Steganologer | Detects images with EXIF header |
| Adminer | Download Adminer PHP database management into ./tools_ensikology/ |
| PHP Info | Information about PHP’s configuration |
| Byksw Translate | Character replacement |
| Suicide | Self-delete |

Figure 5. Code listing Ensiko features (Click to enlarge)

Ransomware Analysis

The malware uses PHP RIJNDAEL_128 with CBC mode to encrypt files in the web shell's directory and its subdirectories, appending the “.bak” extension to the filenames. The following code snippet demonstrates this behavior:

Figure 6. Code showing encryption behavior (Click to enlarge)

Figure 7. Encryption and decryption code (Click to enlarge)

Figure 8. Webshell portion with ransomware key

Figure 9. Log of files being encrypted (Click to enlarge)

Figure 10. Encrypted files in directory

Figure 11. POST request to affected server

The malware also drops an index.php file and sets it as the default page using a .htaccess file; the attacker is also notified of this action via email. The following code snippet shows this behavior:

Figure 12. Code snippet for dropped .htaccess page

Figure 13. The notification that appears when index.php is accessed

Figure 14. Appearance of index.php page

Figure 15. Encoded form of index.php

Figure 16. Decoded appearance of index.php

Tool set

To carry out more tasks on an infected system, the malware can load various additional tools onto it. Most of these tools are loaded from Pastebin. The malware creates a directory called tools_ensikology to store them.

Figure 17. Tools loaded from Pastebin
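The ransomware and tool set sections above describe three on-disk artefacts a defender can look for: files renamed with a “.bak” extension whose content is now ciphertext, a dropped .htaccess that makes index.php the default page, and a tools_ensikology directory. The script below is an added example, not code from the original post or from Ensiko itself, that walks a document root and reports all three. It assumes the .htaccess uses Apache's DirectoryIndex directive to set the default page (the post describes the effect, not the directive) and it separates genuine text backups from encrypted blobs by Shannon entropy, since CBC ciphertext is close to 8 bits per byte. The sample tree it scans is constructed inside the script.

```python
import math
import tempfile
from pathlib import Path

# Names taken from the write-up: encrypted files get a ".bak" suffix, dropped
# tools live in tools_ensikology, and a dropped .htaccess makes index.php the
# default page. DirectoryIndex is the Apache directive assumed here for that
# last point; the post describes the effect, not the directive.
ENCRYPTED_SUFFIX = ".bak"
TOOLS_DIR = "tools_ensikology"
ENTROPY_THRESHOLD = 7.0  # bits per byte; CBC ciphertext sits close to 8.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def scan_webroot(root) -> dict:
    """Walk a document root and collect the three artefacts described above."""
    root = Path(root)
    findings = {"encrypted_candidates": [], "tool_dirs": [], "htaccess_index": []}
    for path in sorted(root.rglob("*")):
        rel = path.relative_to(root).as_posix()
        if path.is_dir():
            if path.name == TOOLS_DIR:
                findings["tool_dirs"].append(rel)
            continue
        if path.suffix == ENCRYPTED_SUFFIX:
            # A genuine backup is mostly text; an encrypted blob is near-uniform.
            entropy = shannon_entropy(path.read_bytes()[:65536])
            if entropy >= ENTROPY_THRESHOLD:
                findings["encrypted_candidates"].append((rel, round(entropy, 2)))
        elif path.name == ".htaccess":
            for line in path.read_text(errors="replace").splitlines():
                if line.strip().lower().startswith("directoryindex") and "index.php" in line:
                    findings["htaccess_index"].append(rel)
    return findings


def build_demo_tree(base) -> None:
    """Constructed sample tree: one ciphertext-like .bak, one ordinary .bak, the tools dir, the .htaccess."""
    base = Path(base)
    (base / "data").mkdir(parents=True)
    # Stand-in for encrypted output: every byte value equally often, entropy exactly 8.0.
    (base / "data" / "db.sql.bak").write_bytes(bytes(range(256)) * 16)
    (base / "notes.txt.bak").write_text("meeting notes, plain text backup\n" * 40)
    (base / TOOLS_DIR).mkdir()
    (base / ".htaccess").write_text("DirectoryIndex index.php\n")
    (base / "index.html").write_text("<html><body>hello</body></html>\n")


def run_demo() -> dict:
    """Build the constructed tree in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_tree(tmp)
        return scan_webroot(tmp)


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Only the first 64 KiB of each .bak file is read, which keeps the scan cheap on large archives while still being far more than enough bytes for the entropy estimate; the plain-text notes.txt.bak is correctly left out of the encrypted candidates.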

Steganologer

There is a technique in which a malicious actor hides code within the exchangeable image file format (EXIF) headers of an image file and uses a PHP function called exif_read_data to extract and run this code on an affected server. The steganologer function identifies images with EXIF headers and labels them as loggers. In the following screenshot, test1.jpg and test2.jpg both have EXIF headers with hidden code and are identified as loggers.

Figure 18. Files with hidden code

Figure 19. Code for identifying files with hidden executable code
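The web shell only flags images that have an EXIF header at all. A defender checking an upload directory wants the opposite question answered: does any metadata segment of a JPEG carry PHP source? The following is an added example, not code from the post or from Ensiko, that walks the length-prefixed marker segments of a JPEG (APP1 is where EXIF lives; COM is the free-form comment segment) and reports any segment containing a PHP indicator. The indicator list and the minimal constructed JPEG used to exercise it are this example's own assumptions; the post names the technique but not a list of strings.

```python
import struct

# Strings whose presence in image metadata marks embedded PHP source. This is
# the indicator list assumed by this example; the post names the technique only.
CODE_INDICATORS = (b"<?php", b"<?=", b"eval(")


def iter_jpeg_segments(data: bytes):
    """Yield (marker, payload) for each length-prefixed segment up to SOS or EOI."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected 0xFF at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:                      # fill byte, skip it
            pos += 1
            continue
        if marker in (0xD9, 0xDA):              # EOI, or SOS: entropy-coded data follows
            return
        if marker == 0x01 or 0xD0 <= marker <= 0xD8:  # stand-alone markers carry no length
            pos += 2
            continue
        if pos + 4 > len(data):
            raise ValueError("truncated segment header")
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])  # length includes its own 2 bytes
        payload = data[pos + 4:pos + 2 + length]
        yield marker, payload
        pos += 2 + length


def segment_name(marker: int) -> str:
    if 0xE0 <= marker <= 0xEF:
        return f"APP{marker - 0xE0}"
    return "COM" if marker == 0xFE else f"0x{marker:02X}"


def find_embedded_code(data: bytes) -> list:
    """Return (segment, indicator, offset) for each metadata segment carrying a PHP indicator."""
    hits = []
    for marker, payload in iter_jpeg_segments(data):
        if not (0xE0 <= marker <= 0xEF or marker == 0xFE):
            continue  # only APPn (EXIF, XMP, ...) and COM carry free-form metadata
        for needle in CODE_INDICATORS:
            offset = payload.find(needle)
            if offset != -1:
                hits.append((segment_name(marker), needle.decode(), offset))
                break
    return hits


def _segment(marker: int, payload: bytes) -> bytes:
    """Build one marker segment: 0xFF, marker, big-endian length, payload."""
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload


def constructed_sample(with_code: bool) -> bytes:
    """Constructed minimal JPEG: SOI, APP1/Exif with an empty IFD, a COM segment, SOS, EOI."""
    exif = b"Exif\x00\x00" + b"MM\x00\x2a\x00\x00\x00\x08" + b"\x00\x00"  # TIFF header, zero IFD entries
    if with_code:
        exif += b"<?php /* constructed indicator only */ ?>"  # sits inside the EXIF segment
    return (b"\xff\xd8" + _segment(0xE1, exif) + _segment(0xFE, b"ordinary comment")
            + b"\xff\xda" + b"\xff\xd9")


if __name__ == "__main__":
    print(find_embedded_code(constructed_sample(True)))   # one hit in APP1 at offset 16
    print(find_embedded_code(constructed_sample(False)))  # []
```

The scanner is byte-level on purpose: it does not need to parse the TIFF/IFD structure that exif_read_data walks, because the question is only whether PHP source is present anywhere in the metadata, wherever the attacker chose to put it. Scanning stops at SOS, so the compressed image data is never inspected, which keeps false positives from random byte sequences low.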

Backdoor Scan

A backdoor scan checks a given remote host for the existence of a webshell from a hardcoded list.

Figures 20 and 21. Code for finding other webshells on affected server

Remote server scan

Like the backdoor scan, the remote server scan function checks a remote server for the presence of other web shells. However, instead of using a hardcoded list, it accepts manual input for the files to search for:

Figures 22 and 23. Interface and code for checking for other webshells

Mass Overwrite

The Mass Overwrite function can rewrite or append to the content of all files with the specified extensions in the specified directories, including all subdirectories of the web shell's directory.

Figures 24 and 25. User interface and code for overwriting files
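Mass overwrite and mass defacement both change many existing files at once, and the dropped tools add new ones. The most reliable way to notice either is a hash baseline of the document root taken while it is known good, verified on a schedule. The script below is an added example, not code from the post or from Ensiko: it records a SHA-256 per watched file, then reports modified, removed and added files. The watched extensions, the sample site and the tampering that exercises the check (appending to every .html file and dropping a new file under tools_ensikology) are all constructed here for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path

# Assumed set of file types worth baselining on a PHP web root.
WATCHED_SUFFIXES = (".php", ".html", ".js")


def _is_watched(path: Path) -> bool:
    return path.is_file() and (path.suffix in WATCHED_SUFFIXES or path.name == ".htaccess")


def build_baseline(root) -> dict:
    """Map each watched file (path relative to root) to its SHA-256 hex digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if _is_watched(p)
    }


def verify_baseline(root, baseline: dict) -> dict:
    """Compare the tree under root against a stored baseline."""
    current = build_baseline(root)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "removed": sorted(k for k in baseline if k not in current),
        "added": sorted(k for k in current if k not in baseline),
    }


def build_demo_site(base) -> None:
    """Constructed sample site: two HTML pages, one PHP file, one binary asset."""
    base = Path(base)
    (base / "pages").mkdir(parents=True)
    (base / "index.html").write_text("<h1>Welcome</h1>\n")
    (base / "pages" / "about.html").write_text("<p>About us</p>\n")
    (base / "app.php").write_text("<?php echo 'app'; ?>\n")
    (base / "logo.png").write_bytes(b"\x89PNG\r\n\x1a\n")  # not watched, never reported


def constructed_tampering(base) -> None:
    """Stand-in for the behaviour described in the post: append to every .html, drop a new file."""
    base = Path(base)
    for p in base.rglob("*.html"):
        with p.open("a") as fh:
            fh.write("<!-- appended text -->\n")
    (base / "tools_ensikology").mkdir()
    (base / "tools_ensikology" / "dropped.php").write_text("<?php /* new file */ ?>\n")


def run_demo() -> dict:
    """Baseline the constructed site, tamper with it, and return the verification report."""
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_site(tmp)
        baseline = build_baseline(tmp)
        constructed_tampering(tmp)
        return verify_baseline(tmp, baseline)


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

In production the baseline must be stored somewhere the web server's own user cannot write (a separate host or a read-only mount), since a web shell runs with exactly that user's privileges and could otherwise rewrite the manifest along with the files.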

Conclusion

Ensiko is a web shell that gives an attacker remote administration, file encryption, and many other capabilities on a compromised web server. A common way to deploy a web shell is to exploit a web application vulnerability or to gain access to an already compromised server. Additionally, Ensiko has ransomware capability to encrypt files on an infected web server using the RIJNDAEL encryption algorithm. It is also capable of scanning servers for the presence of other web shells, defacing websites, sending mass emails, downloading remote files, disclosing information about the affected server, gaining access to databases, running brute-force attacks against file transfer protocol (FTP), cPanel, and Telnet, overwriting files with specified extensions, and more.

Indicators of Compromise

| SHA-256 Hash | Trend Micro Detection Name |
| --- | --- |
| 5fdbf87b7f74327e9132b5edb5c217bdcf49fe275945d502ad675c1dd46e3db5 | Trojan.PHP.WEBSHELL.SBJKSJ |
