Ensiko Remote Shell

Ensiko is a new PHP web shell seemingly created by an unidentified Indonesian threat actor. Primarily used to perform ransomware attacks against vulnerable web systems, it has a host of additional functionality that can be deployed by its operators.


Affected platforms

The following platforms are known to be affected:

  • Windows
  • Linux
  • macOS

Threat details

Introduction

Ensiko is a newly observed remote shell malware targeting Windows, Linux and macOS systems worldwide. Written in PHP, it has a wide variety of capabilities including payload delivery, keylogging, password extraction, and file encryption.


Delivery

At the time of publication, it is unclear how Ensiko is distributed. However, it is able to send mass emails and can brute-force cPanel, FTP, and Telnet services, raising the possibility it may be delivered in spam campaigns or directly from previously compromised systems.


Activities

Once delivered, Ensiko will attempt to scan the affected system for other web shells, sending details of any found, along with system information, to a command and control (C2) server. It then connects to a PasteBin site to load several additional tools.

Ensiko's primary function appears to be as a ransomware tool. Files are targeted using a list provided by the C2 server and are encrypted using the Rijndael-128 algorithm in CBC mode. Encrypted files then have the extension .bak appended to their original name.
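A defender-side check for the two host artefacts described above (the appended .bak extension on Rijndael-128-CBC ciphertext, and the SHA256 indicator listed under "Indicators of compromise"), written as an added example for this page rather than code from NHS Digital or from the malware. The entropy threshold of 7.5 bits per byte, the double-extension heuristic, and the function names are assumptions chosen for illustration; the sample files are constructed in a temporary directory.

```python
import hashlib
import math
import os
import tempfile
from collections import Counter

# SHA256 host indicator quoted on this page for the Ensiko shell itself.
ENSIKO_SHA256 = {"5fdbf87b7f74327e9132b5edb5c217bdcf49fe275945d502ad675c1dd46e3db5"}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; block-cipher output in CBC mode sits close to 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify_file(path: str, entropy_threshold: float = 7.5) -> list:
    """Return the reasons a file looks suspicious (empty list if nothing was found)."""
    with open(path, "rb") as fh:
        data = fh.read()
    reasons = []
    if hashlib.sha256(data).hexdigest() in ENSIKO_SHA256:
        reasons.append("sha256 matches Ensiko indicator")
    # Ensiko appends ".bak" to the original file name, so an encrypted file keeps
    # its old extension in front (e.g. invoice.pdf.bak). A near-random byte
    # distribution in such a file points at ciphertext rather than a backup copy.
    root, ext = os.path.splitext(path)
    if ext == ".bak" and os.path.splitext(root)[1] and shannon_entropy(data) >= entropy_threshold:
        reasons.append("high-entropy .bak file with double extension")
    return reasons


def scan_tree(root: str) -> dict:
    """Walk a web root and map each suspicious path to its list of reasons."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            reasons = classify_file(path)
            if reasons:
                findings[path] = reasons
    return findings


def demo() -> dict:
    """Constructed sample: one pseudo-ciphertext .bak, one ordinary text backup."""
    d = tempfile.mkdtemp()
    with open(os.path.join(d, "invoice.pdf.bak"), "wb") as fh:
        fh.write(os.urandom(4096))  # stands in for Rijndael-CBC output
    with open(os.path.join(d, "config.php.bak"), "wb") as fh:
        fh.write(b"<?php $db_host = 'localhost';\n" * 100)  # legitimate backup
    return {os.path.basename(k): v for k, v in scan_tree(d).items()}
```

Running `demo()` flags only invoice.pdf.bak; a real deployment would run `scan_tree()` against the web root and feed the findings into whatever alerting the monitoring advice below refers to.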

Extensive additional functionality is provided by the tools Ensiko downloads from PasteBin, including:

  • Credential extraction
  • Session hijacking
  • Payload delivery
  • File download, upload, and execution
  • Denial-of-service
  • Brute-force attacks
  • Website defacement
  • SSH shell creation

Remediation advice

To prevent and detect an infection, NHS Digital advises that:

  • Secure configurations are applied to all devices.
  • Security updates are applied at the earliest opportunity.
  • Tamper protection settings in security products are enabled where available.
  • Obsolete platforms are segregated from the rest of the network.
  • IT usage policies are reinforced by regular training to ensure all users know not to open unsolicited links or attachments.
  • Multi-factor authentication (MFA) and lockout policies are used where practicable, especially for administrative accounts.
  • Administrative accounts are only used for necessary purposes.
  • Remote administration services use strongly encrypted protocols and only accept connections from authorised users or locations.
  • Systems are continuously monitored, and unusual activity is investigated, so that a compromise of the network can be detected as early as possible.

Please note that the NCSC maintains guidance for securely configuring a wide range of end user device (EUD) platforms. For further details refer to their end user device security guidance pages.


Indicators of compromise

Host indicators

SHA256 hashes

  • 5fdbf87b7f74327e9132b5edb5c217bdcf49fe275945d502ad675c1dd46e3db5

Last edited: 30 July 2020 3:21 pm