Ensiko Web Shell Overview
This threat report is about the Ensiko web shell which has a variety of operational capacities, and provides actionable intelligence on how to protect against it. The web shell is multi-platform, infecting Windows, Linux, and MacOS computers. If the system has PHP installed, the malware can infect the host.
Ensiko Tactics, Techniques, and Procedures
The Ensiko web shell can gain access to web servers through vulnerable applications or attacking already compromised servers. Once the malware is deployed, it can download more functionality from Pastebin or perform mass encryption on the affected web server via ransomware.
The ransomware component uses RIJNDAEL_128 with CBC mode to encrypt files and overwrites the .htaccess to set a new home page. The new home page is the hacker’s calling card with a reference to the group name and their symbol which is an owl.
The new home page has highly obfuscated code using Base64. The ransomware appends all files with the .bak file extension.
The next unique functionality is the ability to pull exchangeable image file format (EXIF) headers from image files. This allows the malware to pull hidden code from three images using a PHP function called exif_read_data. The technique is referred to as steganography which is a useful way to obfuscate the operational components of the malware.
How this Affects You
Infection by Ensiko may result in the following:
- Propagation of malware
- Data loss due to ransomware
- Loss of reputation due to defacing of the corporate website
What you Can do
Avertium strongly recommends you take the following actions to protect against the Ensiko web shell:
- Keep your web applications up to date and secured behind a firewall
- Perform file integrity monitoring on your web servers to detect the presence of web shells or website defacing attempts
- Place the web server behind an intrusion prevention system to block common attack methods
Sources and Supporting Documentation
Ensiko Web Shell Information Sources
Note: The Avertium Threat Report analyzes one current threat that has been shared by threat intelligence networks across the globe. Used internally by the Avertium CyberOps Team, this report will outline a “top-of-mind” threat and how it ought to be addressed accordingly.
This informed analysis is based on the latest data available.
Deciding between running an in-house SOC vs. using managed security services (MSS) to add more rigor, more relevance and more responsiveness to your cybersecurity program? Compare the two options. Download the e-book!