18 C
Jaipur
Saturday, October 31, 2020

A PHP Based Web Shell with Ransomware Capabilities

Must read

Here’s the first IR night-vision rugged smartphone – shame about the screen resolution

Doogee S96 Pro - $239.99 pre-order at Aliexpress(£191.06/AU$431.93)The latest rugged smartphone from Doogee is now available to pre-order. Its main selling point is a...

Facebook Taken Down Number of Political ads due to Technical Flaws

Facebook on Thursday acknowledged that a technical error in its systems caused a variety of ads from both political parties to be improperly paused....

This is the cheapest 4K laptop right now, by a mile

Chuwi AeroBook Plus 4K laptop - $559.99 at BanggoodThis laptop from little-known manufacturer Chuwi is the most affordable 4K machine on the market. It...

Researchers observed a new PHP web shell dubbed Ensiko with ransomware capabilities that attack PHP installed on platforms such as Linux, Windows, macOS, and others.

The malware is capable of providing remote access and accepts commands from the attacker via a PHP reverse shell.

Security researchers from Trend Micro observed that the malware scans infected servers for the presence of other webshells, defacing websites, sending mass emails, downloading remote files, disclosing information about the affected server, brute-force attacks against file transfer protocol (FTP), cPanel, and Telnet, overwriting files with specified extensions, and more.

Webshell With Ransomware Capabilities

The malware is password-protected, it displays a not found page with a hidden login form. It uses RIJNDAEL_128 with CBC mode to encrypt files in the web directories and appends the “.bak” extension.

Hidden Login

It also drops an index.php file and sets it as the default page using a .htaccess file, the malware also loads additional tools onto an infected system.

Changed Index file

Following are the Ensiko’s capabilities;

Features Description
Priv Index Download ensikology.php from pastebin
Ransomeware Encrypt files using RIJNDAEL 128 with CBC mode
CGI Telnet Download CGI-telnet version 1.3 from pastebin;CGI-Telnet is a CGI script that allows you to execute commands on your web server.
Reverse Shell PHP Reverse shell
Mini Shell 2 Drop Mini Shell 2 webshell payload in ./tools_ensikology/
IndoXploit Drop IndoXploit webshell payload in ./tools_ensikology/
Sound Cloud Display sound cloud
Realtime DDOS Map Fortinet DDoS map
Encode/Decode Encode/decode string buffer
Safe Mode Fucker Disable PHP Safe Mode
Dir Listing Forbidden Turn off directory indexes
Mass Mailer Mail Bombing
cPanel Crack Brute-force cPanel, ftp, and telnet
Backdoor Scan Check remote server for existing web shell
Exploit Details Display system information and versioning
Remote Server Scan Check remote server for existing web shell
Remote File Downloader Download file from remote server via CURL or wget
Hex Encode/Decode Hex Encode/Decode
FTP Anonymous Access Scaner Search for Anonymous FTP
Mass Deface Defacement
Config Grabber Grab system configuration such as “/etc/passwd”
SymLink link
Cookie Hijack Session hijacking
Secure Shell SSH Shell
Mass Overwrite Rewrite or append data to the specified file type.
FTP Manager FTP Manager
Check Steganologer Detects images with EXIF header
Adminer Download Adminer PHP database management into the ./tools_ensikology/
PHP Info Information about PHP’s configuration
Byksw Translate Character replacement
Suicide Self-delete

The threat actor also employees the steganography technique to hide code within the exchangeable image file format (EXIF) headers of an image file.

Webshell Interface

The malware also includes two scanning methods;

Backdoor Scan – Scans for the existence of a web shell from a hardcoded list.

Remote server scan – Checks infected web server for the presence of other web shells.

Also it employees a function Mass Overwrite that used to rewrite/append the content of all files with directories and subdirectories.

By injecting an Ensiko web shell attacker can enable remote administration, file encryption, and many more features on a compromised web server.

IoC

SHA-256 Hash

5fdbf87b7f74327e9132b5edb5c217bdcf49fe275945d502ad675c1dd46e3db5

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity, and hacking news updates.

Also Read

APT Group Actively Exploiting Internet-facing Vulnerable ColdFusion Server and Uploading Webshell

APT 34 Hackers Group Owned Hacking Tools, Webshell, Malware Code, C2 Servers IP Leaked in Telegram

Source link

- Advertisement -

More articles

LEAVE A REPLY

Please enter your comment!
Please enter your name here

Latest article

Here’s the first IR night-vision rugged smartphone – shame about the screen resolution

Doogee S96 Pro - $239.99 pre-order at Aliexpress(£191.06/AU$431.93)The latest rugged smartphone from Doogee is now available to pre-order. Its main selling point is a...

Facebook Taken Down Number of Political ads due to Technical Flaws

Facebook on Thursday acknowledged that a technical error in its systems caused a variety of ads from both political parties to be improperly paused....

This is the cheapest 4K laptop right now, by a mile

Chuwi AeroBook Plus 4K laptop - $559.99 at BanggoodThis laptop from little-known manufacturer Chuwi is the most affordable 4K machine on the market. It...

These are the nastiest cyber threats this Halloween

To avoid falling victim to a malware infection, users first need to be aware of which malware strains are actively being used by cybercriminals...