Ensiko malware encrypts files on Windows, macOS and Linux

Web servers are its preferred target. Ensiko has numerous functions: among other things, it pulls new code from Pastebin, runs brute-force attacks against FTP and Telnet logins, and overwrites files with particular extensions.

Trend Micro researchers have discovered new multifunctional malware. The malware, called Ensiko, can, among other things, encrypt files on any operating system that runs PHP. That makes Ensiko a serious threat to web servers whether they run on Windows, macOS or Linux, as Bleeping Computer reports.

Ensiko is primarily a web shell written in PHP: it lets attackers remotely control a compromised server and carry out further malicious actions from there. The encryption function additionally gives Ensiko the capabilities of ransomware.

According to the researchers, the malware encrypts files with Rijndael-128, the symmetric block cipher with a 128-bit block that was standardized as AES. Encrypted files receive the extension .BAK.
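The report gives defenders three cheap things to look for on a suspect server: the .BAK extension, files whose size is a multiple of the 16-byte Rijndael-128/AES block (a block cipher with padding always produces that), and byte entropy near the 8 bits per byte of ciphertext. The triage script below is an added example written for this article, not Trend Micro's or Ensiko's code; the thresholds, the "two or more indicators" rule and the assumption that .BAK is appended to the original file name are the example's own, and the sample files are constructed, not real Ensiko output.

```python
import math
import random
from collections import Counter

# Heuristics for this added example (assumptions, not published Ensiko indicators):
# a file is a candidate for Ensiko-style encryption when its name ends in ".BAK",
# its size is a multiple of the 16-byte Rijndael-128/AES block, and its entropy
# is close to the 8 bits/byte that ciphertext shows.
BLOCK_SIZE = 16
ENTROPY_THRESHOLD = 7.0  # bits per byte; source code and most documents sit well below this


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte for the given buffer (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def encryption_indicators(name: str, data: bytes) -> list:
    """Return the list of indicators that match; an empty list means 'looks benign'."""
    hits = []
    if name.upper().endswith(".BAK"):
        hits.append("bak-extension")
    if data and len(data) % BLOCK_SIZE == 0:
        hits.append("block-aligned")
    if shannon_entropy(data) >= ENTROPY_THRESHOLD:
        hits.append("high-entropy")
    return hits


def triage(files: dict) -> dict:
    """Map file name -> matching indicators, keeping only files with two or more hits."""
    result = {}
    for name, data in files.items():
        hits = encryption_indicators(name, data)
        if len(hits) >= 2:
            result[name] = hits
    return result


# Constructed sample inputs (not real Ensiko output): a small PHP source file and a
# stand-in for its encrypted copy, built from a seeded PRNG so the run is repeatable.
SAMPLE_PLAIN = b"<?php\necho 'hello';\n" * 99
SAMPLE_CIPHER = random.Random(1).randbytes(4096)
SAMPLE_FILES = {
    "index.php": SAMPLE_PLAIN,
    "index.php.BAK": SAMPLE_CIPHER,
}

if __name__ == "__main__":
    for name, hits in triage(SAMPLE_FILES).items():
        print(f"{name}: {', '.join(hits)}")
```

Entropy alone is not proof: compressed archives and images are also high-entropy, which is why the script requires two indicators before it reports a file. On a real host, walk the web root with os.walk and feed each file into encryption_indicators in place of the constructed dictionary.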

The operators hide the web shell's login behind a "Not Found" error page. The researchers nevertheless managed to determine the access key needed to log in. Ensiko also loads additional functions from Pastebin. Among them is a feature called Steganologer, which lets the attackers embed code in image files and later extract and execute it on the compromised server.
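A page that claims to be a 404 but still asks for a password is exactly the pattern described above, and it is easy to check for in a crawl of a server's responses. The detector below is an added example for this article, not code from Trend Micro or from Ensiko; the heuristic (a response that looks like "Not Found" by status code or wording yet contains a password field or a POST form) and the two sample HTML bodies are the example's own constructions, not captured Ensiko pages.

```python
from html.parser import HTMLParser


class _FormScanner(HTMLParser):
    """Collects the page title, password inputs and POST forms from an HTML body."""

    def __init__(self):
        super().__init__()
        self.password_inputs = 0
        self.post_forms = 0
        self.title_parts = []
        self._in_title = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # HTMLParser lowercases tag and attribute names for us
        if tag == "input" and (a.get("type") or "").lower() == "password":
            self.password_inputs += 1
        elif tag == "form" and (a.get("method") or "get").lower() == "post":
            self.post_forms += 1
        elif tag == "title":
            self._in_title = True

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title_parts.append(data)


def looks_like_not_found(status: int, body: str, title: str) -> bool:
    """True when the status code or the visible wording claims the page is missing."""
    text = (title + " " + body).lower()
    return status == 404 or "not found" in text or "404" in title


def hidden_login_in_404(status: int, body: str) -> dict:
    """Scan one HTTP response; 'suspicious' is True for a 'Not Found' page that carries a login form."""
    scanner = _FormScanner()
    scanner.feed(body)
    title = "".join(scanner.title_parts).strip()
    not_found = looks_like_not_found(status, body, title)
    has_login = scanner.password_inputs > 0 or scanner.post_forms > 0
    return {
        "title": title,
        "not_found": not_found,
        "password_inputs": scanner.password_inputs,
        "post_forms": scanner.post_forms,
        "suspicious": not_found and has_login,
    }


# Constructed sample responses (not captured from Ensiko): a genuine error page and a
# 404-looking page that still asks for a key.
GENUINE_404 = """<html><head><title>404 Not Found</title></head>
<body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>"""

FAKE_404 = """<html><head><title>404 Not Found</title></head>
<body><h1>Not Found</h1><p>The requested URL was not found on this server.</p>
<form method="post" action=""><input type="password" name="key"><input type="submit"></form>
</body></html>"""

if __name__ == "__main__":
    for label, body in (("genuine", GENUINE_404), ("fake", FAKE_404)):
        print(label, hidden_login_in_404(404, body))
```

The check deliberately looks at the wording as well as the status code, because a web shell can serve its fake error page with HTTP 200. A legitimate custom error page with a POST search box will also be flagged, so treat a hit as something to review by hand rather than as a verdict.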

Ensiko can also check whether a given web shell already exists on a remote host. A search function called Remote File Check looks for arbitrary files on a remote system. In addition, Ensiko can overwrite every file with a given extension inside the web shell's directory.

The malware can also run brute-force attacks to obtain login credentials for FTP and Telnet. Its feature set further includes mass mailing, display of system information, file downloads, transferring websites and an FTP manager. A function called suicide removes Ensiko from a compromised system.
