Trend Micro researchers have discovered a new multifunctional malware family. The malware, called Ensiko, can, among other things, encrypt files on any operating system that runs PHP, which makes it a threat to web servers on Windows, macOS and Linux alike, as Bleeping Computer reports.
Ensiko is primarily a web shell written in PHP: it lets attackers remotely control a compromised system and carry out malicious actions on it. Its file-encryption function additionally gives Ensiko ransomware capabilities.
According to the researchers, the malware encrypts files with the symmetric Rijndael-128 cipher (the 128-bit-block variant of Rijndael, i.e. AES). Encrypted files receive the extension .BAK.
The malware's authors hide the web shell's login behind a fake “Not Found” error page; the researchers nevertheless managed to crack the required access key. Ensiko also loads additional functions from Pastebin. Among them is a feature called Steganologer, which lets attackers hide code inside image files and have it executed on the compromised server.
Ensiko is also said to be able to check whether a particular web shell already exists on a remote host. A search function called Remote File Check locates arbitrary files on the remote system, and Ensiko can overwrite any files with a given extension in a web shell directory.
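The three indicators described above (encrypted files renamed to .BAK, PHP code smuggled into image files, and a shell login hidden behind a fake 404 page) can be turned into a simple host-side triage scan. The following is an added example written for this article, not code from Trend Micro or from the malware; the detection rules, the entropy threshold and the sample files are assumptions and constructed test data, not real Ensiko artifacts.

```python
"""Triage scan for the Ensiko-style indicators described in the article.

Added illustration; not Trend Micro's analysis code and not the malware.
The indicator logic is an assumption drawn from the article's description:
  * ".BAK" files whose contents are high-entropy (consistent with
    Rijndael/AES ciphertext rather than a plain-text backup),
  * image files that carry a PHP open tag or eval() (the Steganologer pattern),
  * PHP files that both emit a "Not Found" page and check a password
    (a web shell login hidden behind a fake 404).
Sample files are constructed inline so the script runs offline.
"""
import hashlib
import math
import os
import re
import tempfile
from collections import Counter

IMAGE_EXT = {".jpg", ".jpeg", ".png", ".gif"}
PHP_TAG = re.compile(rb"<\?php|<\?=|\beval\s*\(")
FAKE_404 = re.compile(rb"404\s+Not\s+Found", re.IGNORECASE)
PASS_CHECK = re.compile(
    rb"\$_(POST|REQUEST|GET)\s*\[\s*['\"]?(pass|password|pwd|key)['\"]?\s*\]",
    re.IGNORECASE,
)
ENTROPY_THRESHOLD = 7.5  # bits per byte; assumed cut-off, ciphertext sits near 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 0.0 for empty input, ~8.0 for random data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify(path: str, data: bytes) -> list[str]:
    """Return the names of the indicators that fire for one file."""
    hits = []
    ext = os.path.splitext(path)[1].lower()
    if ext == ".bak" and shannon_entropy(data) >= ENTROPY_THRESHOLD:
        hits.append("encrypted-bak")
    if ext in IMAGE_EXT and PHP_TAG.search(data):
        hits.append("php-in-image")
    if ext in (".php", ".phtml") and FAKE_404.search(data) and PASS_CHECK.search(data):
        hits.append("fake-404-login")
    return hits


def scan_tree(root: str) -> dict[str, list[str]]:
    """Walk a web root and map each flagged file (relative path) to its indicators."""
    findings = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                data = fh.read(4 * 1024 * 1024)  # first 4 MiB suffices for tags and entropy
            rel = os.path.relpath(full, root)
            hits = classify(rel, data)
            if hits:
                findings[rel] = hits
    return findings


def pseudo_ciphertext(nbytes: int) -> bytes:
    """Deterministic high-entropy filler standing in for encrypted output."""
    return b"".join(hashlib.sha256(bytes([i])).digest() for i in range(nbytes // 32))


def build_samples(root: str) -> None:
    """Constructed sample files (not real malware) that exercise each rule once."""
    samples = {
        "index.php": b"<?php echo 'hello'; ?>",                    # benign
        "config.php.BAK": b"<?php $db = 'localhost';\n",            # genuine plaintext backup
        "report.pdf.BAK": pseudo_ciphertext(4096),                  # looks encrypted
        "logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,            # benign image
        "banner.jpg": b"\xff\xd8\xff\xe0Exif<?php eval($_POST['c']); ?>",
        "404.php": (b"<?php\nif (isset($_POST['pass']) && $_POST['pass'] === 'x') "
                    b"{ eval($_POST['cmd']); }\n"
                    b"header('HTTP/1.1 404 Not Found'); echo '<h1>404 Not Found</h1>';"),
    }
    for name, body in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(body)


def run_demo() -> dict[str, list[str]]:
    """Build the constructed samples in a temp dir and scan them."""
    with tempfile.TemporaryDirectory() as root:
        build_samples(root)
        return scan_tree(root)


if __name__ == "__main__":
    for path, hits in sorted(run_demo().items()):
        print(f"{path}: {', '.join(hits)}")
```

Run against a real document root, `scan_tree` flags only the three constructed cases here; the plaintext `config.php.BAK` is deliberately left alone so that ordinary backups do not trigger the ransomware rule. The entropy cut-off and the password-parameter names are assumptions and should be tuned to the application being checked.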
The malware is also suited to brute-force attacks aimed at obtaining FTP and Telnet credentials. Its range of functions further includes mass e-mailing, displaying system information, downloading files, transferring websites and an FTP manager. A function called suicide removes Ensiko from a compromised system.