Truesec observed a malicious installer distributed from conmateapp[.]com that drops UpdateRetriever.exe and conmate_update.ps1, creates artifacts (updating_files.zip, native.zip), schedules a recurring task, and connects to multiple hardcoded C2 domains. The campaign reuses a signing certificate issued to AMARYLLIS SIGNAL LTD and closely mirrors the earlier PDFEditor activity; Truesec published updated IOCs and hashes and recommends isolating/removing the software and blacklisting the listed domains. #ConvertMate #UpdateRetriever_exe #AMARYLLIS_SIGNAL_LTD #PDFEditor
Key Points
- Malicious installer downloaded from conmateapp[.]com (and trm.conmateapp[.]com) initiates external connections and performs host queries upon execution.
- The dropper creates artifacts including updating_files.zip, native.zip, UpdateRetriever.exe and conmate_update.ps1, and executes the PowerShell script immediately.
- conmate_update.ps1 adds UpdateRetriever.exe to scheduled tasks to run every 24 hours, providing persistence and repeated C2 callbacks.
- UpdateRetriever.exe and related binaries connect to multiple hardcoded domains (e.g., confetly[.]com, climatcon[.]com) acting as C2 endpoints.
- Files from this campaign are signed by the same entity (AMARYLLIS SIGNAL LTD), linking the activity to the prior PDFEditor campaign.
- Truesec published IOCs and updated SHA256 hashes, recommended isolation/removal, blacklisting of C2 domains, and is testing a detection rule for malicious signers.
MITRE Techniques
- [T1105] Ingress Tool Transfer: The installer is retrieved from attacker-controlled URLs, enabling payload delivery ("File is downloaded from conmateapp[.]com or trm[.]conmateapp[.]com").
- [T1059.001] PowerShell: A PowerShell script is created and executed to install and schedule the updater ("The PowerShell script (conmate_update.ps1) is executed immediately upon creation").
- [T1053.005] Scheduled Task/Job: Persistence is achieved by adding UpdateRetriever.exe to scheduled tasks set to run every 24 hours ("adding UpdateRetriever.exe to scheduled tasks set to run every 24 hours.").
- [T1071] Application Layer Protocol (C2): Binaries perform outbound connections to hardcoded C2 domains to receive instructions or exfiltrate data ("then connects to one of the following domains (currently known): confetly[.]com, climatcon[.]com …").
- [T1046] Network Service Discovery: The malware performs host queries, indicating discovery of network/host information ("The file performs host queries.").
- [T1553.002] Code Signing: The use of a reused certificate links campaigns and may be used to lend legitimacy to signed binaries ("both files are signed by the same entity, AMARYLLIS SIGNAL LTD").
Indicators of Compromise
- [File Hash] Observed malicious binaries and scripts: 372d89d7dd45b2120f45705a4aa331dfff813a4be642971422e470eb725c4646 (conmate_update.ps1), 08b9f93000512b45f8c2e8d3d6624536b366e67c40fd4b958db58e3a1d129c3d (ConvertMate.exe), and four other hashes.
- [File Name] Created or observed on disk: UpdateRetriever.exe, conmate_update.ps1, and other files such as updating_files.zip and native.zip.
- [Download URL] Suspected distribution points: conmateapp[.]com, trm.conmateapp[.]com (OSINT suggests delivery via ads), and runeton[.]com/clic? (observed in a follow-up sample).
- [Outbound Domain] Hardcoded C2 and callback domains: confetly[.]com, climatcon[.]com, conmateapp[.]com, and eight other domains observed across samples.
- [Registry Key] Persistence artifact location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\ConvertMateTask, and additional TaskCache keys for PDC_Update and related tasks.
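The following host-hunting script is an added example, not Truesec's tooling or a published detection rule. It turns the indicators above into four local checks on a Windows endpoint: scheduled-task actions that launch UpdateRetriever.exe (T1053.005), the TaskCache\Tree registry keys named in the report, on-disk artifacts matched by name, by the two SHA256 hashes given above, or by an Authenticode signer containing AMARYLLIS SIGNAL LTD (T1553.002), and DNS client cache entries for the known C2 domains (T1071). The search roots, the use of the DNS cache as the network check, and the PDC_Update task name as a registry key path are assumptions for illustration; the indicator values themselves come from the write-up.

```powershell
# Added hunting script (not from the original report). Assumes a Windows host
# with the ScheduledTasks and DnsClient modules available; run elevated so
# that HKLM and other users' profiles are readable.

# Indicators taken from the report (hashes, names, signer, domains, task keys).
$KnownHashes = @{
    '372d89d7dd45b2120f45705a4aa331dfff813a4be642971422e470eb725c4646' = 'conmate_update.ps1'
    '08b9f93000512b45f8c2e8d3d6624536b366e67c40fd4b958db58e3a1d129c3d' = 'ConvertMate.exe'
}
$SuspectFileNames = @('UpdateRetriever.exe', 'conmate_update.ps1', 'updating_files.zip', 'native.zip')
$SuspectSigner    = 'AMARYLLIS SIGNAL LTD'
$C2Domains        = @('confetly.com', 'climatcon.com', 'conmateapp.com', 'trm.conmateapp.com')
$TaskCacheKeys    = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\ConvertMateTask',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\PDC_Update'  # assumed path
)

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Type, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Type = $Type; Detail = $Detail })
}

# 1. Persistence: any scheduled task whose action launches UpdateRetriever.exe.
Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        if ("$($action.Execute) $($action.Arguments)" -match 'UpdateRetriever\.exe') {
            Add-Finding 'ScheduledTask' "$($task.TaskPath)$($task.TaskName) -> $($action.Execute) $($action.Arguments)"
        }
    }
}

# 2. Persistence artifact: TaskCache\Tree keys left behind even if the task was hidden or renamed.
foreach ($key in $TaskCacheKeys) {
    if (Test-Path -Path $key) { Add-Finding 'TaskCacheKey' $key }
}

# 3. On-disk artifacts: file name, known SHA256, or the reused signing certificate.
#    Search roots are an assumption (typical dropper locations), not from the report.
$roots = @($env:ProgramData, $env:LOCALAPPDATA, $env:APPDATA, $env:TEMP) |
    Where-Object { $_ -and (Test-Path -Path $_) }
Get-ChildItem -Path $roots -Recurse -File -Include *.exe, *.ps1, *.zip -ErrorAction SilentlyContinue | ForEach-Object {
    $file = $_
    if ($SuspectFileNames -contains $file.Name) { Add-Finding 'FileName' $file.FullName }

    $hash = (Get-FileHash -Algorithm SHA256 -Path $file.FullName -ErrorAction SilentlyContinue).Hash
    if ($hash -and $KnownHashes.ContainsKey($hash.ToLower())) {
        Add-Finding 'KnownHash' "$($file.FullName) matches $($KnownHashes[$hash.ToLower()])"
    }

    if ($file.Extension -eq '.exe') {
        $sig = Get-AuthenticodeSignature -FilePath $file.FullName -ErrorAction SilentlyContinue
        if ($sig -and $sig.SignerCertificate -and $sig.SignerCertificate.Subject -like "*$SuspectSigner*") {
            Add-Finding 'Signer' "$($file.FullName) signed by $($sig.SignerCertificate.Subject)"
        }
    }
}

# 4. Network: resolver cache entries for the hardcoded C2 domains (recent callbacks only).
Get-DnsClientCache -ErrorAction SilentlyContinue |
    Where-Object { $C2Domains -contains $_.Entry } |
    ForEach-Object { Add-Finding 'DnsCache' $_.Entry }

if ($findings.Count -eq 0) { Write-Output 'No ConvertMate/UpdateRetriever indicators found.' }
else { $findings | Format-Table -AutoSize }
```

The signer check is the most durable of the four: file names, hashes and domains change between samples (the report itself notes a follow-up sample with a new distribution URL), whereas a certificate reused across the PDFEditor and ConvertMate campaigns is what Truesec's planned malicious-signer rule would key on. The DNS cache check only sees resolutions that are still cached; pair it with DNS or proxy logs for a complete picture, and extend `$C2Domains` with the additional eight domains from the full IOC list.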