I've seen a lot of chatter on X about ConvertMate.exe
So I took another look at it today.
What it is
This is another file conversion application. It is a .NET application whose installer drops files into AppData\Local\ConvertMate and creates a scheduled task called ConvertMateTask.
The files it unpacks and drops include a smaller file named Convert Mate.exe (with a space), id.txt (a unique identifier), some supporting DLLs, an uninstaller.exe, and UpdateRetreiver.exe.
Red Flags
- Contains reversed strings and simple obfuscation
- Launches a PS1 file to create the scheduled task
- The uninstaller and the Add/Remove Programs entry only remove the desktop icon and the registry key
- UpdateRetreiver checks in daily, and if the domain returns a response it AES-decrypts that response
Interesting strings in ConvertMate installer
// Tracking pixel requested by the installer
this.logicManager.SendPixel("https://banifuri[.]com/pixel");
// Chrome presence check built from reversed strings (x86 and x64 Program Files, then per-user LocalAppData)
string text = this.rev("exe.emorhc\\noitacilppA\\emorhC\\elgooG\\)68x( seliF margorP\\:C");
string text2 = this.rev("exe.emorhc\\noitacilppA\\emorhC\\elgooG\\seliF margorP\\:C");
string text3 = Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData) + this.rev("noitacilppA\\emorhC\\elgooG\\"), this.rev("exe.emorhc"));
return File.Exists(text) || File.Exists(text2) || File.Exists(text3);
// Strings assembled a piece at a time to avoid plain-text matches:
// "p"+"o"+"w"+"e"+"r"+"s"+"hell" = "powershell", "Sh"+'e'+'l'+'l' = "Shell", "Ex"+'e'+"cut"+'e' = "Execute"
string text = "p";
string text2 = "o";
string text3 = "w";
string text4 = "e";
string text5 = "r";
string text6 = "s";
string error = "hell";
string text7 = text6;
string text8 = "Us";
char c = 'e';
string text9 = "Sh";
char c2 = 'e';
char c3 = 'l';
char c4 = 'l';
string text10 = "Ex";
char c5 = 'e';
string text11 = "cut";
char c6 = 'e';
string text12 = text11;
char c7 = c5;
string text13 = text10;
char c8 = c4;
Playing with UpdateRetreiver
I haven't really seen anyone talking about the specifics of this yet. What I do know is that I've seen ConvertMate around for a while; it was flagging some of the same hunting queries as things like zipthis.
I don't know that I ever saw the Update return any data; I would be curious if someone has. The UpdateRetreiver functions work like this: it first needs a response from confetly[.]com/auth; then, if the /update response is not NULL, the program attempts to decrypt the payload using AES, where the key is a hash of the install date and the IV is the current date/timestamp.
We can use a tool like Fiddler to create an AutoResponse, so you can generate your own "payload". I used a simple script that can be found on the SecurityMagic GitHub. It wasn't perfect, the padding seems off, but as a proof of concept this demonstrates the ability of the UpdateRetreiver to return any payload if the connections are all successful.
Screenshot: the benign payload being decrypted (padding or IV are off here)
Screenshot: example AutoResponder
Screenshot: example traffic
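Added example (C#, .NET 6 or later), not ConvertMate's code and not the SecurityMagic script: it reproduces the scheme described above (AES, key = hash of the install date, IV = the fetch date/timestamp) so an analyst can decrypt a captured /update body offline, and shows how to tell a wrong IV apart from a wrong key when "the padding seems off". The exact hash, date formats and the sample values are assumptions; the decompiled UpdateRetreiver is the reference for the real ones.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
// Added example, not ConvertMate's code: reproduces the described scheme so a
// captured /update body can be decrypted offline. Key/IV derivations are assumed.
static class UpdateResponseDecryptor
{
    // Assumed: key = SHA-256 of the install date string (AES-256).
    static byte[] DeriveKey(string installDate) =>
        SHA256.HashData(Encoding.UTF8.GetBytes(installDate));
    // Assumed: IV = first 16 bytes of the fetch timestamp string, zero padded.
    static byte[] DeriveIv(DateTime fetchedAt)
    {
        var iv = new byte[16];
        var stamp = Encoding.UTF8.GetBytes(fetchedAt.ToString("yyyyMMddHHmmss"));
        Array.Copy(stamp, iv, Math.Min(iv.Length, stamp.Length));
        return iv;
    }
    static Aes Configure(string installDate, DateTime fetchedAt)
    {
        var aes = Aes.Create();          // CBC and PKCS7 are the defaults; set explicitly
        aes.Mode = CipherMode.CBC;
        aes.Padding = PaddingMode.PKCS7;
        aes.Key = DeriveKey(installDate);
        aes.IV = DeriveIv(fetchedAt);
        return aes;
    }
    // null = PKCS7 padding failed (wrong key, or wrong IV on a one-block body).
    public static byte[]? TryDecrypt(byte[] body, string installDate, DateTime fetchedAt)
    {
        using var aes = Configure(installDate, fetchedAt);
        try { return aes.CreateDecryptor().TransformFinalBlock(body, 0, body.Length); }
        catch (CryptographicException) { return null; }
    }
    static void Main()
    {
        // Constructed sample standing in for a body captured with Fiddler.
        string installDate = "2024-01-15";                    // constructed value
        var fetchedAt = new DateTime(2024, 1, 16, 9, 0, 0);   // constructed value
        byte[] plain = Encoding.UTF8.GetBytes("benign test payload, nothing executes");
        using var enc = Configure(installDate, fetchedAt);
        byte[] captured = enc.CreateEncryptor().TransformFinalBlock(plain, 0, plain.Length);
        var good = TryDecrypt(captured, installDate, fetchedAt);
        Console.WriteLine(good is null ? "padding error" : Encoding.UTF8.GetString(good));
        // IV off by a day: CBC garbles only the first 16 bytes, the tail still decrypts and padding passes; a padding error instead points at the key.
        var skewed = TryDecrypt(captured, installDate, fetchedAt.AddDays(1));
        Console.WriteLine(skewed is null ? "padding error"
            : "tail: " + Encoding.UTF8.GetString(skewed, 16, skewed.Length - 16));
    }
}
```

When a real capture fails padding, try the install date and hash variants first; when only the first block is garbage, step the IV timestamp through nearby fetch times.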
Final Thoughts
I can't say whether or not this is any more than a PUP; until I see a successful payload pulled down from the UpdateRetreiver and verify it is malicious, I can only say that ConvertMate is suspicious. I would love to get some more information; if anyone has anything to add, please let me know.