Threat Insight
Recurring Use of Highly Suspicious PDF Editors to Infiltrate Environments
Since November 19, 2025, Truesec SOC has observed a notable increase in alerts involving a file named “ConvertMate” that initially appears harmless. Upon deeper inspection of the EDR telemetry, however, it is clear that the file exhibits highly suspicious behavior consistent with a staging mechanism for further malicious activity.
The activities observed are the following:
— The file is downloaded from conmateapp[.]com or trm[.]conmateapp[.]com (OSINT suggests that the downloads are driven by ads, but this has not been confirmed).
— Upon execution, the file initiates connections to external IP addresses.
— The file performs host queries.
— It creates several artifacts: updating_files.zip, native.zip, UpdateRetriever.exe and conmate_update.ps1
— The PowerShell script (conmate_update.ps1) is executed immediately upon creation and registers a scheduled task that runs UpdateRetriever.exe every 24 hours.
— When triggered by the scheduled task, UpdateRetriever.exe repeats the external connection and host query behavior, then connects to one of the following domains (currently known):
confetly[.]com
climatcon[.]com
conmateapp[.]com
chrialletworton[.]com
banifuri[.]com
dcownil[.]com
vo[.]takelecon[.]com
This activity closely resembles the tactics observed in the “PDFEditor” campaign detailed in a Truesec article two months ago. Notably, the binaries from both campaigns are signed by the same entity, AMARYLLIS SIGNAL LTD[1], which further strengthens the link between them.
The combination of suspicious activities and the reuse of a known certificate strongly suggests that “ConvertMate” is not a legitimate PDF converter. Instead, it likely serves as an initial vector for malicious activity, similar to the previously documented “PDFEditor” campaign.
IOCs have been added to continuous threat hunting for Truesec SOC customers.
A custom detection rule designed to identify malicious signers is currently being tested.
Recommended Actions
Truesec recommends immediate isolation and removal of the software and its related artifacts (UpdateRetriever.exe, conmate_update.ps1, updating_files.zip, native.zip), as well as the scheduled task that launches UpdateRetriever.exe.
Alerted hosts handled by Truesec SOC have been, and will continue to be, isolated, and customers will be notified via Incident Reports and/or in accordance with the communication channels agreed between Truesec and the customer.
Truesec also recommends conducting internal training and awareness sessions for end users, so they can learn to recognize malicious ads and suspicious files and avoid downloading them. This proactive approach helps reduce the risk of similar incidents in the future.
Detection
Observed files and SHA256 hashes:
conmate_update.ps1: 372d89d7dd45b2120f45705a4aa331dfff813a4be642971422e470eb725c4646
ConvertMate.exe: 08b9f93000512b45f8c2e8d3d6624536b366e67c40fd4b958db58e3a1d129c3d
Convert Mate.exe: d9f9584f4f071be9c5cf418cae91423c51d53ecf9924ed39b42028d1314a2edc
UpdateRetriever.exe: 09c2af472ab86b62a702e94a39df2bef09205f4249ed871cbeece751c1e7ef4f
Observed download domains:
conmateapp[.]com
trm[.]conmateapp[.]com
Observed outbound connection domains:
confetly[.]com
climatcon[.]com
conmateapp[.]com
chrialletworton[.]com
banifuri[.]com
dcownil[.]com
vo[.]takelecon[.]com
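The following host-level hunting script is an added example and is not Truesec's own tooling. It checks a Windows endpoint for the indicators listed above: scheduled tasks whose action launches UpdateRetriever.exe, files matching the artifact names with their SHA256 hashes compared against the published list, an Authenticode signer of AMARYLLIS SIGNAL LTD on any matching executable, and entries in the DNS client cache for the known domains. The search roots, the -Remediate switch and the assumption that the task is recognizable by its action rather than by a specific task name (the page does not give one) are illustrative assumptions. Run it in an elevated PowerShell session.

```powershell
<#
 Added hunting example (not Truesec's tooling). Search roots and the
 -Remediate switch are assumptions for illustration; the scheduled task is
 identified by its action (UpdateRetriever.exe) because no task name is known.
#>
param(
    [string[]]$SearchRoots = @($env:USERPROFILE, $env:ProgramData, $env:TEMP, $env:LOCALAPPDATA),
    [switch]$Remediate
)

# SHA256 hashes published in the Detection section (stored lowercase for comparison).
$KnownHashes = @{
    '372d89d7dd45b2120f45705a4aa331dfff813a4be642971422e470eb725c4646' = 'conmate_update.ps1'
    '08b9f93000512b45f8c2e8d3d6624536b366e67c40fd4b958db58e3a1d129c3d' = 'ConvertMate.exe'
    'd9f9584f4f071be9c5cf418cae91423c51d53ecf9924ed39b42028d1314a2edc' = 'Convert Mate.exe'
    '09c2af472ab86b62a702e94a39df2bef09205f4249ed871cbeece751c1e7ef4f' = 'UpdateRetriever.exe'
}
$ArtifactNames = 'updating_files.zip', 'native.zip', 'UpdateRetriever.exe',
                 'conmate_update.ps1', 'ConvertMate.exe', 'Convert Mate.exe'
$Domains = 'confetly.com', 'climatcon.com', 'conmateapp.com', 'chrialletworton.com',
           'banifuri.com', 'dcownil.com', 'takelecon.com'
$Signer  = 'AMARYLLIS SIGNAL LTD'

$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding([string]$Type, [string]$Detail) {
    # $findings is a reference type, so the parent-scope list is mutated in place.
    $findings.Add([pscustomobject]@{ Type = $Type; Detail = $Detail })
}

# 1. Persistence: scheduled tasks whose action runs UpdateRetriever.exe.
$tasks = Get-ScheduledTask -ErrorAction SilentlyContinue | Where-Object {
    $_.Actions | Where-Object { "$($_.Execute) $($_.Arguments)" -match 'UpdateRetriever\.exe' }
}
foreach ($t in $tasks) {
    Add-Finding 'ScheduledTask' "$($t.TaskPath)$($t.TaskName)"
    if ($Remediate) { Unregister-ScheduledTask -TaskName $t.TaskName -TaskPath $t.TaskPath -Confirm:$false }
}

# 2. Dropped artifacts: match by name, compare hash, and inspect the signer of executables.
$files = Get-ChildItem -Path $SearchRoots -Recurse -File -Force -Include $ArtifactNames -ErrorAction SilentlyContinue
foreach ($f in $files) {
    $hash    = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash.ToLower()
    $matched = $KnownHashes.ContainsKey($hash)
    Add-Finding 'File' ('{0} sha256={1} knownHash={2}' -f $f.FullName, $hash, $matched)
    if ($f.Extension -eq '.exe') {
        $sig = Get-AuthenticodeSignature -FilePath $f.FullName
        if ($sig.SignerCertificate -and $sig.SignerCertificate.Subject -match [regex]::Escape($Signer)) {
            Add-Finding 'Signer' "$($f.FullName) signed by $Signer"
        }
    }
    if ($Remediate) { Remove-Item -LiteralPath $f.FullName -Force }
}

# 3. Network: DNS client cache entries for the known domains. The cache is volatile,
#    so a miss here proves nothing; check DNS/proxy logs for historical resolution.
$dnsHits = Get-DnsClientCache -ErrorAction SilentlyContinue | Where-Object {
    $entry = $_.Entry
    $Domains | Where-Object { $entry -like "*$_" }
}
foreach ($d in $dnsHits) { Add-Finding 'DnsCache' $d.Entry }

if ($findings.Count -eq 0) { 'No ConvertMate indicators found on this host.' }
else { $findings | Format-Table -AutoSize }
```

Run it without -Remediate first and preserve the output, the task XML and the files for the incident record; only then rerun with -Remediate on an already isolated host. A hash mismatch on a file with a matching name is still worth escalating, since repackaged builds change the hash but not the name, the task action or the signer.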
References
[1] https://raw.githubusercontent.com/LindenSec/IoC/refs/heads/main/PDFEditorManualFinder/signers.txt