Free Converter Software – Convert Any System from Clean to Infected in Seconds
Detection stack
- AIDR
- Alert
- ETL
- Query
Summary
Malvertising campaigns on legitimate sites are pushing fake “converter” utilities that look harmless but install persistent remote-access malware in the background. Once executed, the installer typically drops backdoor components into %LocalAppData% and creates scheduled tasks that repeatedly launch the payload, ensuring the attacker retains access across reboots. The operation relies on a rotating set of look-alike domains, code-signed (but malicious) binaries, and a straightforward HTTP-based command-and-control workflow. Defenders can prioritize detection on anomalous scheduled-task creation, suspicious execution from user-writable paths, and outbound traffic to the identified C2 infrastructure.
Investigation
Researchers reconstructed the infection path from malicious Google ads to landing pages hosted on spoofed domains such as pokemoninfinitefusion.net, convertyfileapp.com, and conmateapp.com, which ultimately deliver the final payloads. The delivered binaries are .NET executables signed with stolen certificates, and they establish persistence by creating a scheduled task that runs UpdateRetriever.exe from %LocalAppData%. Telemetry showed the malware periodically contacting confetly.com to retrieve updates or instructions. Analysts also validated associated file-system and configuration artifacts, including an id.txt marker and the scheduled task definitions used to keep the backdoor active.
Mitigation
Enable and operationalize logging for scheduled-task creation (Security Event ID 4698) and registry modification telemetry (for example, Sysmon Event ID 13). Reduce execution risk by blocking or tightly controlling process launches from %LocalAppData% using AppLocker or WDAC, and alert on scheduled tasks that point to user-writable directories. Treat suspicious or newly observed code-signing certificates as high risk—revoke or block them where possible—and add domain controls for the known malicious infrastructure. At the network layer, deploy detections for outbound HTTP activity to confetly.com and related URL patterns, and consider preventing direct-to-internet traffic from user workstations when feasible.
Response
When a suspicious scheduled task is detected—or when executables are observed running from %LocalAppData%—isolate the endpoint and preserve evidence (task XML, dropped binaries, and relevant proxy/DNS logs). Block confetly.com and any related infrastructure immediately to interrupt command-and-control. Remove the malicious scheduled task, eradicate payload artifacts, and perform full endpoint remediation to confirm no secondary persistence remains. Finally, run an enterprise-wide hunt for the same indicators (task names/paths, UpdateRetriever.exe, id.txt, and the listed domains) to scope additional impacted systems.
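The Mitigation and Response sections above both come down to the same two checks on Security Event ID 4698 (scheduled task created): does the task's action launch from a user-writable path, and does it match the campaign's file-name indicator (UpdateRetriever.exe). The following is an added example, not code from the original page or from the vendor, that parses the TaskContent XML carried inside a 4698 event and applies those checks, then sweeps a batch of events the way an enterprise-wide hunt would. The events, host names, account names and task name are constructed placeholders; the 4698 field names (TaskName, TaskContent, SubjectUserName, SubjectDomainName) and the task-definition namespace are the ones Windows uses.

```python
"""Triage of Windows Security Event ID 4698 (scheduled task created).

Added example (not the page's or vendor's code): parses the TaskContent XML in a
4698 event, extracts every <Exec> action and flags actions that run from a
user-writable path or match the page's indicator UpdateRetriever.exe.
All sample events are constructed; host, account and task name are placeholders.
"""
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Namespaces of the Windows event envelope and of the embedded task definition.
EVT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Paths a standard user can write to; a task action rooted here is suspicious.
USER_WRITABLE = re.compile(
    r"(%(LOCALAPPDATA|APPDATA|TEMP|TMP|USERPROFILE)%"
    r"|\\Users\\[^\\]+\\(AppData|Downloads|Desktop|Documents)\\"
    r"|\\Windows\\Temp\\)",
    re.IGNORECASE,
)
# File names tied to this campaign on the page (lower-cased for comparison).
INDICATOR_NAMES = {"updateretriever.exe"}
# Real TaskContent opens with an XML declaration naming UTF-16; once the text is
# already a Python str that declaration must be removed or the parser rejects it.
XML_DECL = re.compile(r"^\s*<\?xml[^>]*\?>")


def event_fields(event_xml):
    """Flatten <EventData><Data Name=...> entries into a dict, plus EventID/Computer."""
    root = ET.fromstring(event_xml)
    fields = {d.get("Name"): (d.text or "")
              for d in root.findall(".//e:EventData/e:Data", EVT_NS)}
    fields["EventID"] = root.findtext("e:System/e:EventID", default="", namespaces=EVT_NS)
    fields["Computer"] = root.findtext("e:System/e:Computer", default="", namespaces=EVT_NS)
    return fields


def task_actions(task_content):
    """Return (command, arguments) for each <Exec> action in a task definition."""
    task = ET.fromstring(XML_DECL.sub("", task_content, count=1))
    actions = []
    for node in task.findall(".//t:Actions/t:Exec", TASK_NS):
        cmd = node.findtext("t:Command", default="", namespaces=TASK_NS).strip()
        args = node.findtext("t:Arguments", default="", namespaces=TASK_NS).strip()
        actions.append((cmd, args))
    return actions


def triage_4698(event_xml):
    """Score one event; None if it is not a 4698, else a dict with 'suspicious'."""
    f = event_fields(event_xml)
    if f["EventID"] != "4698":
        return None
    findings = []
    for cmd, args in task_actions(f.get("TaskContent", "")):
        reasons = []
        if USER_WRITABLE.search(cmd) or USER_WRITABLE.search(args):
            reasons.append("action launches from a user-writable path")
        base = cmd.strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if base in INDICATOR_NAMES:
            reasons.append(f"command matches campaign indicator {base}")
        if reasons:
            findings.append({"command": cmd, "arguments": args, "reasons": reasons})
    return {"computer": f["Computer"], "task_name": f.get("TaskName", ""),
            "creator": f"{f.get('SubjectDomainName', '')}\\{f.get('SubjectUserName', '')}",
            "suspicious": bool(findings), "findings": findings}


def hunt(events):
    """Enterprise-wide sweep: (computer, task_name) for every flagged 4698 event."""
    hits = []
    for e in events:
        r = triage_4698(e)
        if r and r["suspicious"]:
            hits.append((r["computer"], r["task_name"]))
    return hits


def make_4698(computer, user, task_name, command, args):
    """Constructed 4698 event; TaskContent is XML-escaped text, as in real exports."""
    task_xml = ('<?xml version="1.0" encoding="UTF-16"?>'
                f'<Task version="1.2" xmlns="{TASK_NS["t"]}"><Actions Context="Author">'
                f"<Exec><Command>{escape(command)}</Command>"
                f"<Arguments>{escape(args)}</Arguments></Exec></Actions></Task>")
    return (f'<Event xmlns="{EVT_NS["e"]}"><System><EventID>4698</EventID>'
            f"<Computer>{computer}</Computer></System><EventData>"
            f'<Data Name="SubjectUserName">{user}</Data><Data Name="SubjectDomainName">CORP</Data>'
            f'<Data Name="TaskName">{escape(task_name)}</Data>'
            f'<Data Name="TaskContent">{escape(task_xml)}</Data></EventData></Event>')


# Constructed samples: one mirroring the page's persistence pattern, one benign.
SAMPLE_MALICIOUS = make_4698("WS-01", "jdoe", r"\ConverterUpdate",
                             r"%LocalAppData%\UpdateRetriever.exe", "/silent")
SAMPLE_BENIGN = make_4698("WS-02", "SYSTEM", r"\Microsoft\Windows\Defrag\ScheduledDefrag",
                          r"%windir%\system32\defrag.exe", "-c -h -o -$")

if __name__ == "__main__":
    for sample in (SAMPLE_MALICIOUS, SAMPLE_BENIGN):
        print(triage_4698(sample))
    print(hunt([SAMPLE_MALICIOUS, SAMPLE_BENIGN]))
```

The indicator match is on the action's file name only, so a renamed copy of the payload would still be caught by the path check but not by the indicator set; extend INDICATOR_NAMES with the hash-based IOC packs listed under Detections when the file name alone is not enough.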
Attack Flow
graph TB
  %% Class Definitions
  classDef technique fill:#c2e0ff
  classDef operator fill:#ffcc66
  %% Nodes – Techniques
  initial_access["<b>Technique</b> – <b>T1659 Malicious Advertising</b><br/><b>Description</b>: The adversary leverages malicious online ads to deliver malicious content to victims via content injection."]
  class initial_access technique
  user_execution["<b>Technique</b> – <b>T1204 User Execution</b><br/><b>Description</b>: Victim manually clicks the malicious advertisement and runs the downloaded payload."]
  class user_execution technique
  dropper["<b>Technique</b> – <b>T1036.001 Masquerading: Invalid Code Signature</b><br/><b>Description</b>: A signed converter executable is used to masquerade as a legitimate tool, subverting trust controls."]
  class dropper technique
  subvert_trust["<b>Technique</b> – <b>T1553 Subvert Trust Controls</b><br/><b>Description</b>: The signed binary defeats security mechanisms that rely on code signing trust."]
  class subvert_trust technique
  powershell["<b>Technique</b> – <b>T1059.001 PowerShell</b><br/><b>Description</b>: PowerShell script is executed to create a scheduled task for persistence."]
  class powershell technique
  scheduled_task["<b>Technique</b> – <b>T1053 Scheduled Task</b><br/><b>Description</b>: A scheduled task is created to run the UpdateRetriever executable at regular intervals."]
  class scheduled_task technique
  persistence["<b>Technique</b> – <b>T1053 Scheduled Task (Persistence)</b><br/><b>Description</b>: The scheduled task provides long-term execution of the malicious updater."]
  class persistence technique
  c2_https["<b>Technique</b> – <b>T1071.001 Web Protocols: Web</b><br/><b>Description</b>: Command and control traffic is sent over HTTPS using standard web protocols."]
  class c2_https technique
  compression["<b>Technique</b> – <b>T1027.015 Archive via Utility</b><br/><b>Description</b>: Payloads are stored inside ZIP archives to evade detection."]
  class compression technique
  %% Operator Node (AND logic)
  op_and(("AND"))
  class op_and operator
  %% Connections – Flow
  initial_access -->|leads_to| user_execution
  user_execution -->|delivers| dropper
  dropper -->|uses| subvert_trust
  dropper -->|stores_payloads_in| compression
  dropper -->|executes| powershell
  powershell -->|creates| scheduled_task
  scheduled_task -->|enables| persistence
  persistence -->|communicates_with| c2_https
Detections
- Possible Defense Evasion Activity By Suspicious Use of Wevtutil (via cmdline)
- Suspicious Scheduled Task (via audit)
- Scheduled Task via COM Object (via powershell)
- IOCs (HashSha256) to detect: Free Converter Software – Convert Any System from Clean to Infected in Seconds Part 1
- IOCs (HashSha256) to detect: Free Converter Software – Convert Any System from Clean to Infected in Seconds Part 2
- IOCs (HashSha256) to detect: Free Converter Software – Convert Any System from Clean to Infected in Seconds Part 3
- IOCs (HashSha256) to detect: Free Converter Software – Convert Any System from Clean to Infected in Seconds Part 4
- IOCs (HashSha256) to detect: Free Converter Software – Convert Any System from Clean to Infected in Seconds Part 5
- IOCs (HashSha256) to detect: Free Converter Software – Convert Any System from Clean to Infected in Seconds Part 6
- IOCs (HashSha256) to detect: Free Converter Software – Convert Any System from Clean to Infected in Seconds Part 7
- IOCs (HashSha1) to detect: Free Converter Software – Convert Any System from Clean to Infected in Seconds
- Scheduled Task Registry Modification for Malware Persistence [Windows Registry Event]
- Detect Creation of Scheduled Task for Malware Persistence [Microsoft Windows Security Event Log]
- Detect ConvertMate Malicious Payload and UUID File Creation [Windows File Event]
Simulation Execution
Prerequisite: The Telemetry & Baseline Pre‑flight Check must have passed.
Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic.
Attack Narrative & Commands:
An attacker who has already obtained local system access wishes to maintain persistence across reboots. They decide to abuse the Windows Task Scheduler’s registry backend because it is a “living‑off‑the‑land” method that avoids creating new executable files. Using reg.exe (the regression script below performs the same write through the PowerShell registry provider), they add a new task definition directly under the TaskCache\Tasks hive, pointing to a malicious payload located in %LocalAppData%. This write generates a Sysmon Event 13 with a RegistryPath matching the rule’s selector, causing the alert to fire.
Regression Test Script:
# -------------------------------------------------------------------------
# PowerShell script to simulate T1053 Scheduled Task persistence written
# directly into the Task Scheduler registry cache (run elevated: HKLM write)
# -------------------------------------------------------------------------

# Variables
$taskGuid = [guid]::NewGuid().ToString("B").ToUpper()   # e.g. {A1B2C3D4-...}
$payload  = "$env:LOCALAPPDATA\malware\evil.exe"
$regPath  = "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\$taskGuid"

# Ensure payload directory exists (simulated)
New-Item -Path (Split-Path $payload) -ItemType Directory -Force | Out-Null
# (In a real attack, the malicious binary would be dropped here)

# Create the registry key for the scheduled task
New-Item -Path $regPath -Force | Out-Null

# Populate minimal required values (Task XML would be far larger; we keep it simple)
New-ItemProperty -Path $regPath -Name "Path" -Value $payload -PropertyType String -Force | Out-Null
New-ItemProperty -Path $regPath -Name "Id" -Value $taskGuid -PropertyType String -Force | Out-Null
New-ItemProperty -Path $regPath -Name "SecurityDescriptor" -Value "O:BAG:SYD:(A;;FA;;;SY)(A;;FA;;;BA)" -PropertyType String -Force | Out-Null

Write-Host "[+] Registry task written to $regPath – detection rule should fire."
Cleanup Commands:
# Remove only the simulated task keys: select subkeys whose "Path" value points at the
# dummy payload, so genuine task cache entries (which never have an Id value) are untouched
$tasksRoot = "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks"
$payload   = "$env:LOCALAPPDATA\malware\evil.exe"
Get-ChildItem -Path $tasksRoot | Where-Object {
    (Get-ItemProperty -Path $_.PSPath).Path -eq $payload
} | ForEach-Object {
    Remove-Item -Path $_.PSPath -Recurse -Force
}
# Optionally remove the dummy payload directory
Remove-Item -Path "$env:LOCALAPPDATA\malware" -Recurse -Force -ErrorAction SilentlyContinue
Write-Host "[+] Cleanup completed."
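The narrative, regression script and cleanup above describe one loop: write a task definition straight into the TaskCache registry branch and confirm that the Sysmon Event 13 it produces matches the rule's selector. The following is an added example, not the vendor's rule or any code from the original page, showing how that selector can be evaluated over exported Sysmon 13 events. It goes beyond the page's path match in one respect: it also records which process wrote the value, because the Task Scheduler service (hosted in svchost.exe) is the normal writer of this branch and a write by powershell.exe or reg.exe is itself the anomaly the simulation creates. The events, GUIDs, host and account values are constructed placeholders; the field names (Image, TargetObject, Details, User) are Sysmon's own.

```python
"""Evaluate Sysmon Event ID 13 (RegistryEvent, value set) against a selector
for direct writes into the Task Scheduler cache, the telemetry the regression
script above is meant to produce.

Added example (not the page's or vendor's rule); all events are constructed and
GUIDs, host and account values are placeholders.
"""
import re
import xml.etree.ElementTree as ET

EVT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Sysmon reports registry targets as HKLM\...; cover both the Tasks and Tree branches.
TASKCACHE = re.compile(
    r"^HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\(Tasks|Tree)\\",
    re.IGNORECASE,
)
# Locations a standard user can write to (the page's %LocalAppData% pattern and kin).
USER_WRITABLE = re.compile(
    r"(%(LOCALAPPDATA|APPDATA|TEMP|TMP)%|\\Users\\[^\\]+\\(AppData|Downloads|Desktop)\\)",
    re.IGNORECASE,
)
# The Task Scheduler service runs inside svchost.exe and is the expected writer;
# schtasks.exe and Register-ScheduledTask both go through it rather than touching the cache.
EXPECTED_WRITER = r"c:\windows\system32\svchost.exe"


def event_fields(event_xml):
    """Flatten <EventData><Data Name=...> entries into a dict, plus the EventID."""
    root = ET.fromstring(event_xml)
    fields = {d.get("Name"): (d.text or "")
              for d in root.findall(".//e:EventData/e:Data", EVT_NS)}
    fields["EventID"] = root.findtext("e:System/e:EventID", default="", namespaces=EVT_NS)
    return fields


def evaluate(event_xml):
    """None when the selector does not match; otherwise a finding with a severity."""
    f = event_fields(event_xml)
    if f["EventID"] != "13" or not TASKCACHE.search(f.get("TargetObject", "")):
        return None
    reasons = []
    image = f.get("Image", "")
    if image.lower() != EXPECTED_WRITER:
        reasons.append(f"task cache written by {image} rather than the Task Scheduler service")
    if USER_WRITABLE.search(f.get("Details", "")):
        reasons.append("written value points at a user-writable path")
    severity = {0: "info", 1: "medium", 2: "high"}[len(reasons)]
    return {"severity": severity, "target": f["TargetObject"], "image": image,
            "user": f.get("User", ""), "reasons": reasons}


def make_sysmon13(image, user, target, details):
    """Constructed Sysmon 13 event in the shape of an exported Windows event."""
    return (f'<Event xmlns="{EVT_NS["e"]}"><System><EventID>13</EventID></System><EventData>'
            f'<Data Name="EventType">SetValue</Data><Data Name="Image">{image}</Data>'
            f'<Data Name="TargetObject">{target}</Data><Data Name="Details">{details}</Data>'
            f'<Data Name="User">{user}</Data></EventData></Event>')


TASKS = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks"
# What the regression script produces (the GUID is a constructed placeholder).
SIMULATED = make_sysmon13(
    r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", r"CORP\jdoe",
    TASKS + r"\{11111111-2222-3333-4444-555555555555}\Path",
    r"C:\Users\jdoe\AppData\Local\malware\evil.exe")
# Baseline: the service registering a built-in task; a real Path value holds the task tree path.
BASELINE = make_sysmon13(
    r"C:\Windows\System32\svchost.exe", r"NT AUTHORITY\SYSTEM",
    TASKS + r"\{66666666-7777-8888-9999-000000000000}\Path",
    r"\Microsoft\Windows\Defrag\ScheduledDefrag")
# Outside this selector: a Run-key write (handled by a different rule).
UNRELATED = make_sysmon13(
    r"C:\Windows\regedit.exe", r"CORP\jdoe",
    r"HKU\S-1-5-21-1-2-3-1001\Software\Microsoft\Windows\CurrentVersion\Run\x", r"C:\x.exe")

if __name__ == "__main__":
    for name, ev in (("simulated", SIMULATED), ("baseline", BASELINE), ("unrelated", UNRELATED)):
        print(name, evaluate(ev))
```

The baseline event is why the writer check matters: the service touches TaskCache constantly, so a rule keyed on the registry path alone is only useful once such events are either filtered by Image or scored low, as here, while the simulated write earns "high" on both counts.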