TL;DR
Convert Master is a browser hijacker, delivered via ads, that changes the browser’s default search engine – and I’ve observed it using a redirector for the “Retro Revive” fake search engine.
Tactical Pause
THE CONTENT, VIEWS, AND OPINIONS EXPRESSED ON THIS DOCUMENT ARE MY OWN AND DO NOT REFLECT THOSE OF MY EMPLOYER OR ANY AFFILIATED ORGANIZATIONS. ALL RESEARCH, ANALYSIS, AND WRITING ARE CONDUCTED ON MY PERSONAL TIME AND USING MY OWN PERSONALLY-ACQUIRED RESOURCES. ANY REFERENCES, TOOLS, OR SOFTWARE MENTIONED HERE ARE LIKEWISE USED INDEPENDENTLY AND ARE NOT ASSOCIATED WITH, ENDORSED, OR FUNDED BY MY EMPLOYER.
Summary Up Front
This post documents my analysis of the browser hijacker Convert Master. I was served a Google ad for Convert Master while looking for info on VA pay. I analyzed it using Any Run and dnSpy. Convert Master creates a desktop shortcut to application.convertmasterapp[.]com for the file conversions. If the user’s browser is Firefox, or the browser dynamically targeted by the server-side config, Convert Master adds a new search engine using dynamically retrieved configuration and sets it as the default. That search engine redirects to the “Retro Revive” search engine. Retro Revive is not a real search engine; it simply redirects your searches to another search engine (Yahoo Search in my observation).
Intro
I needed to look up some stuff for the VA. I searched for “VA Pay” and clicked a result for govsalaries[.]com (hxxps://govsalaries[.]com/salaries/FD/department-of-veterans-affairs#google_vignette). After a few seconds, it served the full-screen ad seen below.

I took the Google Ads link below and ran it in Any Run [1].
hxxps://googleads.g.doubleclick[.]net/aclk?sa=l&ai=CNRdxpSH8aJf2ArvZt7UP75ScUZfGrvWCAeimj5LZFMSEhZ4LEAEg9PnGJWDJ5s2H5KOkF6AB0crPvwHIAQHgAgCoAwHIA0iqBMkCT9DHaJtr6BUrOehoTDdb3Qbiak_gjSVG_APgxPa97JE8Wyb8zsWwqQe97-ezOpO-HSEXHnONkoz7c9BAFKUZcbBY25WJRq5iAvQuGy6fMc5hWjnocY8Evz4EiscUOQnXOX1qWFEypFT5Rv2Fpsm5wJ8JZqgk8xW2mwts4-NYjTHgLtGSG7npmH42xMqhqxjavJEVQ5raDxzzd_Axt4ufcnpPG1WA58GoonOw9eo6vOskTYN6ZVLjK07UWHtW588v_x_d9NiwRpakAu5Kab7cnRIWoVwT4NB6XAHS6nQdSTcG-PwHJh_ncnD8LoMei55wyo20D5wFWnzTEdiOh5JHk47P7Tz8r9gr2AR_C99QCb10KVFdr99UL48c_k6s0C6sW9rul1QvuY1sm7bY2q11_KYt8IFjLYFPjYq1G4mxDMXIX1KgYfFkhZLABNPI1d6yBeAEAYgF4IubpVGgBi6AB5e1sMACqAemvhuoB8zOsQKoB_PRG6gHltgbqAeqm7ECqAeOzhuoB5PYG6gH8OAbqAfulrECqAf-nrECqAevvrECqAfVyRuoB9m2sQKoB5oGqAf_nrECqAffn7ECqAf4wrECqAf7wrEC2AcB0ggvCIBhEAEYnQEyCIqCgICAgIAIOg2AQIDAgICAgKiAAqgDSL39wTpYla33wpO-kAPyCBthZHgtc3Vic3luLTk1Njk5OTQyODk2MjQxOTKxCQxccCpdHKMPgAoDmAsByAsBogwIKgYKBNbasQKqDQJVU8gNAeINEwihkfjCk76QAxW77K0AHW8KJwrqDRMIp-D5wpO-kAMVu-ytAB1vCicK8A0CiA7___________8B2BMMiBQJ0BUByhYCCgD4FgGAFwGyFw4YASoKMzM0NTM4Mzc3NLoXAjgBqhgXCQAAAJyFsJBBEgozMzQ1MzgzNzc0GAGyGAkSArFfGC4iAQDQGAHCGQIIAQ&ae=1&gclid=EAIaIQobChMI19yCw5O-kAMVu-ytAB1vCicKEAEYASAAEgKQLfD_BwE&num=1&cid=CAQSsgEAwksa0Sse-j4mYRv8RtAFe2GxJp1ho1_iYzIM9I3Q3ptMI765oJ6PsIbKHX5KO2U3Z5JHpspA8oSXv2NbPALYYBtYi2XuaAvbTAH3hMd5lL0L3DtNfVEIfr1HEH7dwZ8Lp9hD_YJMHN8coAfbzBq720GQFigRLzyy9Y4grqaswFshex_Sw4e3unc_gscOz_rh6wU56jZz_MpkGXEvvsAnCYLPyqIHoxp90-FQ_0Vgu5pQGAE&sig=AOD64_32hh5qLvyv6z9P4WNi3peHMB1mmA&client=ca-pub-6396844742497208&rf=1&nb=9&adurl=https://convertmasterapp.com/%3Fcampaign_id%3D21821310432%26adgroup_id%3D185418998867%26placement_id%3Dgovsalaries.com%26creative_id%3D763551259624%26utm_source%3Dgoogle_b2c%26gad_source%3D5%26gad_campaignid%3D21821310432%26gclid%3DEAIaIQobChMI19yCw5O-kAMVu-ytAB1vCicKEAEYASAAEgKQLfD_BwE
The snip below shows the landing page. It masquerades as a document converter. I clicked the download button. Note that the checkbox is selected in the snip; you cannot download the file if it is unchecked. Spoiler alert: this is a browser hijacker, and I suspect that’s how they get away with it – you agree to adjust your default browser setup.

This is a snip of the downloaded file. It’s from the Any Run session, so the popups are above the convertmasterapp.exe download dialog. You can see in the top popup that it was downloaded from dldthis[.]com. The SHA256 of the downloaded executable is d0c7471c7950b2f80dbf92f929dfb0f10d518b551b326e56e9b2870de90196f3.

The PCAP snips below show how the dldthis[.]com download URI is built from the downloadEndpoint and the parameters taken from the visit_num cookie values.


Execution
When I ran the executable, it displayed a window pinned at the top layer. This hides the actions being taken behind it. I say “manual” because the tasks are performed through the browser’s own UI by sending simulated key presses.

When the install completes, there’s a Convert Master shortcut on the desktop. Clicking it opens the online converter hxxps://application.convertmasterapp[.]com/#/. It’s funny how they trick you into downloading and executing a file only to send you to their online converter – which you shouldn’t use anyway.

I viewed the executable using dnSpy.
Utility Functions
The method P sends key presses.

The methods PressKeyDown and PressKeyUp press and release keys. They are used to perform key combinations such as CTRL + L and SHIFT + F10.

Here’s the P2 method, which first presses both keys down and then releases them.

The navigate method loads the new search engine that the hijacker adds. On line 436 it presses CTRL + L to focus the address bar, on line 440 it places the URL on the clipboard, on line 442 it presses CTRL + V, and on line 444 it presses ENTER.

Dynamic Configurations
The application sends a POST request to hxxps://conf.conclie[.]com/ConMasD with the GUID.
Dynamic configuration is retrieved from the server response. The snip below shows the sample POST and the response from the ConMasD route. It will be referred to many times later.

Target Browser or FF
The app targets Firefox, or the browser dynamically specified in the ConMasD “TargBr” value. In my two sandbox runs, it targeted “firefox”.
Key Functions
The ConMasD response is used, among many other things, to add the registry key for ConvertMaster. On line 35 it uses the uninstall string built from the ConMasD response. It is basically a CMD command that deletes the registry value and the desktop shortcut and opens a browser to the Firefox page on changing search settings.

The same is done for the additional brand. Nothing is actually uninstalled, though: the uninstall strings just delete the registry settings and the desktop shortcut, then open the Firefox page that shows how to change your browser search settings [2].


Browser Hijacking
Mozilla documents how you can add a search engine from the address bar [3]: if a page has a built-in search field, you can add it as a search engine from the address bar’s context menu. The method addToL automates exactly that. See the snip below; it is explained below.

It first navigates to the OS_OU URL, which is provided by ConMasD. The snip below shows the key-value pair highlighted in the JSON response. Note: this is from a second Any Run session [4].

Next, on lines 307-313, it presses the following keys: CTRL + L, SHIFT + F10, UP, ENTER.
Use the snip below to visualize this. In it I’ve navigated to the mapilor URL and pressed CTRL + L to select the address bar, then SHIFT + F10 to open the context menu (the right-click menu). Pressing UP selects the bottom option, ‘Add “search”’, and pressing ENTER adds the search engine.

The method ChangeDefSrc changes the default search engine.

The snip below shows the PRF_URL value provided in the ConMasD JSON response.

It navigates to the preferences URL (set dynamically via the ConMasD JSON), presses TAB, and then presses DOWN num times to select the new search source.
The snip below shows roughly what the user would see if the fake installer view weren’t blocking the top layer. Pressing TAB sets focus on the Default Search Engine dropdown. In the snip I clicked it to show the Mapilor option at the bottom. ChangeDefSrc calculates how many times DOWN must be pressed before the Mapilor option is selected, then presses DOWN that many times in the loop on line 334.
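The two steps above (add an engine from the address bar, then make it the default in preferences) leave a trace in the Firefox profile: the engine list and the default selection live in search.json.mozlz4. The following is an added example, not code from the post or from Convert Master, that a responder can run against a profile to spot a foreign default engine. It assumes (the post does not describe the file) that search.json.mozlz4 is the 8-byte “mozLz40\0” magic, a 4-byte little-endian decompressed size, then a single LZ4 block, and that the JSON carries an “engines” list with “_name”/“id”/“_urls” entries and a “metaData” object naming the default engine; those field names are a best effort and should be checked against the Firefox version under investigation. The sample store and the built-in engine list are constructed for the example.

```python
"""Audit a Firefox search.json.mozlz4 for an unexpected default search engine.

Added example; file layout and JSON field names are assumptions (see lead-in).
"""
import json
import struct
from typing import Dict, List, Optional

MOZLZ4_MAGIC = b"mozLz40\0"

# Engines shipped with a typical en-US Firefox profile (assumption; extend as needed).
BUILTIN_ENGINES = {"Google", "Bing", "DuckDuckGo", "Wikipedia (en)", "eBay", "Amazon.com"}


def lz4_block_decompress(src: bytes, expected_size: int) -> bytes:
    """Pure-Python LZ4 block decoder (raw block: no frame header, no checksums)."""
    out = bytearray()
    i, n = 0, len(src)
    while i < n:
        token = src[i]
        i += 1
        lit_len = token >> 4
        if lit_len == 15:                      # extended literal length
            while True:
                b = src[i]
                i += 1
                lit_len += b
                if b != 255:
                    break
        out += src[i:i + lit_len]
        i += lit_len
        if i >= n:                             # final sequence carries literals only
            break
        offset = src[i] | (src[i + 1] << 8)
        i += 2
        if offset == 0 or offset > len(out):
            raise ValueError("corrupt LZ4 block: bad match offset")
        match_len = (token & 0x0F) + 4         # minimum match is 4 bytes
        if (token & 0x0F) == 15:
            while True:
                b = src[i]
                i += 1
                match_len += b
                if b != 255:
                    break
        start = len(out) - offset
        for k in range(match_len):             # byte-wise copy so overlapping matches work
            out.append(out[start + k])
    if len(out) != expected_size:
        raise ValueError("decompressed size mismatch")
    return bytes(out)


def load_search_store(blob: bytes) -> dict:
    """Parse a mozlz4 blob into the search store JSON."""
    if blob[:8] != MOZLZ4_MAGIC:
        raise ValueError("not a mozlz4 file")
    (size,) = struct.unpack("<I", blob[8:12])
    return json.loads(lz4_block_decompress(blob[12:], size).decode("utf-8"))


def audit_search_store(store: dict, builtin=BUILTIN_ENGINES) -> Dict[str, object]:
    """Report the default engine and every engine that is not in the built-in set."""
    meta = store.get("metaData", {})
    default_ref = meta.get("defaultEngineId") or meta.get("current")   # assumed key names
    default_name: Optional[str] = None
    foreign: List[dict] = []
    for eng in store.get("engines", []):
        name = eng.get("_name")
        if default_ref is not None and default_ref in (eng.get("id"), name):
            default_name = name
        if name not in builtin:
            urls = eng.get("_urls") or []
            foreign.append({"name": name, "loadPath": eng.get("_loadPath"),
                            "searchUrl": urls[0].get("template") if urls else None})
    return {"default": default_name, "foreign_engines": foreign,
            "default_is_foreign": default_name is not None and default_name not in builtin}


def lz4_block_literals_only(data: bytes) -> bytes:
    """Encode data as one literal run (valid LZ4, no compression); only for the sample below."""
    n = len(data)
    if n < 15:
        return bytes([n << 4]) + data
    head = bytearray([0xF0])
    n -= 15
    while n >= 255:
        head.append(255)
        n -= 255
    head.append(n)
    return bytes(head) + data


def build_mozlz4(payload: bytes) -> bytes:
    return MOZLZ4_MAGIC + struct.pack("<I", len(payload)) + lz4_block_literals_only(payload)


# Constructed sample store (not from the post): a user-added engine has become the default.
SAMPLE_STORE = {
    "engines": [
        {"id": "google", "_name": "Google", "_loadPath": "[app]google"},
        {"id": "bing", "_name": "Bing", "_loadPath": "[app]bing"},
        {"id": "mapilor-1", "_name": "Mapilor", "_loadPath": "[user]",
         "_urls": [{"template": "https://wesd.mapilor.com/?q={searchTerms}"}]},
    ],
    "metaData": {"defaultEngineId": "mapilor-1"},
}
SAMPLE_FILE = build_mozlz4(json.dumps(SAMPLE_STORE).encode("utf-8"))


def audit_file(blob: bytes) -> Dict[str, object]:
    return audit_search_store(load_search_store(blob))


if __name__ == "__main__":
    print(json.dumps(audit_file(SAMPLE_FILE), indent=2))
```

To run it against a real profile, read search.json.mozlz4 from the profile directory in binary mode and pass the bytes to audit_file; a default that is not in the built-in set, or any engine whose search template points at a host you do not recognize, is what this hijacker leaves behind.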

wesd mapilor Code
The snip below shows the response to the wesd.mapilor[.]com request.

It looks like it pretty much just appends q= followed by the query.
Browser Hijacking Flow
In the Any Run session I searched for “creating a search so that I can analyze the flow in PCAP…”. The snip below shows that request and the 302 response. Mapilor redirects it to searchretrorevive[.]com; Mapilor acts as a pass-through to the “Retro Revive” search engine.

The snip below shows the request to the Retro Revive search engine; it in turn redirects to Yahoo Search.

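The flow above (query sent to a hijacker host, one or more 302s, and the same query arriving at a real search engine) is visible in any proxy or egress log that records redirects. The following is an added example, not code from the post, that walks such a log and reports pass-through search redirectors. The log format and the sample lines are constructed for the example (the hosts are the post’s indicators, written undefanged so the URL parser accepts them); the set of known search engines is an assumption you would extend for your own environment.

```python
"""Find pass-through search redirector chains in HTTP proxy logs (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

# Legitimate end points for a search (assumption; extend for your estate).
KNOWN_SEARCH_HOSTS = {"search.yahoo.com", "www.google.com", "www.bing.com", "duckduckgo.com"}
QUERY_KEYS = ("q", "p", "query", "search")          # common search-term parameter names
REDIRECT_STATUSES = {301, 302, 303, 307, 308}


@dataclass
class Hit:
    ts: str
    client: str
    url: str
    status: int
    location: Optional[str]


def parse_log(text: str) -> List[Hit]:
    """Constructed format: ts client method url status location ('-' when absent)."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, _method, url, status, location = line.split()
        hits.append(Hit(ts, client, url, int(status), None if location == "-" else location))
    return hits


def host_of(url: str) -> str:
    return (urlsplit(url).hostname or "").lower()


def search_query(url: str) -> Optional[str]:
    """Return the normalised search term carried by the URL, if any parameter looks like one."""
    qs = parse_qs(urlsplit(url).query)
    for key in QUERY_KEYS:
        if key in qs and qs[key][0].strip():
            return " ".join(qs[key][0].split()).lower()
    return None


def follow_chain(hits: List[Hit], start: int) -> List[str]:
    """Walk Location headers from hits[start], matching each hop to the client's next request."""
    cur = hits[start]
    chain = [cur.url]
    seen = {start}
    while cur.status in REDIRECT_STATUSES and cur.location:
        chain.append(cur.location)
        nxt = next((j for j in range(start + 1, len(hits))
                    if j not in seen and hits[j].client == cur.client
                    and hits[j].url == cur.location), None)
        if nxt is None:
            break
        seen.add(nxt)
        cur = hits[nxt]
    return chain


def find_search_redirectors(log_text: str) -> List[Dict[str, object]]:
    """Report chains that start at an unknown host with a query and end at a known engine with it."""
    hits = parse_log(log_text)
    # A request that is itself the target of an earlier redirect is not a chain head.
    redirect_targets = {(h.client, h.location) for h in hits if h.location}
    findings = []
    for i, h in enumerate(hits):
        if h.status not in REDIRECT_STATUSES or not h.location:
            continue
        if (h.client, h.url) in redirect_targets:
            continue
        query = search_query(h.url)
        if query is None or host_of(h.url) in KNOWN_SEARCH_HOSTS:
            continue
        chain = follow_chain(hits, i)
        final = chain[-1]
        if host_of(final) not in KNOWN_SEARCH_HOSTS or search_query(final) != query:
            continue                                    # not a pass-through to a real engine
        findings.append({
            "client": h.client,
            "redirector": host_of(h.url),
            "intermediates": [host_of(u) for u in chain[1:-1]],
            "final_host": host_of(final),
            "query": query,
            "hops": len(chain) - 1,
        })
    return findings


# Constructed sample log (not the post's PCAP).
SAMPLE_LOG = """\
2025-10-24T15:02:11Z 10.0.0.5 GET https://wesd.mapilor.com/?q=creating+a+search 302 https://searchretrorevive.com/?q=creating+a+search
2025-10-24T15:02:11Z 10.0.0.5 GET https://searchretrorevive.com/?q=creating+a+search 302 https://search.yahoo.com/search?p=creating+a+search
2025-10-24T15:02:12Z 10.0.0.5 GET https://search.yahoo.com/search?p=creating+a+search 200 -
2025-10-24T15:05:40Z 10.0.0.7 GET https://www.google.com/search?q=weather 200 -
2025-10-24T15:06:01Z 10.0.0.7 GET https://example.org/login 302 https://example.org/home
"""

if __name__ == "__main__":
    for finding in find_search_redirectors(SAMPLE_LOG):
        print(finding)
```

The detection keys on the query term surviving the whole chain rather than on specific hostnames, so it still fires when the redirector and the intermediate domain rotate; the redirector and intermediate hosts it reports are the new indicators to block.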
Threat Actor Objectives
It appears the threat actor is monitoring search queries as they are redirected to Yahoo. I don’t know the full objective.
What is Retro Revive?
Tomas Meskauskas [5] discusses how Retro Revive (using retrorevivesearch[.]com instead of the searchretrorevive[.]com that I observed) is a browser hijacker [6]. Tomas includes a lot of info: what it does, how a victim might install it, and how to remove it. PCRisk also has a video about it [7].
Summary
This post documents my analysis of the browser hijacker Convert Master. I was served a Google ad for Convert Master while looking for info on VA pay. I analyzed it using Any Run and dnSpy. Convert Master creates a desktop shortcut to application.convertmasterapp[.]com for the file conversions. If the user’s browser is Firefox, or the browser dynamically targeted by the server-side config, Convert Master adds a new search engine using dynamically retrieved configuration and sets it as the default. That search engine redirects to the “Retro Revive” search engine. Retro Revive is not a real search engine; it simply redirects your searches to another search engine (Yahoo Search in my observation).
Indicators
SHA256 (downloaded executable): d0c7471c7950b2f80dbf92f929dfb0f10d518b551b326e56e9b2870de90196f3
hxxps://conf.conclie[.]com/ConMasD
convertmasterapp[.]com
dldthis[.]com
application.convertmasterapp[.]com
conf.conclie[.]com
wesd.mapilor[.]com
searchretrorevive[.]com
References
1 – https://app.any.run/tasks/172e1fdd-820f-42b7-a180-63cbbe9961e5
2 – https://support.mozilla.org/en-US/kb/change-your-default-search-settings-firefox
3 – https://support.mozilla.org/en-US/kb/add-or-remove-search-engine-firefox
4 – https://app.any.run/tasks/562bdf6c-a8a5-4d07-a043-96ce4d7d85b2?p=68fc4338ce66e87f8d45aa8d
5 – https://x.com/pcrisk
6 – https://www.pcrisk.com/removal-guides/32892-retrorevivesearch-com-redirect
7 – https://www.youtube.com/watch?v=IJovMj3jWUg