SyncFuture Spyware's Clever Avast Evasion: GUI Tricks to Bypass IDP Exclusions in China-to-India Campaign

[Khushal]

Content source

https://www.esentire.com/blog/weaponized-in-china-deployed-in-india-the-syncfuture-espionage-targeted-campaign

Avast Users beware!
A sophisticated evasion technique targeting Avast Free Antivirus was found out by Esentire TRU. The malware's objective is to add the detected file (C:\Windows\SysWOW64\msres\Setup.exe) to Avast's IDP (Intrusion Detection Prevention) exclusion list without directly disabling the antivirus engine.

Weaponized in China, Deployed in India: The SyncFuture Espionage Targeted Campaign

Learn more about a phishing site that was uncovered by eSentire’s SOC Analysts after a proactive threat investigation.

www.esentire.com

 

[Parkinsond]

When Avast is detected, the malware uses automated mouse simulation to navigate Avast's interface and add malicious files to the antivirus exclusion list, effectively whitelisting them to bypass detection.

So not only MD exculsions that are manipulable.

 

[Parkinsond]

The campaign targets residents of India with phishing emails that impersonate the Income Tax Department of India, luring victims into downloading a malicious archive.
The infection chain demonstrates a high level of sophistication, beginning with a DLL side-loading technique where a legitimate, signed Microsoft application is used to load a malicious DLL.

Does just extracting the archive lead to DLL sideloading, or the user has to execute what is called "a legitimate, signed Microsoft application"?
If execution is mandatory, then avoiding the attack is easy.

 

[Khushal]

Does just extracting the archive lead to DLL sideloading, or the user has to execute what is called "a legitimate, signed Microsoft application"?
If execution is mandatory, then avoiding the attack is easy.

Execution ofc but the user is baited into executing with targeted lures so i wouldn't say avoiding the attack is that easy.

 

[Parkinsond]

Execution ofc but the user is baited into executing with targeted lures so i wouldn't say avoiding the attack is that easy.

Logic can save me; why dispalying tax report necessitates executing an executable?
You will say the exe is disguised as pdf; okay, why not R click the file to check its properties in two seconds?

 

[nickstar1]

Anyone report this to Gen to get it fixed? Gen is pretty fast with fixing stuff.

 

[Khushal]

Logic can save me; why dispalying tax report necessitates executing an executable?
You will say the exe is disguised as pdf; okay, why not R click the file to check its properties in two seconds?

u are correct. But logic sometimes can be overpowered by work and fatigue.

 

[Parkinsond]

You @Khushal ?

 

[Divine_Barakah]

So not only MD exculsions that are manipulable.

Now would protecting Avast (or any security product) settings with a password help in this case?

@Parkinsond could you please set a password to protect Avast settings and check if adding sth to exclusions would require the password?

 

[Parkinsond]

@Parkinsond could you please set a password to protect Avast settings and check if adding sth to exclusions would require the password?

Unfortunately I just have my W reinstalled the day before yesterday; I have only MD.

 

[Khushal]

Anyone report this to Gen to get it fixed? Gen is pretty fast with fixing stuff.

done interesting insight on malwarebytes

MalwareBytes internals (incomplete) | malware source code

malwaresourcecode.com

 

[Andy Ful]

Now would protecting Avast (or any security product) settings with a password help in this case?

Yes. The malware does what the user could do when trying to add an exclusion without knowing the password.
The analyzed malware can be stopped by SAC (the DLLs have invalid signatures, payload dropper is unsigned).

 

[Parkinsond]

The analyzed malware can be stopped by SAC

and WDAC?

 

[Andy Ful]

and WDAC?

Yes.

 

[Divergent]

Primary Indicators of Compromise (IOCs)
The malware attempts to hide in legitimate-looking system directories.

Main Payload C:\Windows\SysWOW64\msres\Setup.exe

Log Directory C:\Windows\SysWOW64\msres\log

Common Files Path
C:\Program Files\Common Files\ytcommon

Persistence & Privilege Escalation

UAC Bypass
The malware uses a COM-based technique involving the ICMLuaUtil interface to elevate privileges silently.

Registry Modification
It modifies the registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer by setting the value NoPropertiesMyComputer to 0, likely to hide system information or hinder user investigation.

PDB String
The binary contains the debug path C:\Users\sakur\Desktop\k7\bypassuac1-main\x64\Release\bypassuac.pdb, linking it to known development environments.

Attribution Context
The campaign utilizes the Yangtu (SyncFuture) software certificate and infrastructure, heavily suggesting a Chinese origin targeting Indian government and infrastructure sectors.

Recommendation / Remediation
If you suspect this malware is present or are auditing a machine based on these reports, perform the following immediately.

Isolate the Host
Disconnect the machine from the network to prevent data exfiltration.

Verify Avast Exclusions

Open Avast Antivirus.

Navigate to Settings > Exceptions.

Look for any exclusions pointing to C:\Windows\SysWOW64\msres\ or Setup.exe. Remove them immediately.

Manual IOC Check (Powershell)
Run this command in an Administrator PowerShell to check for the specific file markers.

$paths = @(
    "C:\Windows\SysWOW64\msres\Setup.exe",
    "C:\Program Files\Common Files\ytcommon"
)
foreach ($path in $paths) {
    if (Test-Path $path) {
        Write-Host "CRITICAL: Malicious artifact found at $path" -ForegroundColor Red
    } else {
        Write-Host "CLEAN: $path not found." -ForegroundColor Green
    }
}

Cleanup

Check the Registry for the NoPropertiesMyComputer value mentioned above.

Scan the machine with a different non-resident scanner (e.g., Malwarebytes or HitmanPro) since the installed Avast instance may be compromised/tampered with.

References

MITRE ATT&CK T1204.001
(User Execution: Malicious Link)

MITRE ATT&CK T1562.001
(Impair Defenses: Disable or Modify Tools)

 

[TuxTalk]

Only free version....

 

[Divine_Barakah]

Only free version....

I believe it is the same both the Free and Premium version.

 

[Andy Ful]

Only free version....

This kind of targeted attack can work for any concrete application with GUI.

 

[Khushal]

Yes. The malware does what the user could do when trying to add an exclusion without knowing the password.
The analyzed malware can be stopped by SAC (the DLLs have invalid signatures, payload dropper is unsigned).

How good is SAC against signed MSIs like below SHA256:
c1ec42abf050d35a25129b0366346f1871d7bbc720af06547f5fdde6d35e6868

 

[Andy Ful]

How good is SAC against signed MSIs like below SHA256:
c1ec42abf050d35a25129b0366346f1871d7bbc720af06547f5fdde6d35e6868

Properly signed 0-day MSI files have real chances to pass by SAC. Some can be blocked and some not. However, the MSI file usually installs malware, dependent on the EXE or DLL files, which often have invalid signatures or are unsigned.
In the case of the malware from your post, it contains signed EXE/DLLs from Advanced Installer (legal application) and the fake/modified and unsigned MultiBit application (the original one is signed). The attack (fake MultiBit) can probably be blocked by SAC.