The Liudoor Trojan, associated with the Terracotta APT, is likely being used to establish covert command and control channels within the network. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate advanced persistent threat activity before significant data exfiltration or system compromise occurs.
YARA Rule
rule LiuDoor_Malware_1
{
    meta:
        description = "Liudoor Trojan used in Terracotta APT"
        author = "Florian Roth"
        reference = "https://blogs.rsa.com/terracotta-vpn-enabler-of-advanced-threat-anonymity/"
        date = "2015-08-04"
        score = 70
        super_rule = 1
        hash1 = "deed6e2a31349253143d4069613905e1dfc3ad4589f6987388de13e33ac187fc"
        hash2 = "4575e7fc8f156d1d499aab5064a4832953cd43795574b4c7b9165cdc92993ce5"
        hash3 = "ad1a507709c75fe93708ce9ca1227c5fefa812997ed9104ff9adfec62a3ec2bb"
    strings:
        $s1 = "svchostdllserver.dll" fullword ascii
        $s2 = "SvcHostDLL: RegisterServiceCtrlHandler %S failed" fullword ascii
        $s3 = "\\nbtstat.exe" fullword ascii
        $s4 = "DataVersionEx" fullword ascii
    condition:
        uint16(0) == 0x5a4d and filesize < 150KB and all of them
}
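To make the condition above concrete, here is an added Python re-implementation of the rule's checks (MZ magic, size bound, and the four `fullword ascii` strings), which is not part of the original page or of Florian Roth's rule set. It runs against constructed byte buffers rather than real samples; the buffers and the helper names are assumptions, and the rule's own strings and thresholds are transcribed as written.

```python
# Constants transcribed from the LiuDoor_Malware_1 rule above.
MZ_MAGIC = 0x5A4D          # uint16(0) == 0x5a4d: the bytes "MZ" read little-endian
MAX_SIZE = 150 * 1024      # YARA's "150KB" means 150 * 1024 bytes
RULE_STRINGS = {
    "$s1": b"svchostdllserver.dll",
    "$s2": b"SvcHostDLL: RegisterServiceCtrlHandler %S failed",
    "$s3": b"\\nbtstat.exe",   # YARA "\\nbtstat.exe" is a literal backslash + nbtstat.exe
    "$s4": b"DataVersionEx",
}

def _is_alnum(b: int) -> bool:
    """ASCII [0-9A-Za-z], the boundary class YARA uses for 'fullword'."""
    return 0x30 <= b <= 0x39 or 0x41 <= b <= 0x5A or 0x61 <= b <= 0x7A

def fullword_ascii_match(data: bytes, needle: bytes) -> bool:
    """True if needle occurs with no alphanumeric byte directly before or after
    it, mirroring YARA's 'fullword ascii'. YARA checks the neighbouring bytes no
    matter what the needle starts with, so "System32\\nbtstat.exe" does NOT
    satisfy $s3: the '2' before the backslash breaks the word boundary."""
    start = 0
    while (pos := data.find(needle, start)) != -1:
        end = pos + len(needle)
        before_ok = pos == 0 or not _is_alnum(data[pos - 1])
        after_ok = end == len(data) or not _is_alnum(data[end])
        if before_ok and after_ok:
            return True
        start = pos + 1
    return False

def matches_liudoor_rule(data: bytes) -> dict:
    """Evaluate the rule condition and report which parts matched."""
    result = {
        "mz_header": len(data) >= 2 and int.from_bytes(data[:2], "little") == MZ_MAGIC,
        "size_ok": len(data) < MAX_SIZE,
    }
    for name, needle in RULE_STRINGS.items():
        result[name] = fullword_ascii_match(data, needle)
    result["matched"] = all(result.values())   # "all of them" plus the two header checks
    return result

# Constructed buffers (not real malware): a fake MZ header followed by
# NUL-separated strings, as a compiler lays them out in .rdata.
POSITIVE_SAMPLE = b"MZ" + b"\x00" * 62 + b"\x00".join(RULE_STRINGS.values()) + b"\x00"
# Same content, but $s3 embedded in a path so the fullword boundary fails.
PATH_SAMPLE = POSITIVE_SAMPLE.replace(b"\x00\\nbtstat.exe", b"\x00C:\\Windows\\System32\\nbtstat.exe")
NO_MZ_SAMPLE = b"PK" + POSITIVE_SAMPLE[2:]
```

The per-component dictionary is useful when triaging a hit or a near-miss: it shows which of the six conditions failed instead of a bare true/false.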
This rule contains 4 string patterns in its detection logic. The scenarios below describe legitimate activity that could trigger an alert on it, each with a suggested filter or exclusion for the surrounding endpoint telemetry. Several of the exclusions mix AND and OR without parentheses, so check operator precedence in your query language before deploying them.
Scenario: Legitimate scheduled job using liudoor as part of a backup script
Filter/Exclusion: process.name != "liudoor" OR process.parent_process.name == "schtasks.exe" OR file.path contains "backup"
Scenario: System administrator using liudoor for legitimate remote management
Filter/Exclusion: process.user contains "admin" OR process.parent_process.name == "taskmgr.exe" OR process.parent_process.name == "mstsc.exe"
Scenario: Scheduled execution of a legitimate third-party tool named liudoor
Filter/Exclusion: file.name == "liudoor.exe" AND file.path contains "trusted_vendor" OR process.parent_process.name == "schtasks.exe"
Scenario: False positive from a legitimate system process named liudoor
Filter/Exclusion: process.name == "liudoor" AND process.parent_process.name == "explorer.exe" OR process.parent_process.name == "services.exe"
Scenario: Use of liudoor in a legitimate CI/CD pipeline for deployment tasks
Filter/Exclusion: process.parent_process.name == "jenkins.exe" OR file.path contains "ci_cd_tooling" OR process.user contains "ci_user"