The Liudoor Trojan, associated with the Terracotta APT, is likely being used to establish covert command and control channels within the network. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate advanced persistent threat activity before significant data exfiltration or system compromise occurs.
YARA Rule

rule LiuDoor_Malware_2
{
    meta:
        description = "Liudoor Trojan used in Terracotta APT"
        author = "Florian Roth"
        reference = "https://blogs.rsa.com/terracotta-vpn-enabler-of-advanced-threat-anonymity/"
        date = "2015-08-04"
        score = 70
        super_rule = 1
        hash1 = "f3fb68b21490ded2ae7327271d3412fbbf9d705c8003a195a705c47c98b43800"
        hash2 = "e42b8385e1aecd89a94a740a2c7cd5ef157b091fabd52cd6f86e47534ca2863e"
    strings:
        $s0 = "svchostdllserver.dll" fullword ascii
        $s1 = "Lpykh~mzCCRv|mplpykCCHvq{phlCC\\jmmzqkIzmlvpqCC" fullword ascii
    condition:
        uint16(0) == 0x5a4d and filesize < 100KB and all of them
}
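The rule's condition is small enough to mirror in plain Python, which is useful for unit-testing the logic or explaining it to analysts who do not run a YARA engine. The block below is an added example, not the rule author's code and not part of the page; function names, the constructed sample buffer, and the `build_sample` helper are this example's own. It reproduces the three checks (little-endian `uint16(0)` equal to `0x5a4d`, i.e. the bytes `MZ`; size strictly below 100 KiB; both strings present with YARA's `fullword` semantics, meaning no alphanumeric byte immediately before or after the match). The page does not say how `$s1` was produced; the `xor_decode` helper is included only because XORing each byte with 0x1F happens to yield a readable registry path, which is a computed observation about the string, not a statement about the sample. For production scanning use yara-python with the real rule.

```python
"""Pure-Python mirror of the LiuDoor_Malware_2 condition (added example).

This is not the rule author's code and not a YARA engine; it re-implements the
rule's three checks (MZ header, size < 100KB, both strings as fullword ascii)
so the logic can be exercised on constructed bytes without yara-python.
"""

# The two strings exactly as in the rule. YARA's "\\" escape denotes one
# backslash, and so does Python's, so the literals are byte-for-byte identical.
S0 = b"svchostdllserver.dll"
S1 = b"Lpykh~mzCCRv|mplpykCCHvq{phlCC\\jmmzqkIzmlvpqCC"
MAX_SIZE = 100 * 1024  # YARA's "100KB" is 100 * 1024 bytes; "<" is exclusive


def fullword_ascii(haystack: bytes, needle: bytes) -> bool:
    """YARA 'fullword' semantics for an ascii string: some occurrence of the
    needle is neither preceded nor followed by an alphanumeric byte."""
    pos = haystack.find(needle)
    while pos != -1:
        before = haystack[pos - 1:pos] if pos > 0 else b""
        after = haystack[pos + len(needle):pos + len(needle) + 1]
        # bytes.isalnum() is ASCII-only, like YARA's check; b"".isalnum() is False
        if not before.isalnum() and not after.isalnum():
            return True
        pos = haystack.find(needle, pos + 1)
    return False


def liudoor_malware_2(data: bytes) -> bool:
    """Evaluate: uint16(0) == 0x5a4d and filesize < 100KB and all of them."""
    # uint16(0) is read little-endian, so 0x5a4d is the byte sequence b"MZ".
    if len(data) < 2 or int.from_bytes(data[:2], "little") != 0x5A4D:
        return False
    if len(data) >= MAX_SIZE:
        return False
    return fullword_ascii(data, S0) and fullword_ascii(data, S1)


def xor_decode(data: bytes, key: int) -> bytes:
    """Single-byte XOR. Used here only to show what $s1 turns into under key
    0x1F; the page does not state how the string was produced."""
    return bytes(b ^ key for b in data)


def build_sample(prefix: bytes = b"MZ", separator: bytes = b"\x00") -> bytes:
    """Constructed buffer (not a real sample): a 64-byte header starting with
    `prefix`, then the two strings, each bounded by `separator`."""
    header = (prefix + b"\x00" * 64)[:64]
    return header + S0 + separator + S1 + separator


if __name__ == "__main__":
    print("constructed MZ sample matches:", liudoor_malware_2(build_sample()))
    print("same strings, no MZ header:", liudoor_malware_2(build_sample(prefix=b"PE")))
    print("strings glued to letters (fullword fails):",
          liudoor_malware_2(build_sample(separator=b"a")))
    print("$s1 XOR 0x1f:", xor_decode(S1, 0x1F))
```

The `fullword` detail matters when porting a rule to another engine: a naive substring search would also fire on the strings embedded inside a longer identifier, which is exactly what the `separator=b"a"` case demonstrates.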
This rule contains 2 string patterns in its detection logic; both must be present, together with the MZ header and file-size checks, for the rule to fire. When hunting for related activity in Azure Sentinel, the following benign scenarios are common sources of false positives. Each is paired with the filter or exclusion to apply:

Scenario: Scheduled system maintenance using Task Scheduler to run legitimate system cleanup scripts.
Filter/Exclusion: Check for CommandLine containing schtasks.exe or schtasks /create and exclude known maintenance scripts.

Scenario: Admin performing a database backup using a SQL Server Agent job with sqlcmd.exe.
Filter/Exclusion: Filter out commands containing sqlcmd.exe and check for backup or restore in the command line.

Scenario: User running a legitimate third-party application such as 7-Zip or WinRAR for file compression.
Filter/Exclusion: Exclude processes with 7z.exe, WinRAR.exe, or similar known compression tools.

Scenario: IT staff deploying patches using Windows Update or WSUS with wusa.exe or wuauclt.exe.
Filter/Exclusion: Filter out processes associated with wusa.exe or wuauclt.exe and check for update or patch in the command line.

Scenario: System running a legitimate scheduled PowerShell script for log rotation or monitoring.
Filter/Exclusion: Exclude PowerShell scripts with known log management tools such as logrotate, or PowerShell.exe with log or rotate in the command line.
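The five scenarios above amount to an allowlist applied to process-creation telemetry. The block below is an added example, not from the page or from any Sentinel content pack: it encodes the scenarios as exclusion rules, runs them over constructed process-creation records, and returns both the excluded events (tagged with the exclusion that fired, so the allowlist stays auditable) and the residue an analyst would still review. The record fields (`host`, `image`, `command_line`), the `KNOWN_MAINTENANCE_SCRIPTS` allowlist, and the sample events are this example's own assumptions, not a Sentinel schema or real telemetry. Where the page pairs an image name with a command-line keyword, the example treats the keyword as a required second condition, because an image name on its own is a weak discriminator.

```python
"""Triage filter for the five benign-activity scenarios listed above.

Added example, not from the original page: it applies the page's exclusions
to constructed process-creation records. Field names and the allowlist are
this example's own assumptions, not a Sentinel schema.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    host: str
    image: str          # image file name of the created process
    command_line: str


# Constructed allowlist standing in for the page's "known maintenance scripts".
KNOWN_MAINTENANCE_SCRIPTS = {r"c:\ops\cleanup.ps1"}

# (label, image names, required command-line keywords or None).
# Keywords are an AND with the image check, mirroring the page's
# "filter out X and check for Y in the command line" wording.
EXCLUSIONS = [
    ("scheduled-maintenance", {"schtasks.exe"}, None),
    ("sql-agent-backup", {"sqlcmd.exe"}, re.compile(r"backup|restore")),
    ("archiver", {"7z.exe", "winrar.exe"}, None),
    ("windows-update", {"wusa.exe", "wuauclt.exe"}, re.compile(r"update|patch")),
    ("log-rotation", {"powershell.exe"}, re.compile(r"logrotate|log|rotate")),
]


def match_exclusion(ev: ProcessEvent):
    """Return the label of the first exclusion that fully applies, else None."""
    image = ev.image.lower()
    cl = ev.command_line.lower()
    for label, images, keywords in EXCLUSIONS:
        # The image may appear as the process itself or inside the command line.
        if image not in images and not any(i in cl for i in images):
            continue
        if keywords is not None and not keywords.search(cl):
            continue
        # Scenario 1: only *known* maintenance scripts are excluded.
        if label == "scheduled-maintenance" and not any(
            s in cl for s in KNOWN_MAINTENANCE_SCRIPTS
        ):
            continue
        return label
    return None


def triage(events):
    """Split events into (excluded, remaining); excluded carries its label."""
    excluded, remaining = [], []
    for ev in events:
        label = match_exclusion(ev)
        if label is None:
            remaining.append(ev)
        else:
            excluded.append((ev, label))
    return excluded, remaining


SAMPLE_EVENTS = [  # constructed records, not real telemetry
    ProcessEvent("ws01", "schtasks.exe",
                 r'schtasks /create /tn Cleanup /tr "powershell -File C:\ops\cleanup.ps1" /sc daily'),
    ProcessEvent("db01", "sqlcmd.exe",
                 r'sqlcmd.exe -S db01 -Q "BACKUP DATABASE sales TO DISK=D:\bak\sales.bak"'),
    ProcessEvent("db01", "sqlcmd.exe",
                 r'sqlcmd.exe -S db01 -Q "SELECT name FROM sys.databases"'),
    ProcessEvent("ws02", "7z.exe", r"7z.exe a C:\Users\ann\reports.7z C:\Users\ann\reports"),
    ProcessEvent("ws03", "wusa.exe", r"wusa.exe C:\patches\kb-placeholder.msu /quiet /norestart"),
    ProcessEvent("srv01", "powershell.exe", r"powershell.exe -File C:\ops\rotate-logs.ps1"),
    ProcessEvent("srv01", "powershell.exe", r"powershell.exe -NoProfile -Command Get-Process"),
    ProcessEvent("ws04", "schtasks.exe",
                 r'schtasks /create /tn Sync /tr "C:\Users\ann\sync.bat" /sc minute'),
]


if __name__ == "__main__":
    excluded, remaining = triage(SAMPLE_EVENTS)
    for ev, label in excluded:
        print(f"excluded [{label:21}] {ev.host}: {ev.command_line}")
    for ev in remaining:
        print(f"review                      {ev.host}: {ev.command_line}")
```

Running it leaves three events for review: the sqlcmd query without a backup or restore keyword, the PowerShell invocation without a log or rotate keyword, and the scheduled task that points at a script outside the maintenance allowlist. Keeping the fired label with each excluded event is what makes the allowlist reviewable later, which matters because over-broad exclusions on common binaries are a classic way for real activity to disappear from a hunt.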