The Mitozhan Trojan, associated with the APT Terracotta group, is being used to establish persistence and exfiltrate data within the network. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate advanced persistent threats before significant data loss occurs.
YARA Rule
rule Mithozhan_Trojan
{
    meta:
        description = "Mitozhan Trojan used in APT Terracotta"
        author = "Florian Roth"
        reference = "https://blogs.rsa.com/terracotta-vpn-enabler-of-advanced-threat-anonymity/"
        date = "2015-08-04"
        score = 70
        hash = "8553b945e2d4b9f45c438797d6b5e73cfe2899af1f9fd87593af4fd7fb51794a"
    strings:
        $s1 = "adbrowser" fullword wide
        $s2 = "IJKLlGdmaWhram0vn36BgIOChYR3L45xcHNydXQvhmloa2ptbH8voYCDTw==" fullword ascii
        $s3 = "EFGHlGdmaWhrL41sf36BgIOCL6R3dk8=" fullword ascii
    condition:
        uint16(0) == 0x5a4d and filesize < 300KB and all of them
}
This YARA rule can be deployed in the following contexts:
This rule contains 3 string patterns in its detection logic.
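The condition above combines three checks: an MZ header (uint16 at offset 0 equals 0x5a4d), a size ceiling, and all three strings present as whole words, with $s1 matched in UTF-16LE ("wide"). The following Python is an added example, not part of the page or of the original rule author's tooling: it re-implements those YARA semantics by hand (no yara-python dependency) so an analyst can see exactly why a buffer does or does not fire, including the fullword and wide modifiers that are easy to misread. The sample buffers are constructed in-line and are not real malware; YARA's KB is taken as 1024 bytes.

```python
import struct

# The rule's three strings, transcribed from the page. $s1 is "wide" (UTF-16LE),
# $s2 and $s3 are "ascii"; all three carry the "fullword" modifier.
RULE_STRINGS = {
    "$s1": ("adbrowser", "wide"),
    "$s2": ("IJKLlGdmaWhram0vn36BgIOChYR3L45xcHNydXQvhmloa2ptbH8voYCDTw==", "ascii"),
    "$s3": ("EFGHlGdmaWhrL41sf36BgIOCL6R3dk8=", "ascii"),
}
MAX_FILESIZE = 300 * 1024  # "filesize < 300KB"; YARA's KB is 1024 bytes


def encode(pattern, modifier):
    """Encode a rule string the way YARA searches for it."""
    if modifier == "wide":
        return pattern.encode("utf-16-le")
    return pattern.encode("ascii")


def _alnum_at(data, pos, modifier):
    """True if an ASCII alphanumeric character (in the string's encoding) sits at pos."""
    if modifier == "wide":
        if pos < 0 or pos + 1 >= len(data):
            return False
        # A wide character is <byte, 0x00>; only ASCII alphanumerics count.
        return data[pos + 1] == 0 and bytes([data[pos]]).isalnum()
    if pos < 0 or pos >= len(data):
        return False
    return bytes([data[pos]]).isalnum()


def fullword_match(data, pattern, modifier):
    """Emulate YARA 'fullword': the occurrence must not be glued to alphanumerics."""
    needle = encode(pattern, modifier)
    step = 2 if modifier == "wide" else 1
    idx = data.find(needle)
    while idx >= 0:
        before_ok = not _alnum_at(data, idx - step, modifier)
        after_ok = not _alnum_at(data, idx + len(needle), modifier)
        if before_ok and after_ok:
            return True
        idx = data.find(needle, idx + 1)
    return False


def rule_matches(data):
    """Evaluate: uint16(0) == 0x5a4d and filesize < 300KB and all of them."""
    if len(data) < 2 or struct.unpack_from("<H", data, 0)[0] != 0x5A4D:
        return False  # not an MZ header
    if len(data) >= MAX_FILESIZE:
        return False  # size ceiling
    return all(fullword_match(data, p, m) for p, m in RULE_STRINGS.values())


# Constructed test buffers (not real samples) to exercise each branch of the condition.
S1_WIDE = "adbrowser".encode("utf-16-le")
S2 = RULE_STRINGS["$s2"][0].encode("ascii")
S3 = RULE_STRINGS["$s3"][0].encode("ascii")


def constructed_sample(header=b"MZ", s1=S1_WIDE, pad=b"\x00" * 64):
    """Assemble a fake buffer: header, then the three strings separated by padding."""
    return header + pad + s1 + pad + S2 + pad + S3 + pad


if __name__ == "__main__":
    print("baseline:", rule_matches(constructed_sample()))                       # True
    print("no MZ:", rule_matches(constructed_sample(header=b"PE")))              # False
    print("s1 ascii not wide:", rule_matches(constructed_sample(s1=b"adbrowser")))  # False
    print("s1 not fullword:", rule_matches(constructed_sample(s1="xadbrowser".encode("utf-16-le"))))  # False
    print("too large:", rule_matches(constructed_sample(pad=b"\x00" * 100_000)))  # False
```

The two negative cases around $s1 are the ones that matter in practice: an ASCII-only "adbrowser" does not satisfy a wide-only string, and "xadbrowser" fails fullword because an alphanumeric wide character precedes it. Both behaviours are what the real YARA engine does, so a hit from this rule implies the exact UTF-16LE token, not a loose substring.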
Scenario: Legitimate scheduled backup job using Veeam Backup & Replication
Filter/Exclusion: Check for presence of Veeam in the process name or command line arguments, and exclude processes running under the Veeam service account.
Scenario: System update using Windows Update or WSUS (Windows Server Update Services)
Filter/Exclusion: Filter out processes related to wuauclt.exe, svchost.exe (running under wuauserv service), or any process with Windows Update in the command line.
Scenario: Admin task using PowerShell to manage Active Directory via Import-CSV or Import-Module ActiveDirectory
Filter/Exclusion: Exclude PowerShell scripts or processes that include Import-CSV, Import-Module ActiveDirectory, or are initiated by a known admin user with elevated privileges.
Scenario: Log file parsing using LogParser from the Windows Server Resource Kit
Filter/Exclusion: Exclude processes with LogParser in the name, or filter by command line arguments containing eventlog or text as input sources.
Scenario: Network monitoring tool like Wireshark or tcpdump capturing traffic for analysis
Filter/Exclusion: Exclude processes with Wireshark, tcpdump, or tshark in the name, and filter out any traffic captured on non-critical or internal network interfaces.
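The five Scenario/Filter pairs above are process-level exclusions, so they apply when a hit on this file-scan rule is correlated with process telemetry rather than to the YARA match itself. The following Python is an added example, not code from the page or from any vendor: it encodes each exclusion as a named predicate over a constructed process-event record and returns what remains for analyst triage, together with the reason each event was suppressed. The event field names (process, cmdline, user) and the account allowlists are assumptions chosen for the example, not a real schema.

```python
# Constructed allowlists (assumptions for this example, not real accounts).
KNOWN_ADMINS = {"admin.jane"}
VEEAM_SERVICE_ACCOUNTS = {"svc-veeam"}


def _contains(text, *needles):
    """Case-insensitive substring test against any of the needles."""
    text = text.lower()
    return any(n.lower() in text for n in needles)


def is_veeam_backup(e):
    # Veeam in process name / command line, or running under the Veeam service account.
    return _contains(e["process"] + " " + e["cmdline"], "veeam") or e["user"] in VEEAM_SERVICE_ACCOUNTS


def is_windows_update(e):
    # wuauclt.exe, svchost.exe hosting wuauserv, or "Windows Update" on the command line.
    # Note that a bare svchost.exe is NOT excluded; the exclusion is scoped to wuauserv.
    return (
        _contains(e["process"], "wuauclt.exe")
        or (_contains(e["process"], "svchost.exe") and _contains(e["cmdline"], "wuauserv"))
        or _contains(e["cmdline"], "windows update")
    )


def is_ad_admin_powershell(e):
    # PowerShell using Import-CSV / Import-Module ActiveDirectory, or run by a known admin.
    return _contains(e["process"], "powershell") and (
        _contains(e["cmdline"], "Import-CSV", "Import-Module ActiveDirectory") or e["user"] in KNOWN_ADMINS
    )


def is_logparser(e):
    # LogParser in the process name, or its eventlog/text input sources on the command line.
    return _contains(e["process"], "logparser") or (
        _contains(e["cmdline"], "logparser") and _contains(e["cmdline"], "eventlog", "text")
    )


def is_packet_capture(e):
    return _contains(e["process"], "wireshark", "tcpdump", "tshark")


EXCLUSIONS = [
    ("veeam_backup", is_veeam_backup),
    ("windows_update", is_windows_update),
    ("ad_admin_powershell", is_ad_admin_powershell),
    ("logparser", is_logparser),
    ("packet_capture", is_packet_capture),
]


def triage(events):
    """Split events into (remaining, excluded); excluded maps event index -> exclusion name."""
    remaining, excluded = [], {}
    for i, ev in enumerate(events):
        for name, pred in EXCLUSIONS:
            if pred(ev):
                excluded[i] = name
                break
        else:
            remaining.append(ev)
    return remaining, excluded


# Constructed process events (not real telemetry); the last two should survive triage.
EVENTS = [
    {"process": "VeeamAgent.exe", "cmdline": "VeeamAgent.exe /backup", "user": "svc-veeam"},
    {"process": "wuauclt.exe", "cmdline": "wuauclt.exe /detectnow", "user": "SYSTEM"},
    {"process": "svchost.exe", "cmdline": "svchost.exe -k netsvcs -p -s wuauserv", "user": "SYSTEM"},
    {"process": "powershell.exe", "cmdline": "powershell.exe -Command Import-Module ActiveDirectory", "user": "admin.jane"},
    {"process": "LogParser.exe", "cmdline": "LogParser.exe -i:EVT \"SELECT * FROM System\"", "user": "analyst"},
    {"process": "tshark.exe", "cmdline": "tshark -i eth0", "user": "netops"},
    {"process": "svchost.exe", "cmdline": "svchost.exe -k netsvcs", "user": "SYSTEM"},
    {"process": "powershell.exe", "cmdline": "powershell.exe -File setup.ps1", "user": "bob"},
]

if __name__ == "__main__":
    remaining, excluded = triage(EVENTS)
    for i, reason in excluded.items():
        print(f"excluded #{i} ({EVENTS[i]['process']}): {reason}")
    print("remaining for triage:", [e["process"] for e in remaining])
```

Keeping each exclusion as a named predicate makes the suppression reason visible in the output, which is what you want when a tuning rule is later questioned; the admin-user exclusion in particular is broad, so a named reason makes it easy to audit how often it fires.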