Update APT_Sofacy_xtunnel_bundestag.yar

malware/APT_Sofacy_xtunnel_bundestag.yar

@@ -2,7 +2,7 @@
     This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
 
 */
-rule apt_sofacy_xtunnel {
+rule apt_sofacy_xtunnel : APT28 Sofacy {
     meta:
         author = "Claudio Guarnieri"
         description = "Sofacy Malware - German Bundestag"
@@ -24,7 +24,7 @@ rule apt_sofacy_xtunnel {
         ((uint16(0) == 0x5A4D) or (uint16(0) == 0xCFD0)) and (($xaps) or (all of ($variant1*)) or (all of ($variant2*)) or (6 of ($mix*))) 
 }
 
-rule Sofacy_Bundestag_Winexe {
+rule Sofacy_Bundestag_Winexe : APT28 Sofacy {
     meta:
         description = "Winexe tool used by Sofacy group in Bundestag APT"
         author = "Florian Roth"
@@ -39,7 +39,7 @@ rule Sofacy_Bundestag_Winexe {
         uint16(0) == 0x5a4d and filesize < 115KB and all of them
 }
 
-rule Sofacy_Bundestag_Mal2 {
+rule Sofacy_Bundestag_Mal2 : APT28 Sofacy {
     meta:
         description = "Sofacy Group Malware Sample 2"
         author = "Florian Roth"
@@ -56,7 +56,7 @@ rule Sofacy_Bundestag_Mal2 {
         uint16(0) == 0x5a4d and ( 1 of ($x*) ) and $s1
 }
 
-rule Sofacy_Bundestag_Mal3 {
+rule Sofacy_Bundestag_Mal3 : APT28 Sofacy {
     meta:
         description = "Sofacy Group Malware Sample 3"
         author = "Florian Roth"
@@ -85,7 +85,7 @@ rule Sofacy_Bundestag_Mal3 {
         ) 
 }
 
-rule Sofacy_Bundestag_Batch {
+rule Sofacy_Bundestag_Batch : APT28 Sofacy {
     meta:
         description = "Sofacy Bundestags APT Batch Script"
         author = "Florian Roth"