Custom rules for YARA-integrated scans
- CVE-2012-0158 (Common OLE signature)
- CVE-2012-0158 (Newer variant)
- From AlienVault Labs
  - http://labs.alienvault.com/labs/index.php/2013/yara-rules-for-apt1comment-crew-malware-arsenal/
  - https://github.com/jaimeblasco/AlienvaultLabs/blob/master/malware_analysis/CommentCrew/apt1.yara
- Possible XPlug variants (newer releases)
- Dynamic DLL abuse signatures