Rule History

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Fake Browser Update via Error Page Loader"; flow:established,to_client; http.response_body; content:"let|20|agent1|20 3d 20|navigator|2e|userAgent|2e|toLowerCase|28 29 3b|"; startswith; fast_pattern; content:"let|20|lang1|20 3d 20|navigator|2e|language|7c 7c|navigator|2e|userLanguage|3b|"; distance:0; content:"if|28|agent1|2e|indexOf|28 27|win|27 29 20 3c 20|0|20 7c 7c 20|lang1|2e|indexOf|28 27|CN|27 29 20 3e 20|0|20 29|"; distance:0; content:"if|20 28|Math|2e|random|28 29 20 3e|0|29 7b|"; distance:0; content:"|3d|document|2e|createElement|28 27|script|27 29 3b|"; distance:0; reference:url,isc.sans.edu/diary/Supply%20Chain%20Compromise%20or%20False%20Positive%3A%20The%20Intriguing%20Case%20of%20efile.com%20%5Bupdated%20-%20confirmed%20malicious%20code%5D/29708; classtype:trojan-activity; sid:2044883; rev:1; metadata:attack_target Client_Endpoint, created_at 2023_04_04, deployment Perimeter, deployment SSLDecrypt, performance_impact Low, confidence High, signature_severity Major, tag compromised_website, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2023_04_04;)