alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Downloaded .PNG With Embedded File (.sh)"; flow:established,to_client; http.content_type; content:"image/png"; startswith; http.response_body; content:"|89 50 4E 47 0D 0A 1A 0A|"; startswith; content:"|00 00 00 00 49 45 4E 44 AE 42 60 82 23 21 2f|bin|2f|sh"; distance:0; fast_pattern; reference:url,trendmicro.com/en_us/research/22/g/alibaba-oss-buckets-compromised-to-distribute-malicious-shell-sc.html; classtype:trojan-activity; sid:2037811; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_07_22, deployment Perimeter, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2022_07_22;)