alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE JS/Spy.Banker.LD Credit Card Skimmer Inbound"; flow:established,to_client; file.data; content:"|5c|x43|5c|x72|5c|x65|5c|x64|5c|x69|5c|x74|5c|x2f|5c|x44|5c|x65|5c|x62|5c|x69|5c|x74|5c|x20|5c|x43|5c|x61|5c|x72|5c|x64|5c|x20|5c|x53|5c|x65|5c|x63|5c|x75|5c|x72|5c|x65|5c|x20|5c|x50|5c|x61|5c|x79|5c|x6d|5c|x65|5c|x6e|5c|x74"; nocase; fast_pattern; content:"|5c|x43|5c|x61|5c|x72|5c|x64|5c|x68|5c|x6f|5c|x6c|5c|x64|5c|x65|5c|x72"; distance:0; nocase; content:"|5c|x70|5c|x61|5c|x79|5c|x6d|5c|x65|5c|x6e|5c|x74|5c|x5b|5c|x63|5c|x63|5c|x5f|5c|x6f|5c|x77|5c|x6e|5c|x65|5c|x72|5c|x5d"; distance:0; nocase; reference:md5,8303f07a6c09ba1fe2660ab125ff6c55; reference:url,twitter.com/MBThreatIntel/status/1573059941619081221; classtype:trojan-activity; sid:2038960; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_09_23, deployment Perimeter, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2022_09_23;)