alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Magecart Loader Javascript"; flow:established,to_client; http.stat_code; content:"200"; http.server; content:"DDoS-Guard"; nocase; bsize:10; fast_pattern; file.data; content:"|09 09 09 09|"; byte_test:4,=,151587081,20,relative; content:"function"; distance:0; content:"|09 09 09 09|"; byte_test:4,=,151587081,7000,relative; reference:url,malwarebytes.com/blog/threat-intelligence/2023/01/crypto-inspired-magecart-skimmer-surfaces-via-digital-crime-haven; classtype:bad-unknown; sid:2043311; rev:1; metadata:attack_target Client_Endpoint, created_at 2023_01_17, deployment Perimeter, performance_impact Moderate, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2023_01_17, reviewed_at 2024_10_14;)