alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Fake Browser Update via Error Page Payload"; flow:established,to_client; http.response_body; content:"let|20|agent|20 3d 20|navigator|2e|userAgent|2e|toLowerCase|28 29 3b|"; startswith; fast_pattern; content:"let|20|payload|5f|chrome|20 3d 20 27|"; distance:0; content:"let|20|payload|5f|firefox|20 3d 20 27|"; distance:0; content:"let|20|ua1|20 3d 20 27 27 3b|"; distance:0; content:"let|20|payload|20 3d 20 27 27 3b|"; distance:0; reference:url,isc.sans.edu/diary/Supply%20Chain%20Compromise%20or%20False%20Positive%3A%20The%20Intriguing%20Case%20of%20efile.com%20%5Bupdated%20-%20confirmed%20malicious%20code%5D/29708; classtype:trojan-activity; sid:2044885; rev:1; metadata:attack_target Client_Endpoint, created_at 2023_04_04, deployment Perimeter, performance_impact Low, confidence High, signature_severity Major, tag compromised_website, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2023_04_04;)