alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TA406 Win32/Updog Backdoor Data Exfiltration Attempt"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/up.php?name="; startswith; http.content_type; content:"multipart/form-data|3b 20|boundary|3d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d|"; startswith; content:"7e4512a60722"; fast_pattern; distance:0; endswith; http.request_body; content:"|2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d|7e4512a60722|0d 0a|Content-Disposition|3a 20|form-data|3b 20|name|3d 22|fileToUpload|22 3b 20|filename|3d 22|"; startswith; reference:url,www.fortinet.com/blog/threat-research/konni-campaign-distributed-via-malicious-document; classtype:trojan-activity; sid:2049306; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Windows_11, attack_target Client_and_Server, created_at 2023_11_27, deployment Perimeter, malware_family Win32_Updog, confidence High, signature_severity Major, updated_at 2023_11_27; target:src_ip;)