alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Suspected TA451 Related FalseFont Backdoor Response"; flow:established,to_client; http.response_body; content:"|7b 22|negotiateVersion|22 3a|"; startswith; fast_pattern; content:"|22|connectionId|22 3a 22|"; content:"|22 2c 22|connectionToken|22 3a 22|"; content:"|22 2c 22|availableTransports|22 3a 5b 7b 22|transport|22 3a 22|"; content:"|22 2c 22|transferFormats|22 3a 5b 22|"; reference:url,nextron-systems.com/2024/01/29/analysis-of-falsefont-backdoor-used-by-peach-sandstorm-threat-actor/; reference:md5,6fd5d31d607a212c6f7651c79e7655a3; classtype:trojan-activity; sid:2050678; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2024_02_01, deployment Perimeter, malware_family FalseFont, confidence High, signature_severity Critical, tag TA451, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_02_05;)