ET EXPLOIT_KIT LandUpdate808 Inject Inbound

SID: 2054228
Rev: 1
Source: et/open
Created: July 2, 2024
Updated: July 2, 2024
Classification: trojan-activity
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT LandUpdate808 Inject Inbound"; flow:established,to_client; http.response_body; content:"var|20|client|20 3d 20|new|20|HttpClient|28 29 3b|"; distance:0; content:"client|2e|get|28 27|https|3a 2f 2f|www|2e|cloudflare|2e|com|2f|cdn|2d|cgi|2f|trace|27 2c 20|function|28|data|29 20 7b|"; distance:0; fast_pattern; content:"|20 3d 20|window|2e|navigator|2e|userAgent|2e|toLowerCase|28 29 2c|"; distance:0; content:"var|20|domainName|3d 22|https|3a 2f 2f|"; distance:0; content:"|3d 20|new|20|XMLHttpRequest|28 29 3b|"; distance:0; content:"|2e|onreadystatechange|20 3d 20|function|28 29 20 7b|"; distance:0; content:"|2e|readyState|20 3d 3d 20|XMLHttpRequest|2e|DONE|29 20 7b|"; distance:0; reference:url,malasada.tech/the-landupdate808-fake-update-variant/; classtype:trojan-activity; sid:2054228; rev:1; metadata:attack_target Client_Endpoint, tls_state TLSDecrypt, created_at 2024_07_02, deployment Perimeter, deployment SSLDecrypt, performance_impact Low, confidence Medium, signature_severity Minor, tag Exploit_Kit, tag compromised_website, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_07_02;)

Metadata

attack target: Client_Endpoint
tls state: TLSDecrypt
created at: 2024_07_02
deployment: SSLDecrypt
performance impact: Low
confidence: Medium
signature severity: Minor
tag: Description_Generated_By_Proofpoint_Nexus
updated at: 2024_07_02
