Et rule 2044883 - Magic-SigExplorer

""ET TROJAN Fake Browser Update via Error Page Loader""

SID: 2044883

Revision: 1

Class Type: trojan-activity

Metadata: attack_target Client_Endpoint, created_at 2023_04_04, deployment Perimeter, deployment SSLDecrypt, performance_impact Low, confidence High, signature_severity Major, updated_at 2023_04_04

Reference:

Link

Protocol: tcp

Source Network: $EXTERNAL_NET

Source Port: $HTTP_PORTS

Destination Network: $HOME_NET

Destination Port: any

Flow: established,to_client

Contents:

Value: "let|20|agent1|20 3d 20|navigator|2e|userAgent|2e|toLowerCase|28 29 3b|" Depth: 47
Value: "let|20|lang1|20 3d 20|navigator|2e|language|7c 7c|navigator|2e|userLanguage|3b|"
Value: "if|28|agent1|2e|indexOf|28 27|win|27 29 20 3c 20|0|20 7c 7c 20|lang1|2e|indexOf|28 27|CN|27 29 20 3e 20|0|20 29|"
Value: "if|20 28|Math|2e|random|28 29 20 3e|0|29 7b|"
Value: "|3d|document|2e|createElement|28 27|script|27 29 3b|"

Within:

PCRE:

Special Options:

file_data
fast_pattern

source