SEBUA

Created by myself and MalwareMonster.

:warning: Warning: Only use this software according to your current legislation. Misuse of this software can raise legal and ethical issues which I don't support nor can be held responsible for.

Description

SEBUA is described as a 'Social Engineering Browser Update Attack'. This attack requires user interaction and is highly deceiving.

How it Works

• Browser Detection: SEBUA detects the browser type (Chrome, Firefox, or Edge).
• Data Injection: Uses document.write in JavaScript to inject data into the webpage.
• UI Deception: Displays an overlay mimicking the official browser download page.
• Fake Update Prompt: Demands an update to view content, triggering a download when the 'Update' button is clicked.
• Post-Download Behavior: Sets a key in the browser's localStorage to prevent overlay reappearance after the binary execution.
• End Result: Ideally leads to a beacon after the binary execution.

Examples

Chrome overlay	Firefox overlay	Edge overlay

Additional Information

The primary component is the payload.js file. To create this payload:

1. Use document.write with obfuscated HTML in payload.js.
2. Employ html-obfuscator for obfuscation and de-obfuscation.

Credits & Resources

• BinBashBanana for the html-obfuscator tool.
• Browser Detection - Useful for detecting browser types.
• MalwareBytes - Article on FakeSG and NetSupport RAT, the inspiration behind this project.