Created by myself and MalwareMonster.
⚠️ Warning: Only use this software according to your current legislation. Misuse of this software can raise legal and ethical issues which I don't support nor can be held responsible for.
SEBUA is described as a 'Social Engineering Browser Update Attack'. This attack requires user interaction and is highly deceptive.
- Browser Detection: SEBUA detects the browser type (Chrome, Firefox, or Edge).
- Data Injection: Uses `document.write` in JavaScript to inject data into the webpage.
- UI Deception: Displays an overlay mimicking the official browser download page.
- Fake Update Prompt: Demands an update to view content, triggering a download when the 'Update' button is clicked.
- Post-Download Behavior: Sets a key in the browser's localStorage to prevent overlay reappearance after the binary execution.
- End Result: Ideally leads to a beacon after the binary execution.
[Screenshots: Chrome overlay, Firefox overlay, Edge overlay]
The primary component is the `payload.js` file. To create this payload:
- Use `document.write` with obfuscated HTML in `payload.js`.
- Employ html-obfuscator for obfuscation and de-obfuscation.
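
For defenders, the behaviors described above (browser sniffing, a `document.write` of decoded markup, a localStorage flag) combine into a usable static triage check for scripts found on a compromised page. The following is an added example, not code from the SEBUA project: the signal weights, the threshold, and the assumption that the hidden markup is base64 or percent-encoded are illustrative, and both samples are constructed.

```javascript
// Added example: static triage of a script that may deliver a fake "browser update" overlay.
// Signal weights and the threshold of 5 are assumptions for illustration; tune them on real data.
const SIGNALS = [
  { id: 'docwrite-decoded', weight: 3, // document.write fed by a decoder call, not a plain literal
    re: /document\.write(?:ln)?\s*\(\s*(?:atob|unescape|decodeURIComponent|String\.fromCharCode)\s*\(/ },
  { id: 'ua-branching', weight: 1, re: /navigator\.userAgent/ },
  { id: 'localstorage-flag', weight: 1, re: /localStorage\.(?:setItem|getItem)\s*\(/ },
];
// "update" within 200 characters of a browser name, in either order.
const LURE = /\bupdate\b[\s\S]{0,200}\b(?:chrome|firefox|edge)\b|\b(?:chrome|firefox|edge)\b[\s\S]{0,200}\bupdate\b/i;

// Best-effort decode of long encoded runs (base64 and percent-encoding only; other schemes need their own decoder).
function decodeCandidates(source) {
  const out = [];
  for (const [run] of source.matchAll(/[A-Za-z0-9+\/]{32,}={0,2}/g)) {
    out.push(Buffer.from(run, 'base64').toString('utf8'));
  }
  for (const [run] of source.matchAll(/(?:%[0-9A-Fa-f]{2}[\w.~!*-]*){8,}/g)) {
    try { out.push(decodeURIComponent(run)); } catch (_) { /* malformed escape: skip */ }
  }
  return out;
}

function triageScript(source) {
  const hits = SIGNALS.filter(s => s.re.test(source));
  const findings = hits.map(s => s.id);
  let score = hits.reduce((n, s) => n + s.weight, 0);
  // Hidden markup that pairs "update" with a browser name is the strongest indicator.
  if (decodeCandidates(source).some(html => /<[a-z][\s\S]*>/i.test(html) && LURE.test(html))) {
    findings.push('decoded-update-lure');
    score += 3;
  }
  return { score, findings, suspicious: score >= 5 };
}

// Constructed samples (not taken from the SEBUA repository).
const lureHtml = '<div id="ov"><h1>Update Chrome to view this page</h1><a href="#">Update</a></div>';
const SAMPLE_SUSPECT = `
  if (!localStorage.getItem('seen')) {
    var b = /Firefox/.test(navigator.userAgent) ? 'ff' : 'cr';
    document.write(atob("${Buffer.from(lureHtml).toString('base64')}"));
  }`;
const SAMPLE_BENIGN = `document.write('<p>Last updated: ' + new Date().toDateString() + '</p>');`;

console.log(triageScript(SAMPLE_SUSPECT));
console.log(triageScript(SAMPLE_BENIGN));
```

Run it with Node.js. A script that only reads the user agent and sets a localStorage preference scores 2 and stays below the threshold, so the check depends on the decoded-write and lure signals rather than on common APIs alone.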
- BinBashBanana for the html-obfuscator tool.
- Browser Detection - Useful for detecting browser types.
- Malwarebytes - Article on FakeSG and NetSupport RAT, the inspiration behind this project.