SEBUA is described as a ‘Social Engineering Browser Update Attack’. This attack requires user interaction and is highly deceptive.
How it works:
- Browser Detection: SEBUA detects the browser type (Chrome, Firefox, or Edge).
- Data Injection: Uses document.write in JavaScript to inject data into the webpage.
- UI Deception: Displays an overlay mimicking the official browser download page.
- Fake Update Prompt: Demands an update to view content, triggering a download when the ‘Update’ button is clicked.
- Post-Download Behavior: Sets a key in the browser’s localStorage to prevent overlay reappearance after the binary execution.
- End Result: Ideally leads to a beacon after the binary execution.
The primary component is the payload.js file. To create this payload:
- Use document.write with obfuscated HTML in payload.js.
- Employ html-obfuscator for obfuscation and de-obfuscation.
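As an added defensive example (not code from the original post): a heuristic scanner in JavaScript that decodes the string escapes an HTML obfuscator typically emits, so that HTML passed to document.write becomes searchable, and then reports which of the indicators described above (browser detection, document.write injection, an update lure, a download trigger, a localStorage suppression flag) are present. The indicator list and both sample scripts are constructed for illustration.

```javascript
// Heuristic scanner for SEBUA-style injected scripts (added, defensive example).

// Decode \xNN and \uNNNN escapes inside the script text (simple, not a full JS parser).
function decodeEscapes(src) {
  return src
    .replace(/\\u([0-9a-fA-F]{4})/g, (_, h) => String.fromCharCode(parseInt(h, 16)))
    .replace(/\\x([0-9a-fA-F]{2})/g, (_, h) => String.fromCharCode(parseInt(h, 16)));
}

// Indicators drawn from the SEBUA description: browser detection, document.write
// injection, an update/download lure, and a localStorage "already shown" flag.
// Patterns are illustrative assumptions, not a vetted signature set.
const INDICATORS = [
  { name: 'browser-detection', re: /navigator\.(userAgent|userAgentData)/ },
  { name: 'document-write',    re: /document\.write\s*\(/ },
  { name: 'update-lure',       re: /update\s+(required|your browser|now)/i },
  { name: 'download-trigger',  re: /<a[^>]+download[\s=>]|\.exe\b|\.msi\b/i },
  { name: 'suppress-flag',     re: /localStorage\.setItem\s*\(/ },
];

// Scan one script body; returns the matched indicator names and a verdict.
function scanScript(src) {
  const decoded = decodeEscapes(src);
  const hits = INDICATORS.filter(i => i.re.test(decoded)).map(i => i.name);
  // Verdict: the injection primitive plus at least two social-engineering cues.
  const suspicious = hits.includes('document-write') && hits.length >= 3;
  return { hits, suspicious };
}

// Constructed sample (not a real payload): the HTML is hex-escaped, as an
// obfuscator would emit it, so a plain text search for "update" would miss it.
const SAMPLE_SEBUA = [
  'if (navigator.userAgent.indexOf("Chrome") > -1) {',
  '  document.write("\\x3cdiv id=\\x22ov\\x22\\x3eUpdate required to view this page\\x3c/div\\x3e");',
  '  localStorage.setItem("ov_shown", "1");',
  '}',
].join('\n');

// Constructed benign sample: an ordinary preference-saving snippet that also
// touches navigator.userAgent and localStorage, but never injects markup.
const SAMPLE_BENIGN = 'console.log(navigator.userAgent); localStorage.setItem("theme", "dark");';

console.log(scanScript(SAMPLE_SEBUA));   // suspicious: true
console.log(scanScript(SAMPLE_BENIGN));  // suspicious: false
```

Run it over script bodies captured from a compromised site (or from a proxy log) rather than over the live page, since the overlay only renders after the obfuscated HTML has been decoded and written.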
What do you think?
It would be nice to know your opinion. Leave a comment.