Worm Charming: Harvesting Malware Lures for Fun and Profit

Conference:  BlackHat USA 2019



It's no secret that client-side attacks are a common source of compromise for many organizations. Web browser and e-mail-borne malware campaigns target users by way of phishing, social engineering, and exploitation. Office suites from vendors such as Adobe and Microsoft are ubiquitous and provide a rich and ever-changing attack surface. Poor user awareness and clever social engineering tactics frequently result in users consenting to the execution of malicious embedded logic such as macros, JavaScript, ActionScript, and Java applets. In this talk, we'll explore a mechanism for harvesting a variety of these malware lures for the purposes of dissection and detection.

Worm charming (grunting or fiddling) is an increasingly rare real-world skill for attracting earthworms from the ground. A competitive sport in East Texas, most worm charming methods involve some vibration of the soil, which encourages the worms to surface. In our context, we'll apply a series of YARA rules to charm interesting samples to the surface from the ~1M files uploaded to VirusTotal daily. Once aggregated, we'll explore mechanisms for clustering and identifying "interesting" samples. Specifically, we're on the hunt for malware lures that can provide a heads up to defenders on upcoming campaigns, as adversaries frequently test their lures against AV consensus. Multiple real-world examples are provided, proving that an astute researcher can harvest zero-day exploits from the public domain.