
Sandworm

Posted: October 31, 2014

Threat Metric

Threat Level: 8/10
Infected PCs: 23
First Seen: October 31, 2014
Last Seen: July 25, 2022
OS(es) Affected: Windows

Sandworm may refer to either a Trojan dropper or the group of threat authors responsible for this Trojan's development. As a threat, Sandworm has been implicated in recent attacks against NATO and critical infrastructure companies, by leveraging a document vulnerability that allowed Sandworm to install other threats with broad attack capabilities. Vulnerable institutions should patch their software to block Sandworm's threat-installing attacks, and conduct regular anti-malware scans to delete Sandworm or its payload when appropriate.

Espionage Threat under Analysis: When a Sandworm isn't a Worm

Sandworm is one of the most visible elements of a threat campaign that appears to have been active since as early as 2009. Recent attacks by the Sandworm Team also may share structural similarities with those of BlackEnergy, a general threat kit that compromised United States-based control systems. Like BlackEnergy, Sandworm has been installed on PCs belonging to infrastructure companies and government organizations, including systems in Ukraine, Europe and the United States. Some of Sandworm's latest attacks were publicly acknowledged only within a week of this article's publication.

Sandworm distributes itself as a PowerPoint file. Once the file is opened, Sandworm exploits a vulnerability that initiates contact with a set of remote files. These files install additional threats, such as Trojans with backdoor or spyware components. Although these attacks were originally 'zero-day' attacks, Microsoft has since issued a security update (labeled MS14-060) that patches this serious security flaw.

Files associated with Sandworm may use misleading file names, such as the seemingly harmless GIF extension. Unlike a true computer worm, neither Sandworm nor any of the INF files Sandworm contacts has any function for creating multiple copies of itself as separate files.
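As an added illustration of the check a defender would run against that naming trick (example code written for this page, not anything from the Sandworm campaign or from this site), the following Python flags files whose .gif name does not match their content, using the GIF magic bytes and the [Version]/Signature= header that Windows INF files carry. The sample files are constructed, not real Sandworm artifacts.

```python
from pathlib import Path
from typing import Dict, List

# A real GIF starts with one of these two signatures.
GIF_MAGICS = (b"GIF87a", b"GIF89a")


def classify_bytes(data: bytes) -> str:
    """Return 'gif', 'inf' or 'unknown' from the content alone, ignoring the name."""
    head = data[:1024]
    if head.startswith(GIF_MAGICS):
        return "gif"
    # INF files are text (ANSI or UTF-16LE). Dropping NUL bytes lets a
    # UTF-16LE file match the same way; then look for the [Version] section
    # and its Signature= key, which every well-formed INF carries.
    text = head.replace(b"\x00", b"").decode("latin-1", "replace").lower()
    if "[version]" in text and "signature=" in text:
        return "inf"
    return "unknown"


def check_file(name: str, data: bytes) -> dict:
    """Compare the extension a file claims against what its bytes say it is."""
    ext = Path(name).suffix.lower().lstrip(".")
    kind = classify_bytes(data)
    # The case this page describes: a .gif name hiding non-GIF (e.g. INF) content.
    suspicious = ext == "gif" and kind != "gif"
    return {"name": name, "ext": ext, "content": kind, "suspicious": suspicious}


def scan(files: Dict[str, bytes]) -> List[str]:
    """Return the names of files whose .gif extension hides non-GIF content."""
    return [name for name, data in files.items() if check_file(name, data)["suspicious"]]


# Constructed sample inputs: one real GIF header, one INF disguised as a GIF,
# and one INF with an honest extension.
SAMPLES = {
    "photo.gif": b"GIF89a\x01\x00\x01\x00\x80\x00\x00\xff\xff\xff\x00\x00\x00",
    "slide.gif": b'[Version]\r\nSignature="$CHICAGO$"\r\n[DefaultInstall]\r\n',
    "setup.inf": b'[Version]\r\nSignature="$Windows NT$"\r\n',
}

if __name__ == "__main__":
    for name in scan(SAMPLES):
        print("extension/content mismatch:", name)
```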

Burying Sandworm where It Belongs

Even though Sandworm isn't a classic worm, Sandworm may be used against high-profile targets, such as businesses in the energy or water management sectors. This targeted usage makes it extremely likely that Sandworm's payloads install high-level threats, such as backdoor Trojans, whose capabilities are heavily invasive. Although updating your software should block any further exploitation of Sandworm's vulnerability, future variants of Sandworm may not be deterred by old patches. Accordingly, anti-malware scans are advisable for any PC user who suspects their machine is a likely target of the Sandworm campaign.

Sandworm takes its name from a classic monster of science fiction literature. Sandworm, as a threat, may not be so difficult to defeat, but its attacks come with no obvious symptoms. As a result, computers without appropriate anti-malware solutions may find themselves even more helpless against Sandworm than a human would be against the original sandworm of Frank Herbert's 'Dune.' So far, Sandworm does not appear to be in general distribution, and the available evidence strongly indicates that its use is reserved by Russia-based actors for national targets.
