Exam SY0-601 topic 1 question 296 discussion

Actual exam question from CompTIA's SY0-601
Question #: 296
Topic #: 1

While checking logs, a security engineer notices a number of end users suddenly downloading files with the .tar.gz extension. Closer examination of the files reveals they are PE32 files. The end users state they did not initiate any of the downloads. Further investigation reveals the end users all clicked on an external email containing an infected MHT file with an href link a week prior. Which of the following is MOST likely occurring?

  • A. A RAT was installed and is transferring additional exploit tools.
  • B. The workstations are beaconing to a command-and-control server.
  • C. A logic bomb was executed and is responsible for the data transfers.
  • D. A fileless virus is spreading in the local network environment
Suggested Answer: A
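As an added illustration (this is not part of the original question or any of the comments), here is the check the engineer in the scenario is implicitly doing: compare what the filename claims with what the bytes actually are. A real .tar.gz starts with the gzip magic 1f 8b; a PE image starts with "MZ", the DOS-header field e_lfanew at offset 0x3c points at the "PE\0\0" signature, and the optional-header magic that follows the 20-byte COFF header is 0x10b for PE32 and 0x20b for PE32+. The download names and file contents below are constructed fixtures for the example, not data from the page.

```python
import io
import struct
import tarfile

# Header constants from the gzip (RFC 1952) and PE/COFF specifications.
GZIP_MAGIC = b"\x1f\x8b"
MZ_MAGIC = b"MZ"
PE_SIGNATURE = b"PE\x00\x00"
OPT_MAGIC_PE32 = 0x10B
OPT_MAGIC_PE32PLUS = 0x20B
COFF_HEADER_SIZE = 20


def classify(data: bytes) -> str:
    """Identify a blob by its leading bytes, ignoring whatever the filename claims."""
    if data.startswith(GZIP_MAGIC):
        return "gzip"
    if not data.startswith(MZ_MAGIC) or len(data) < 0x40:
        return "unknown"
    # The DOS header field e_lfanew (offset 0x3c) holds the offset of "PE\0\0".
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        return "mz-only"  # DOS stub with no PE header behind it
    # The 2-byte optional-header magic follows the 20-byte COFF file header.
    opt_off = e_lfanew + 4 + COFF_HEADER_SIZE
    if len(data) < opt_off + 2:
        return "pe-truncated"
    (opt_magic,) = struct.unpack_from("<H", data, opt_off)
    if opt_magic == OPT_MAGIC_PE32:
        return "pe32"
    if opt_magic == OPT_MAGIC_PE32PLUS:
        return "pe32+"
    return "pe-other"


def make_minimal_pe(pe32plus: bool = False) -> bytes:
    """Constructed fixture: just enough header for classify(); not a loadable image."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[0:2] = MZ_MAGIC
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    machine = 0x8664 if pe32plus else 0x14C  # IMAGE_FILE_MACHINE_AMD64 vs I386
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, 0, 0)
    opt = struct.pack("<H", OPT_MAGIC_PE32PLUS if pe32plus else OPT_MAGIC_PE32)
    return bytes(dos) + PE_SIGNATURE + coff + opt


def make_tarball() -> bytes:
    """Constructed fixture: a genuine gzip-compressed tar with one text file."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        payload = b"benign archive\n"
        info = tarfile.TarInfo("readme.txt")
        info.size = len(payload)
        tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


# Constructed sample: path recorded in the download log -> bytes written to disk.
SAMPLE_DOWNLOADS = {
    "alice/quarterly-report.tar.gz": make_tarball(),
    "bob/update.tar.gz": make_minimal_pe(),
    "carol/tools.tar.gz": make_minimal_pe(pe32plus=True),
}

ARCHIVE_SUFFIXES = (".tar.gz", ".tgz", ".gz")


def find_masqueraders(downloads: dict) -> list:
    """Return (name, kind) for files named like archives whose bytes are a PE image."""
    hits = []
    for name, data in downloads.items():
        kind = classify(data)
        if name.lower().endswith(ARCHIVE_SUFFIXES) and kind.startswith("pe"):
            hits.append((name, kind))
    return sorted(hits)


if __name__ == "__main__":
    for name, kind in find_masqueraders(SAMPLE_DOWNLOADS):
        print(f"ALERT extension/content mismatch: {name} is {kind}")
```

The point of the check is that the extension is attacker-controlled and the header is not: an endpoint or proxy rule that only keys on ".tar.gz" will wave the PE32 payload through, while a rule that reads the first bytes catches it regardless of name. Note that "mz-only" is deliberately not flagged, so a bare DOS stub without a PE header does not trigger an alert.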

Comments

SophyQueenCR82
Highly Voted 2 years, 3 months ago
A. A RAT was installed and is transferring additional exploit tools. “Remote Access Trojan A remote access Trojan (RAT) is a type of malware that allows attackers to control systems from remote locations. It is often delivered via drive-by downloads or malicious attachments in email. Once installed on a system, attackers can then access the infected computer at any time and install additional malware if desired. A growing trend is for attackers to deliver trojans as Portable Executable (PE) files in 32-bit (PE32) and 64-bit (PE64) formats. They often compress the PE files using compression tools, such as tar (sometimes called tarball). Tar files have the .tar.gz file extension.” Excerpt From CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide Darril Gibson https://itunes.apple.com/WebObjects/MZStore.woa/wa/viewBook?id=0 This material may be protected by copyright.
upvoted 26 times
BD69
1 year, 3 months ago
Wouldn't a RAT be on just one machine? The question indicates multiple machines involved.
upvoted 1 times
7b241d4
1 year, 6 months ago
tar does not compress, it can bundle up files and directories into tarballs (.tar extension) (usually for archiving). However, you can use tools like gzip to compress a tarball, which is what gives it the .gz extension.
upvoted 2 times
560exam
Highly Voted 2 years, 6 months ago
Selected Answer: A
Going with A on this one. it makes the most sense to me. RATs are typically downloaded together with a seemingly legitimate program, like a game, or are sent to the target as an email attachment. Once the attacker compromises the host's system, they can use it to distribute RATs to additional vulnerable computers, establishing a botnet.
upvoted 16 times
Coznet
Most Recent 1 year, 1 month ago
God ! I hate comptia ! A: A RAT can be used to download additional tools but it is typically hidden in a useful app (trojan). D: A fileless virus is hidden in a file (ex: MHT). It loads in RAM and then downloads a payload that runs shell commands (live off the land). C: The fact that all downloads were initiated at the same time after 1 week is indicative of a logic bomb too. Take your pick, I lean towards D since the arbitrary code was in a file and not an app.
upvoted 2 times
Nemish71
1 year, 1 month ago
Selected Answer: A
I don't see data transfer
upvoted 1 times
BD69
1 year, 3 months ago
Selected Answer: A
I don't see how this could be D: fileless viruses don't spread, right? that would be a worm, correct?
upvoted 1 times
LordJaraxxus
1 year, 4 months ago
Selected Answer: D
The answer is A. RAT and this is what I found: A remote access Trojan (RAT) is a type of malware that allows attackers to control systems from remote locations. It is often delivered via drive-by downloads or malicious attachments in email. Once installed on a system, attackers can then access the infected computer at any time and install additional malware if desired. A growing trend is for attackers to deliver trojans as Portable Executable (PE) files in 32-bit (PE32) and 64-bit (PE64) formats. They often compress the PE files using compression tools, such as tar (sometimes called tarball). Tar files have the .tar.gz file extension.
upvoted 1 times
Teleco0997
1 year, 7 months ago
Selected Answer: A
RAT it is as they are downloading stuff without any intervention
upvoted 2 times
TONADO
1 year, 7 months ago
I would go with RAT here because the end users deny having initiated the downloads.
upvoted 1 times
Yarzo
1 year, 8 months ago
Selected Answer: B
B. The workstations are beaconing to a command-and-control server. The scenario described, where end users suddenly download files with the .tar.gz extension and further examination reveals these files are PE32 files (typically Windows executables), suggests that the workstations may be compromised and communicating with a command-and-control (C2) server. This is a common behavior seen in various types of malware infections, and it aligns with the symptoms described in the question.
upvoted 4 times
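Option B, as discussed in the comment above, is something you can actually test against the logs rather than guess at. Beaconing shows up as connections from one host to one destination at nearly constant intervals, which a simple inter-arrival-time check will surface. The following is an added example (not part of the original page or discussion) that runs that check over constructed proxy log lines in the form "timestamp source destination"; the hosts, addresses and timestamps are invented for the example.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample proxy log: "ISO-timestamp source-host destination".
# ws17 talks to one address every ~5 minutes; ws22 browses example.org irregularly.
SAMPLE_LOG = """
2024-03-04T09:00:00 ws17 203.0.113.10
2024-03-04T09:05:01 ws17 203.0.113.10
2024-03-04T09:10:00 ws17 203.0.113.10
2024-03-04T09:14:59 ws17 203.0.113.10
2024-03-04T09:20:00 ws17 203.0.113.10
2024-03-04T09:00:12 ws22 example.org
2024-03-04T09:03:40 ws22 example.org
2024-03-04T09:31:05 ws22 example.org
2024-03-04T09:32:07 ws22 example.org
2024-03-04T10:15:00 ws22 example.org
""".strip()


def parse_log(text: str) -> dict:
    """Group connection timestamps by (source, destination) pair."""
    sessions = defaultdict(list)
    for line in text.splitlines():
        ts, src, dst = line.split()
        sessions[(src, dst)].append(datetime.fromisoformat(ts))
    return sessions


def find_beacons(text: str, min_events: int = 5, max_jitter: float = 0.1) -> list:
    """Flag (src, dst, mean_interval_s, cv) where the gaps between connections
    are nearly constant: coefficient of variation (stdev / mean) <= max_jitter."""
    hits = []
    for (src, dst), times in parse_log(text).items():
        if len(times) < min_events:
            continue  # too few samples to say anything about regularity
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_jitter:
            hits.append((src, dst, round(mean), round(cv, 3)))
    return hits


if __name__ == "__main__":
    for src, dst, interval, cv in find_beacons(SAMPLE_LOG):
        print(f"possible beacon: {src} -> {dst} every ~{interval}s (cv={cv})")
```

The thresholds are the tunable part: real C2 implants add jitter on purpose, so in practice you raise max_jitter and look at the distribution of gaps rather than a single cutoff. The scenario in the question, by contrast, describes a one-off burst of downloads a week after the phish, which is why the comments below argue about a RAT pulling tools versus a logic bomb rather than periodic beaconing.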
Afel_Null
1 year, 8 months ago
Selected Answer: C
Downloaded files being PE32 suggests a trojan, but why would an attacker wait a week to start it? He would start downloading immediately. I'm going with logic bomb. Transfers all starting exactly after a week is a by-the-books example of logic bomb.
upvoted 6 times
shover
1 year, 8 months ago
As per the Darril Gibson CompTIA study guide, it's common for RATs to have tar.gz file extensions and PE files. It doesn't mention an if/then statement associated with logic bombs.
upvoted 5 times
rline63
1 year, 9 months ago
These questions are so confusing to me. It says a large number of stations started downloading these files suddenly a week after the compromise. It sounds like a logic bomb was set on all of these machines at the same time. I don't know why I would choose RAT over that based on other questions in this guide.
upvoted 1 times
Afel_Null
1 year, 8 months ago
I legit believe the answer for this one is just the one you didn't choose. How are you going to prove to comptia that your answer is correct? Both logic bomb and RAT are equally viable here. You just have to roll the dice.
upvoted 2 times
ThaKyd88
1 year, 8 months ago
Remember they click on an external email which downloaded a malicious file.
upvoted 2 times
predsednik
1 year, 10 months ago
Selected Answer: C
I would go with C here. All victims started downloading PE32 files (which are mostly Windows executable files) a week after they all clicked on a certain MHT, which probably contained malicious time-bomb code that said "Hey you stupid dumb a$$, start downloading this executable when this time condition is met, let it be this Sunday at noon", and everyone who clicked and infected their computer with it started downloading this PE32 file with the executable to perform some other attack. Second, if it was a RAT, why would the attacker wait a week to start the attack? He would probably start the attack as soon as he established a connection with the compromised system. Third, if it was a RAT, how would the attacker simultaneously attack all compromised systems at the same time? I mean, it is very unlikely that an attacker using a RAT is attacking more than one system at a time. So with all of the above said, my educated guess is that this was an MHT file infected with logic-bomb code instructing the compromised system to start downloading a malicious executable file at the set time.
upvoted 4 times
SlySyrup
1 year, 11 months ago
Selected Answer: C
My gut says Logic Bomb simply from this sentence: "While checking logs, a security engineer notices a number of end users suddenly downloading files with the .tar.gz extension.". Execution with no user interaction at exactly the same time a week after the initial download.
upvoted 5 times
ApplebeesWaiter1122
1 year, 11 months ago
Selected Answer: A
Option A, which suggests the installation of a RAT and transfer of additional exploit tools, aligns with the behavior described in the scenario. The end users' workstations being compromised through the infected MHT file could have allowed an attacker to gain unauthorized remote access and control over those systems. The downloaded .tar.gz files could potentially contain the additional exploit tools used by the attacker to further compromise the affected machines or carry out other malicious activities.
upvoted 2 times
LeonardSnart
2 years ago
Selected Answer: A
This question VERY closely mirrors one from the book CompTIA Security+ Get Certified Get Ahead SY0-601 by Darril Gibson with the answers slightly different in a different order, but the answer is RAT. The question from the book "37. Some network appliances monitoring incoming data have recently started sending alerts on potentially malicious files. You discover that these are PE32 files with the tar.gz extension, and they are being downloaded to several user systems. After investigating further, you discover these users previously opened an email with an infected MHT file. Which of the following answers BEST describes this scenario? A. The systems have joined a botnet. B. Users installed ransomware. C. Users installed a RAT, and it is downloading additional tools. D. Shadow IT is running in the network."
upvoted 11 times
LeonardSnart
2 years ago
The answer & explanation from the book (keep in mind C here refers to RAT, the CompTIA question answer equivalent is A) "37. C is correct. This indicates that users installed a remote access Trojan (RAT) when they opened the email containing the malicious MHT file. An MHT file (or MHTML) is a webpage archive, and it will store HTML, CSS, images, JavaScript, and anything else in the webpage. After installing the RAT, attackers later began downloading Portable Executable (PE32) files to the compromised systems. While the systems may have joined a botnet, the scenario doesn’t indicate that they are part of a botnet. Ransomware would indicate that it has controlled the user’s computer or data, but this isn’t indicated in this scenario. Shadow information technology (IT) refers to any unauthorized systems or applications within an organization. See Chapter 6."
upvoted 5 times
indyrckstar
2 years ago
Selected Answer: A
This is RAT
upvoted 1 times
mkapp98
2 years, 2 months ago
A. https://www.bleepingcomputer.com/news/security/new-wsh-rat-malware-targets-bank-customers-with-keyloggers/
upvoted 1 times
Community vote distribution
A (35%)
C (25%)
B (20%)
Other