CompTIA Security+ Exam Question: Analyzing Unwanted File Downloads from Infected Email

Analyzing Unwanted File Downloads from Infected Email


Question

While checking logs, a security engineer notices a number of end users suddenly downloading files with the .tar.gz extension.

Closer examination of the files reveals they are PE32 files.

The end users state they did not initiate any of the downloads.

Further investigation reveals the end users all clicked on an external email containing an infected MHT file with an href link a week prior.

Which of the following is MOST likely occurring?

A. A RAT was installed and is transferring additional exploit tools.

B. The workstations are beaconing to a command-and-control server.

C. A logic bomb was executed and is responsible for the data transfers.

D. A fireless virus is spreading in the local network environment.

A.

Explanations


The scenario describes an incident where multiple end users are downloading files with the .tar.gz extension, which upon examination are found to be PE32 files. It is also revealed that the users clicked on an external email containing an infected MHT file with an href link a week prior. The users claim that they did not initiate any downloads themselves.

Based on this information, the most likely scenario is that a Remote Access Trojan (RAT) has been installed on the users' machines, and is being used to transfer additional exploit tools. A RAT is a type of malware that enables an attacker to take control of a target machine remotely. Once a RAT is installed, the attacker can use it to perform various malicious activities on the compromised system, including transferring additional malware or exploit tools.

The fact that the end users did not initiate the downloads is a further indication that the workstations are being controlled remotely rather than acting on user requests. The PE32 files themselves are Windows executables carrying a .tar.gz extension, a masquerading technique that hides the transfer of additional tooling from users and from simple extension-based filtering; the attackers would use those tools to exploit further vulnerabilities on the compromised systems.
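As an added example (not part of the original question or its explanation), the following Python checks whether a downloaded file's content matches its claimed extension, the mismatch the engineer noticed here, and groups hits by user so the affected workstations can be triaged first. The download records and the PE32/gzip headers are constructed samples, not real malware.

```python
import struct
from collections import defaultdict

# Constructed samples (not real malware): a minimal PE32 header and a genuine gzip
# header, both delivered under a .tar.gz file name as in the scenario.
FAKE_PE32 = (b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40)            # e_lfanew -> 0x40
             + b"PE\x00\x00" + b"\x00" * 20 + struct.pack("<H", 0x10B))  # optional header magic
REAL_GZIP = b"\x1f\x8b\x08\x00" + b"\x00" * 6 + b"stub"

# Content types a given extension is allowed to carry; anything else is masquerading.
EXPECTED = {".tar.gz": {"gzip"}, ".tgz": {"gzip"}, ".gz": {"gzip"},
            ".exe": {"pe32", "pe32+"}, ".dll": {"pe32", "pe32+"}}

def detect_type(data: bytes) -> str:
    """Identify the real file type from magic bytes, ignoring the file name."""
    if data[:2] == b"\x1f\x8b":
        return "gzip"
    if data[:2] == b"MZ" and len(data) >= 0x40:
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]   # offset of the PE signature
        if data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00" and len(data) >= e_lfanew + 26:
            magic = struct.unpack_from("<H", data, e_lfanew + 24)[0]  # optional header magic
            return {0x10B: "pe32", 0x20B: "pe32+"}.get(magic, "pe")
        return "mz-executable"
    return "unknown"

def masquerade(filename: str, data: bytes):
    """Return the actual type when it contradicts the extension, else None."""
    name = filename.lower()
    for ext, allowed in EXPECTED.items():      # ".tar.gz" is checked before ".gz"
        if name.endswith(ext):
            actual = detect_type(data)
            return None if actual in allowed else actual
    return None

def triage(downloads):
    """Group masquerading downloads by user; any user with hits needs host triage."""
    hits = defaultdict(list)
    for user, filename, data in downloads:
        actual = masquerade(filename, data)
        if actual:
            hits[user].append((filename, actual))
    return dict(hits)

# Constructed download records (user, file name, leading bytes) as a proxy or EDR would expose them.
SAMPLE = [("alice", "update-1.tar.gz", FAKE_PE32), ("bob", "backup.tar.gz", REAL_GZIP),
          ("carol", "tools.tar.gz", FAKE_PE32), ("alice", "agent.tar.gz", FAKE_PE32)]

if __name__ == "__main__":
    for user, files in triage(SAMPLE).items():
        print(f"{user}: {len(files)} executable(s) disguised as archives -> {files}")
```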

The other options fit the evidence less well. Beaconing to a command-and-control server (Option B) consists of small, periodic check-ins from the workstation to a remote server; the scenario describes bulk downloads of executables onto the workstations, and no such regular callbacks are indicated. A logic bomb (Option C) is malicious code triggered by a specific event or condition, and it is not typically associated with a sustained series of file downloads. Finally, a "fireless virus" (Option D) is not a term used in the context of malware; the nearest real term, fileless malware, refers to code that runs in memory without writing executables to disk, which does not match the PE32 files being downloaded here.

Therefore, based on the scenario provided, the most likely scenario is that a RAT has been installed on the users' machines, and is being used to transfer additional exploit tools.