CompTIA Security+ (SY0-601) — Question 158

While checking logs, a security engineer notices a number of end users suddenly downloading files with the .tar.gz extension. Closer examination of the files reveals they are PE32 files. The end users state they did not initiate any of the downloads. Further investigation reveals the end users all clicked on an external email containing an infected MHT file with an href link a week prior. Which of the following is MOST likely occurring?

Answer options

• A. A RAT was installed and is transferring additional exploit tools.
• B. The workstations are beaconing to a command-and-control server.
• C. A logic bomb was executed and is responsible for the data transfers.
• D. A fileless virus is spreading in the local network environment

Correct answer: A

Explanation

The correct answer is A because the behavior indicates that a Remote Access Trojan (RAT) has likely been installed on the users' systems, enabling the transfer of additional malicious tools. Options B, C, and D do not align as closely with the evidence of unexpected downloads following the interaction with the infected MHT file.