312-50V10 · Question #909
Security administrator John Smith has noticed abnormal amounts of traffic coming from local computers at night. Upon reviewing, he finds that user data have been exfilltrated by an attacker. AV tools
The correct answer is A. Phishing malware. Phishing malware can abuse trusted, whitelisted applications as its execution vehicle, allowing payloads to run inside processes that bypass application whitelisting and AV detection.
Question
Security administrator John Smith has noticed abnormal amounts of traffic coming from local computers at night. Upon reviewing, he finds that user data have been exfilltrated by an attacker. AV tools are unable to find any malicious software, and the IDS/IPS has not reported on any non- whitelisted programs, what type of malware did the attacker use to bypass the company's application whitelisting?
Options
- APhishing malware
- BZero-day malware
- CFile-less malware
- DLogic bomb malware
How the community answered
(60 responses)- A75% (45)
- B3% (2)
- C7% (4)
- D15% (9)
Why each option
Phishing malware can abuse trusted, whitelisted applications as its execution vehicle, allowing payloads to run inside processes that bypass application whitelisting and AV detection.
Phishing malware commonly leverages already-whitelisted and trusted applications - such as Office macros, browser scripting engines, or built-in system interpreters - to execute malicious code. Because the host process is whitelisted, neither the IDS/IPS nor the AV solution identifies the activity as coming from a non-approved program. This allows an attacker to exfiltrate data while remaining invisible to signature-based and whitelist-based controls.
Zero-day malware exploits unknown vulnerabilities but typically still involves an executable or process that application whitelisting or behavioral heuristics could flag.
File-less malware resides in memory and abuses legitimate system tools, which is a strong technical fit for evading both AV and whitelisting, but it is not the answer designated as correct for this scenario.
Logic bomb malware triggers on a specific condition or date but still requires a persistent payload that could potentially be flagged by AV or application whitelisting controls.
Concept tested: Malware delivery that bypasses application whitelisting
Source: https://attack.mitre.org/techniques/T1566/
Topics
Community Discussion
No community discussion yet for this question.