{
  "query": "Which type of malware masquerades as a legitimate file and then beacons to a command and control server after it is executed?",
  "options": [
    {
      "text": "Macro document virus",
      "explanation": "A macro virus embeds malicious macros into documents and executes when the document macros run.",
      "correct": false,
      "selected": false
    },
    {
      "text": "Trojan horse",
      "explanation": "A Trojan horse pretends to be a legitimate file or program while performing hidden malicious actions after execution.",
      "correct": true,
      "selected": false
    },
    {
      "text": "Backdoor",
      "explanation": "A backdoor provides remote access for attackers but does not necessarily disguise itself as a benign file.",
      "correct": false,
      "selected": false
    }
  ],
  "answer": "<p>The correct answer is <b>Trojan horse</b>.</p><p>A <b>Trojan horse</b> is malware that deliberately disguises itself as a legitimate file or program so a user will run it. After execution it frequently contacts a command and control server to receive instructions or exfiltrate data, and that beaconing behavior after appearing legitimate is the defining trait described in the question.</p><p><i>Macro document virus</i> is incorrect because that term refers to malicious code embedded in document macros that executes when the document is opened. Its defining feature is the use of document macros rather than the specific combination of masquerading as a benign file and then beaconing to a C2 server.</p><p><i>Backdoor</i> is incorrect because a backdoor describes a method for remote access or persistence rather than the initial disguise as a legitimate file. A trojan can install a backdoor and then phone home, but the backdoor label alone does not capture the masquerading behavior in the question.</p>",
  "batch_id": "1996",
  "answerCode": "2",
  "type": "multiple-choice",
  "originalQuery": "Emily, an employee of a law firm, receives an email with an attachment named \"Legal_Document_09082020.zip.\" Inside the archive, there is a file named \"Legal_Document_09082020.zip.exe.\" Without realizing that it's an executable file, Emily proceeds to run it. Subsequently, a window pops up, displaying a notification claiming, \"This document is corrupt.\" Simultaneously, in the background, the malware initiates the process of copying data to the APPDATA\\local directory and starts beaconing to a C2 server to download additional malicious binaries. What type of malware has Emily encountered in this situation?",
  "originalOptions": "A. Key-Logger<br/>B. Worm<br/>C. Macro Virus<br/>D. Trojan",
  "domain": "Reconnaissance Techniques for Ethical Hacking",
  "hasImage": false,
  "queryImage": "",
  "queryImages": [],
  "allImages": [],
  "hasAnyImage": false,
  "deprecatedReference": false,
  "deprecatedMatches": {},
  "hasPre": false,
  "qid": "332s",
  "tip": "<p>Look for keywords like <i>masquerades</i> and <i>beacons</i> or <i>command and control</i> in the question. Those phrases usually point to a trojan that hides as something harmless and then phones home.</p>",
  "references": [
    "<a href=\"https://attack.mitre.org/techniques/T1071/\">MITRE ATT&CK - Command and Control (T1071)</a>",
    "<a href=\"https://www.kaspersky.com/resource-center/threats/trojans\">Kaspersky - What is a Trojan</a>",
    "<a href=\"https://en.wikipedia.org/wiki/Trojan_horse_(computing)\">Wikipedia - Trojan horse (computing)</a>"
  ],
  "video_url": "https://certificationation.com/videos/others/eccouncil/ethical-hacker/eccouncil-receives-an-email-with-an-exam-332.html",
  "url": "https://certificationation.com/questions/others/eccouncil/ethical-hacker/eccouncil-receives-an-email-with-an-exam-332.html"
}