Domain 2: Threats, Vulnerabilities, and Mitigations Module 15 of 61

Malware Types and Indicators of Compromise

Security+ Domain 2 — Threats, Vulnerabilities, and Mitigations C — Malicious Activity and Mitigations 14–18 minutes

What the Exam Is Really Testing

The practical skill here is pattern matching. The exam will describe system behavior — files encrypting themselves, processes hiding from task manager, a device phoning home to an unknown server — and your job is to name the malware type from the behavior alone.

Given a scenario describing suspicious system behavior, identify the malware type involved and recognize the indicators of compromise that reveal the attack.

You won't see malware names in the questions. You'll see symptoms. The faster you can connect behavior to category, the faster you'll work through this section of the exam.


Malware Categories

Ransomware

Ransomware encrypts files or locks systems and demands payment for restoration. It is one of the most financially damaging malware categories and appears frequently on the exam.

Key characteristics:

  • Encrypts files with strong cryptography, making recovery without the key impractical
  • Displays a ransom demand, typically requesting cryptocurrency payment
  • Modern variants exfiltrate data before encryption (double extortion)
  • Often delivered through phishing emails or exploited vulnerabilities
  • Ransomware-as-a-Service (RaaS) platforms lower the skill barrier for attackers

The exam tests both identification and response. The correct response involves isolation, restoration from known-good backups, and incident reporting, not paying the ransom. Payment guarantees neither a working decryptor nor deletion of the stolen data, and restoration only works if the backups were offline or immutable (so the ransomware could not reach them) and are verified clean (so the infection is not restored along with the data).
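When triaging the "files encrypting themselves" symptom, one cheap check a responder can run is whether files have become high-entropy blobs whose bytes no longer match what their extension promises. The following is an added example, not code from the module: the entropy threshold, the abbreviated magic-byte table and the in-memory sample files are all constructed assumptions.

```python
import math
import os
import random
from collections import Counter

# Assumed, abbreviated table of the leading bytes each extension should carry.
MAGIC = {
    ".docx": b"PK\x03\x04",          # Office Open XML files are ZIP containers
    ".xlsx": b"PK\x03\x04",
    ".pdf": b"%PDF-",
    ".png": b"\x89PNG\r\n\x1a\n",
}

# Assumed threshold: ciphertext (and compressed data) approaches 8 bits per byte;
# plain text and uncompressed formats sit well below it.
ENTROPY_THRESHOLD = 7.5


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, 8.0 for perfectly uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def magic_mismatch(name: str, data: bytes) -> bool:
    """True when the extension promises a known header that the bytes do not carry."""
    expected = MAGIC.get(os.path.splitext(name)[1].lower())
    return expected is not None and not data.startswith(expected)


def looks_encrypted(name: str, data: bytes) -> bool:
    """High entropy alone is not enough: a genuine .docx or .png is compressed and
    also scores near 8 bits per byte. Flag a file only when its bytes are high-entropy
    AND either contradict the header its extension promises (encrypted in place) or
    carry an extension we do not know (ransomware usually appends its own, e.g.
    report.docx -> report.docx.locked)."""
    if shannon_entropy(data) < ENTROPY_THRESHOLD:
        return False
    ext = os.path.splitext(name)[1].lower()
    return magic_mismatch(name, data) or ext not in MAGIC


def scan(files: dict) -> list:
    """Names that look encrypted, sorted, for a {name: bytes} mapping."""
    return sorted(name for name, data in files.items() if looks_encrypted(name, data))


def sample_files() -> dict:
    """Constructed in-memory stand-ins for a user's share; not real files."""
    rng = random.Random(7)

    def blob(n: int) -> bytes:          # deterministic ciphertext-like bytes
        return bytes(rng.getrandbits(8) for _ in range(n))

    return {
        "report.docx": b"PK\x03\x04" + blob(4096),                     # compressed, genuine header
        "notes.txt": b"Q3 revenue up 4 percent, costs flat.\n" * 100,  # ordinary text
        "notes.txt.locked": blob(4096),                                # renamed and encrypted
        "budget.xlsx": blob(4096),                                     # encrypted in place, header gone
    }


if __name__ == "__main__":
    for name, data in sample_files().items():
        print(f"{name:18} entropy={shannon_entropy(data):.2f} "
              f"suspicious={looks_encrypted(name, data)}")
```

The genuine .docx scores as high as the encrypted files, which is why the header check matters; production tooling adds rate of change (hundreds of files rewritten within seconds) and canary files on top of this first cut.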

Trojans

Trojans disguise themselves as legitimate software to trick users into installing them. Unlike viruses and worms, trojans do not self-replicate. They rely on social engineering to achieve installation.

Common trojan types include remote access trojans (RATs) that give attackers persistent backdoor access, banking trojans that steal financial credentials, and downloader trojans that install additional malware after initial infection.

Worms

Worms self-replicate and spread across networks without user interaction. They exploit vulnerabilities in network services, operating systems, or applications to propagate automatically.

Worms are distinguished from viruses by their independence — they do not need a host file or user action to spread. A worm can infect an entire network segment in minutes.

Spyware

Spyware secretly monitors user activity and transmits collected data to an attacker. It captures browsing habits, login credentials, financial information, and personal communications.

Spyware often arrives bundled with legitimate software or through malicious advertisements (malvertising).

Bloatware

Bloatware is pre-installed software on new devices that consumes resources and may create security vulnerabilities. While not always malicious, bloatware increases the attack surface, may collect telemetry without clear consent, and often cannot be easily removed.

The exam treats bloatware as a risk management issue rather than a direct threat.

Viruses

Viruses attach to legitimate programs or files and execute when the host program runs. They require user action to activate and spread — opening an infected file, running a compromised program, or booting from infected media.

Virus types include file infectors, boot sector viruses, macro viruses (embedded in documents), and polymorphic viruses (that change their code to evade detection).

Keyloggers

Keyloggers record every keystroke on a compromised system. They capture usernames, passwords, credit card numbers, and any other typed information. Keyloggers can be software-based (installed as malware) or hardware-based (physical devices attached to keyboards).

Logic Bombs

Logic bombs are malicious code embedded in a system that triggers when a specific condition is met — a date, a user action, or the absence of an action (like a specific employee not logging in). Logic bombs are often planted by insiders.

Example: A disgruntled developer inserts code that deletes the production database if their user account is disabled. The logic bomb triggers during their termination. Because the trigger looks like ordinary code, the defenses are process controls: code review, separation of duties so no one person can push unreviewed changes to production, and monitoring for destructive operations rather than trusting that none exist.

Rootkits

Rootkits operate at the deepest system level to hide their presence and maintain persistent access. They modify operating system functions to conceal malicious processes, files, and network connections from detection tools.

Rootkits are extremely difficult to detect because they control the very tools used for detection. Kernel-level rootkits modify OS kernel functions. Bootkits load before the OS, and firmware implants persist below it. The most reliable detection method is booting from trusted external media and scanning the system offline, where the rootkit's hooks are not running. Secure Boot and measured boot (with the TPM recording what was loaded) raise the bar for bootkits, and a cross-view check that enumerates processes or files two different ways can expose a rootkit in place, but a rootkit that hooks both views still wins, which is why the offline scan remains the baseline.
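The offline scan works because it takes the rootkit's hooks out of the picture. A lighter in-place check built on the same idea is cross-view detection, the approach behind tools such as unhide: enumerate processes two different ways and diff the results. The following is an added example, not from the module; it is Linux-specific (it reads /proc), the probe cap is an assumption to keep it fast, and the sets in the test stand in for what a hooked directory listing might return.

```python
import os


def listed_pids(proc_root: str = "/proc") -> set:
    """View 1: PIDs a directory listing of /proc reports. This is what ps, top and
    most agents use, and it is exactly what a kernel rootkit hooking readdir/getdents
    filters to hide a process."""
    return {int(e) for e in os.listdir(proc_root) if e.isdigit()}


def is_thread_group_leader(pid: int, proc_root: str = "/proc") -> bool:
    """Linux hides thread IDs from the /proc listing but still resolves /proc/<tid>;
    without this check every thread of a multithreaded process would look hidden."""
    try:
        with open(os.path.join(proc_root, str(pid), "status")) as f:
            for line in f:
                if line.startswith("Tgid:"):
                    return int(line.split()[1]) == pid
    except OSError:
        return False  # exited between probe and read, or unreadable
    return False


def probed_pids(max_pid: int, proc_root: str = "/proc") -> set:
    """View 2: probe /proc/<pid> for every candidate PID by direct path lookup.
    Path resolution does not go through the directory enumeration the rootkit hooked."""
    found = set()
    for pid in range(1, max_pid + 1):
        path = os.path.join(proc_root, str(pid))
        if os.path.exists(path) and is_thread_group_leader(pid, proc_root):
            found.add(pid)
    return found


def cross_view_diff(listed: set, probed: set) -> set:
    """PIDs reachable by direct probe but absent from the listing: hidden-process candidates."""
    return set(probed) - set(listed)


def read_pid_max(path: str = "/proc/sys/kernel/pid_max") -> int:
    try:
        with open(path) as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return 32768  # classic Linux default


def live_scan(passes: int = 2, probe_cap: int = 65536) -> set:
    """Run the cross-view check on this host. Processes that exit or start between
    the two enumerations create one-off differences, so only PIDs hidden in every
    pass are reported. probe_cap is an assumed limit that keeps the demo quick; a
    real scan must cover the full pid_max, since malware can just as well hold a
    high PID."""
    if not os.path.isdir("/proc"):
        return set()  # not Linux, or no procfs: nothing to compare
    max_pid = min(read_pid_max(), probe_cap)
    hidden = None
    for _ in range(passes):
        try:
            listed = listed_pids()
        except OSError:
            return set()  # procfs not readable in this environment
        diff = cross_view_diff(listed, probed_pids(max_pid))
        hidden = diff if hidden is None else hidden & diff
    return hidden if hidden is not None else set()


if __name__ == "__main__":
    print("hidden PID candidates:", sorted(live_scan()) or "none")
```

A rootkit that also hooks stat/open on /proc defeats this particular pair of views, which is the general lesson: pick views the attacker is unlikely to have hooked consistently, and when in doubt, go offline.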


Indicators of Compromise (IoCs)

Indicators of compromise are observable signs that a security breach has occurred or is in progress. The exam tests your ability to recognize these indicators and connect them to potential threats.

Account-Based Indicators

  • Account lockout — Multiple failed login attempts may indicate brute-force attacks or credential stuffing. The absence of lockouts proves nothing: password spraying tries one common password across many accounts precisely to stay under the lockout threshold, so also watch for failures spread thinly across many accounts
  • Concurrent sessions — The same account logged in from multiple locations simultaneously suggests credential compromise
  • Impossible travel — Logins from geographically distant locations within a timeframe too short for physical travel indicate account compromise. VPN egress points, mobile carrier gateways, and cloud proxies produce the same pattern, so confirm the source before acting on it
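Both account-based indicators above reduce to the same arithmetic: distance between login locations divided by elapsed time, with overlapping session windows as the special case of zero elapsed time. The following is an added example rather than code from the module; the speed and distance thresholds are assumptions, the session records are constructed, and their coordinates are assumed to come from an earlier GeoIP lookup step that is not shown.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt
from typing import Optional

MAX_SPEED_KMH = 1000.0   # assumption: faster than any airliner, so no itinerary explains it
MIN_DISTANCE_KM = 100.0  # assumption: ignore GeoIP jitter between nearby points
SAMPLE_NOW = datetime(2024, 5, 1, 12, 0)  # "now" for the constructed sample


@dataclass
class Session:
    user: str
    start: datetime
    city: str
    lat: float
    lon: float
    end: Optional[datetime] = None  # None while the session is still active


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance on a spherical Earth of radius 6371 km."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlmb = radians(lat2 - lat1), radians(lon2 - lon1)
    h = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def _by_user(sessions) -> dict:
    grouped = defaultdict(list)
    for s in sessions:
        grouped[s.user].append(s)
    for evs in grouped.values():
        evs.sort(key=lambda s: s.start)
    return grouped


def impossible_travel(sessions) -> list:
    """Consecutive logins by one user that would need travel faster than MAX_SPEED_KMH.
    Returns (user, from_city, to_city, km, km_per_hour) tuples."""
    alerts = []
    for user, evs in _by_user(sessions).items():
        for a, b in zip(evs, evs[1:]):
            km = haversine_km(a.lat, a.lon, b.lat, b.lon)
            if km < MIN_DISTANCE_KM:
                continue
            hours = (b.start - a.start).total_seconds() / 3600
            speed = km / hours if hours > 0 else float("inf")
            if speed > MAX_SPEED_KMH:
                alerts.append((user, a.city, b.city, round(km), round(speed)))
    return alerts


def concurrent_sessions(sessions, now: datetime) -> list:
    """Sessions of one user that overlap in time while originating MIN_DISTANCE_KM apart.
    Returns (user, city_a, city_b) tuples."""
    alerts = []
    for user, evs in _by_user(sessions).items():
        for i, a in enumerate(evs):
            a_end = a.end or now
            for b in evs[i + 1:]:
                b_end = b.end or now
                overlap = b.start < a_end and a.start < b_end
                if overlap and haversine_km(a.lat, a.lon, b.lat, b.lon) >= MIN_DISTANCE_KM:
                    alerts.append((user, a.city, b.city))
    return alerts


def sample_sessions() -> list:
    """Constructed sample; coordinates are assumed to be already resolved by GeoIP."""
    def t(h, m=0):
        return datetime(2024, 5, 1, h, m)

    return [
        Session("alice", t(9), "New York", 40.71, -74.01, end=t(17)),
        Session("alice", t(9, 30), "Singapore", 1.35, 103.82),            # still active
        Session("bob", t(8), "London", 51.51, -0.13, end=t(12)),
        Session("bob", t(14), "Paris", 48.86, 2.35, end=t(18)),            # 6 h for ~340 km: fine
        Session("carol", t(10), "Chicago", 41.88, -87.63, end=t(11)),
        Session("carol", t(10, 5), "Chicago", 41.90, -87.70, end=t(12)),   # GeoIP jitter, ignored
    ]


if __name__ == "__main__":
    print("impossible travel:", impossible_travel(sample_sessions()))
    print("concurrent sessions:", concurrent_sessions(sample_sessions(), SAMPLE_NOW))
```

Only alice trips both rules; bob's London-to-Paris afternoon and carol's two nearby Chicago addresses are the kind of benign noise the distance floor exists to absorb. In a real deployment the same GeoIP noise that produces carol's jitter also produces VPN and carrier false positives, so treat a hit as a lead for the analyst, not an automatic lockout.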

Content and Data Indicators

  • Blocked content — Security tools blocking outbound connections to known malicious domains may indicate malware attempting to communicate with command and control servers
  • Published documents — Internal documents appearing on public sites or dark web forums indicate data exfiltration has already occurred

System and Resource Indicators

  • Resource consumption — Unexplained CPU, memory, disk, or network utilization spikes may indicate cryptocurrency mining, data exfiltration, or botnet activity
  • Missing logs — Gaps in log files suggest an attacker deleted evidence of their activity. Log deletion is itself an indicator of compromise: Windows records a cleared Security log as Event ID 1102, and commands that vacuum the journal or truncate files under /var/log deserve the same attention. Rule out log rotation or a forwarding outage before treating a gap as malicious
  • Log anomalies — Unusual entries in logs such as access at odd hours, unfamiliar source IPs, or unexpected privilege use signal potential compromise
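The system and resource indicators above are the ones most easily turned into a detection pass over a log file: silence longer than the host's normal chatter, interactive access outside working hours, logins from outside the corporate range, and commands whose purpose is to erase history. The following is an added example, not the module's own code; the log lines are constructed, and the silence threshold, working hours, internal network range and tamper-command patterns are assumptions to be tuned per host.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Demo assumptions: this host normally logs something at least every 6 hours
# (cron heartbeats), interactive work happens 07:00-19:00 UTC, and 10.0.0.0/8
# is the corporate network. Tune all three per host before relying on them.
MAX_SILENCE = timedelta(hours=6)
WORK_HOURS = range(7, 19)
INTERNAL = ipaddress.ip_network("10.0.0.0/8")

# Commands that erase or truncate history; an assumed, non-exhaustive list.
TAMPER_PATTERNS = [
    re.compile(r"journalctl\s+--vacuum"),
    re.compile(r"\brm\s+(-\w+\s+)*/var/log/"),
    re.compile(r">\s*/var/log/\S+"),        # truncation via shell redirect
    re.compile(r"\bwevtutil\s+cl\b"),        # Windows: clear an event log
    re.compile(r"\bhistory\s+-c\b"),
]

LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+?):\s+(.*)$")
SRC_IP = re.compile(r"\bfrom\s+(\d+\.\d+\.\d+\.\d+)")

# Constructed sample (auth-log style); not captured from a real host.
SAMPLE_LOG = """\
2024-05-01T08:02:11Z host1 cron: (root) CMD (/usr/local/bin/heartbeat)
2024-05-01T09:15:40Z host1 sshd: Accepted password for jsmith from 10.0.1.22
2024-05-01T10:30:05Z host1 sudo: jsmith : COMMAND=/usr/bin/systemctl restart nginx
2024-05-03T11:00:00Z host1 sshd: Accepted password for jsmith from 10.0.1.22
2024-05-03T16:00:02Z host1 cron: (root) CMD (/usr/local/bin/heartbeat)
2024-05-03T21:30:03Z host1 cron: (root) CMD (/usr/local/bin/heartbeat)
2024-05-03T23:47:19Z host1 sshd: Accepted password for admin from 203.0.113.9
2024-05-04T00:02:44Z host1 sudo: admin : COMMAND=/usr/bin/journalctl --vacuum-time=1s
"""


def parse(text: str):
    """Yield (timestamp, host, program, message) for each well-formed line."""
    for raw in text.splitlines():
        m = LINE.match(raw)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m.group(2), m.group(3), m.group(4)


def analyze(text: str) -> dict:
    """Build the four indicator lists from one pass over the log."""
    events = list(parse(text))
    report = {"gaps": [], "off_hours": [], "external_logins": [], "tampering": []}

    # Missing logs: silence longer than the host's normal chatter. Rule out log
    # rotation or a broken forwarder before treating a gap as tampering.
    for (t_prev, *_), (t_next, *_) in zip(events, events[1:]):
        if t_next - t_prev > MAX_SILENCE:
            report["gaps"].append((t_prev, t_next, t_next - t_prev))

    for ts, _host, prog, msg in events:
        interactive = (prog == "sshd" and "Accepted" in msg) or prog == "sudo"
        if interactive and ts.hour not in WORK_HOURS:
            report["off_hours"].append((ts, msg))               # access at odd hours
        if prog == "sshd" and "Accepted" in msg:
            ip = SRC_IP.search(msg)
            if ip and ipaddress.ip_address(ip.group(1)) not in INTERNAL:
                report["external_logins"].append((ts, ip.group(1)))  # unfamiliar source
        if prog == "sudo" and any(p.search(msg) for p in TAMPER_PATTERNS):
            report["tampering"].append((ts, msg))               # log deletion is itself an IoC
    return report


if __name__ == "__main__":
    for key, hits in analyze(SAMPLE_LOG).items():
        print(f"{key}: {len(hits)}")
        for hit in hits:
            print("   ", *hit)
```

The sample reads the way a real incident often does: a two-day hole in the record, then an external login at midnight followed by a command that vacuums the journal. Each indicator alone is explainable; together they are the pattern the exam wants you to recognise.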

Pattern Recognition

When you see a malware identification question, match the behavior to the type:

  1. Does it encrypt files and demand payment? Ransomware
  2. Does it spread by itself across the network? Worm
  3. Does it disguise itself as legitimate software? Trojan
  4. Does it record keystrokes? Keylogger
  5. Does it hide its own processes from detection? Rootkit
  6. Does it trigger on a specific condition? Logic bomb
  7. Does it attach to other programs and need user action? Virus
  8. Does it monitor and exfiltrate user activity? Spyware

For IoC questions, connect the observable behavior to the threat:

  • CPU at 100% with no visible process = cryptocurrency mining (hidden by rootkit)
  • Same user logged in from two countries simultaneously = credential compromise
  • Security logs missing for the last 48 hours = attacker covering tracks
  • Outbound connections to unusual domains being blocked = malware C2 communication

Trap Patterns

Common traps:

  • Confusing worms with viruses. Worms self-replicate independently. Viruses require a host program and user action. If the scenario says it spread without user interaction, it is a worm.
  • Confusing trojans with viruses. Trojans do not self-replicate. They trick users into installing them by appearing legitimate. Viruses attach to existing programs.
  • Treating rootkits as just another malware type. Rootkits are unique because they hide other malware. The exam may describe hidden processes and ask for the specific malware type enabling concealment.
  • Dismissing bloatware as harmless. While less dangerous than other categories, bloatware creates unnecessary attack surface and may have its own vulnerabilities.

Scenario Practice

Question 1

An employee opens an email attachment that appears to be a quarterly report. After opening it, the employee notices nothing unusual. However, the security team later discovers that an unauthorized remote connection has been established from the employee's workstation to an external server, providing the attacker with persistent control.

Which malware type was MOST likely used?

Answer & reasoning

Answer: Trojan (specifically a Remote Access Trojan / RAT)

The malware disguised itself as a legitimate document (quarterly report) and, once installed, established a remote backdoor connection. The user was not aware of any malicious activity because the trojan presented normal-appearing content while secretly installing the RAT.

This is not a worm (it did not self-propagate), not a virus (it did not attach to other programs), and not ransomware (no encryption or ransom demand).


Question 2

A security analyst notices that a user account has active sessions in both New York and Singapore at the same time. The account belongs to an employee based in the New York office who has not traveled recently.

Which indicator of compromise does this represent?

Answer & reasoning

Answer: Impossible travel

Two active sessions from locations that no one could travel between in the elapsed time (here, no time at all) are a strong indicator of credential compromise. Someone else is using the employee's credentials from Singapore.

Note that this module lists both impossible travel and concurrent sessions as indicators, and the scenario touches both. Read the wording: sequential logins too close together for the distance is impossible travel; the same account active in two places at the same moment is concurrent session usage. If both appear as answer choices, pick the one that matches how the scenario is phrased.

The immediate response should be account suspension, password reset, and investigation of the Singapore session for unauthorized activity. A password reset alone does not end a session that is already established, so also revoke active sessions and refresh tokens, then review what the Singapore session accessed.


Question 3

A system administrator discovers that critical system processes are running but are invisible in the task manager and process listing tools. Anti-malware scans from the installed security software report no threats. When the system is booted from a USB drive and scanned externally, multiple malicious files are detected.

Which malware type is responsible for hiding these processes?

Answer & reasoning

Answer: Rootkit

The malware is hiding processes from the OS's own monitoring tools and from security software running on the infected system. Only external scanning (booting from USB) revealed the malware. This is the defining characteristic of a rootkit — it operates at a level that allows it to intercept and modify the results of system queries.

The fact that the installed anti-malware found nothing is consistent with the rootkit subverting OS-level detection; the offline scan from USB, which the rootkit's hooks cannot intercept, is what actually confirms the infection.


Key Takeaway

Malware identification is about behavior, not names. Match what the malware does to its category. Indicators of compromise are the evidence trail that reveals the attack.

Know the behavioral differences: worms spread independently, viruses need hosts, trojans use deception, and rootkits hide everything else. For indicators of compromise, learn to read the signs — impossible travel, missing logs, unexplained resource spikes — because those tell you what happened even when the malware itself stays hidden.

Behavior reveals identity. Indicators reveal compromise.
