To gain an initial foothold within the target infrastructure, APTs drop a malicious program during the point-of-entry step. While there are multiple ways of deploying malicious payloads, the most common are malicious email attachments and exploits against the user’s web browser, embedded in websites the victim usually browses or is forced to browse to. The approach an APT chooses depends on the resources it possesses and the time available for carrying out the attack.
One of the most common approaches to delivering a malicious payload is attaching it to a spear-phishing email. Depending on the sophistication of the APT actors, the attachment might be as simple as macros in a Microsoft Office document or as advanced as a zero-day exploit for specific software. Another common approach to planting malware is attacking the user’s web browser through malicious websites. In this scenario, a website the user usually visits is compromised and the exploit is embedded in it. Alternatively, an arbitrary website can be hijacked or created just for this purpose; the user is then tricked into visiting it, mostly via a spear-phishing email containing a link. In either case, the exploit targets a known or zero-day vulnerability, resulting in malicious code being planted on the target’s computer.
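A mail-gateway check for the macro-bearing Office attachment case described above, written as an added example rather than code from the original text. It assumes OOXML attachments (the zip-based .docx/.docm family), where a VBA project is stored as a vbaProject.bin part, and decides on content rather than on the file name alone; the sample documents are constructed in memory and contain no real macros.

```python
import io
import zipfile

# Constructed sample attachments (no real malware): minimal OOXML zip
# containers, one plain and one carrying a placeholder VBA project part.
def build_ooxml(with_macro: bool) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Real macro-enabled documents store the VBA project here.
            z.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()

# Extensions Office uses for macro-enabled documents.
MACRO_EXTENSIONS = {".docm", ".xlsm", ".pptm", ".dotm", ".xltm"}


def has_vba_project(data: bytes) -> bool:
    """True if the OOXML container holds a vbaProject.bin part in any folder."""
    if not data.startswith(b"PK"):
        return False  # not a zip container; legacy .doc/.xls need OLE parsing instead
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            return any(n.lower().endswith("vbaproject.bin") for n in z.namelist())
    except zipfile.BadZipFile:
        return False


def triage_attachment(filename: str, data: bytes) -> str:
    """Classify an attachment for gateway policy.

    Returns 'macro' when the name or the content indicates a VBA project,
    'extension-mismatch' when the content carries VBA but the name does not
    advertise it (worth a closer look), and 'clean' otherwise.
    """
    ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    macro_inside = has_vba_project(data)
    if macro_inside and ext not in MACRO_EXTENSIONS:
        return "extension-mismatch"
    if macro_inside or ext in MACRO_EXTENSIONS:
        return "macro"
    return "clean"
```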
Finally, while other approaches to delivering the malware exist, the end result is the same: attackers gain control of the victim’s machine. It is worth mentioning that the malware delivery process can be complex, with multiple stages of malicious code being executed. This is mainly done because of the specifics of the payload delivery or in order to bypass security defenses that might detect the initial compromise.