ETDA (Electronic Transactions Development Agency)

Threat Group Cards: A Threat Actor Encyclopedia

APT group: NineBlog

Names: NineBlog (FireEye)
Country: China
Motivation: Information theft and espionage
First seen: 2013
Description: (FireEye) FireEye has been tracking ongoing activity associated with a unique and relatively stealthy group we first identified in 2013 using the name “APT.NineBlog.” The name NINEBLOG refers to a specific backdoor used by the threat group; some versions of the backdoor use the string ‘nineblog’ in their command and control (CnC) URI path.

We have observed this group targeting organizations primarily in South Asia and the Middle East. The threat group is notable because it employs Visual Basic Scripts (VBScripts) as a backdoor, a tactic we do not often observe. The group can maintain a low profile probably because the VBScripts are small and stealthy in their execution. The NINEBLOG malware is difficult to detect because the VBScripts are encoded and the actors employ SSL network communications. We have observed intermittent activity from this group since we first identified it in 2013, and we saw a spike in activity during mid-2015.

We assess that one of the probable targets of the group’s 2015 campaign is a Southeast Asian government, based on the specificity of some of the decoy documents.

In addition to the anti-analysis techniques, the group has used SSL communications since we first identified this activity in 2013. The use of encrypted SSL traffic makes it extremely difficult to develop network-based signatures to detect the malware’s communications.
Observed sectors: Government.
Observed countries: South Asia, Southeast Asia and Middle East.
Tools used: NineBlog.

Last change to this card: 01 May 2020
