Analysis of the Tibia spam campaign

Wikia receives a healthy dose of spam each day, most of which does not merit any examination beyond the ordinary glance at the page before hitting “Delete.”  In the case of an apparently targeted spam inflow on Tibia-related wikis, several interesting factors make it worthy of a closer look:

  • The spam activity is heavily focused on Tibia users,
  • The campaign is used to deliver malware,
  • The campaign uses a variety of techniques to fulfill its purpose,
  • Those performing it are likely to be people and not automated software.


Fake download screens mimicking the download pages of Flash and Java are used to deceive the users.
Sample of a fake download screen image used to deceive the user into clicking the link.

Dating back to 2011, we have observed a noticeable amount of spam targeted specifically at wikis related to the popular massively-multiplayer online game Tibia. This is a good example of a “watering hole” attack, in which attackers seed malware on sites the target audience is likely to visit.

The actual malware is delivered by replacing page contents with a prewritten message and an external link pointing to a Windows executable. The message uses social engineering techniques to trick the user into downloading the software, advertised as Tibia Viewer, Adobe Flash, or Java. The primary targets appear to be Spanish-speaking Tibia users.

The download link is generally obfuscated using URL shortening services, and points to domains hosted primarily at Hetzner Online AG and OVH. The hosts share the common feature that they do not serve an index page to viewers, and appear to have a basic handcrafted interface when viewing the file pages. urlQuery statistics indicate that at least one,, is actively reused in other campaigns outside Wikia.

Some of these domains are listed below:

The servers used by the attackers feature very basic interfaces for file management.
Screenshot of a file page.

Once the executable is run, it runs a downloaded Java archive file, creating a process identifying itself as the Adobe Flash installer, and sets up a persistent keylogger. According to the VirusTotal scan of one of the executables, the code was most likely re-used from another source. The overall detection rate by command-line scanners is low, although intrusion detection systems commonly bundled with today’s security software are likely to detect the malicious intent.
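The edit pattern described above (page contents replaced by a prewritten lure plus a new external link, usually shortened, to a Windows executable) can be screened for when an edit is saved. The following is an added example, not code from Wikia or from the original article; the shortener list, the 20% retained-content threshold, the `wikia.com` own-host default and the sample revisions are assumptions made for illustration.

```python
import re
from urllib.parse import urlparse

# Assumed values for illustration; the page names no specific shorteners.
SHORTENERS = {"bit.ly", "goo.gl", "tinyurl.com"}
# Lure names taken from the article's description of the spam message.
LURE_RE = re.compile(r"\b(tibia viewer|adobe flash|java)\b", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s\[\]<>|]+", re.IGNORECASE)

def external_links(wikitext, own_hosts):
    """Return the set of (host, path) pairs for links that leave the wiki."""
    links = set()
    for raw in URL_RE.findall(wikitext):
        parsed = urlparse(raw.rstrip(".,;)"))
        host = (parsed.hostname or "").lower()
        if host and not any(host == h or host.endswith("." + h) for h in own_hosts):
            links.add((host, parsed.path.lower()))
    return links

def score_edit(old_text, new_text, own_hosts=("wikia.com",)):
    """List the ways an edit resembles the replace-and-link spam pattern."""
    added = external_links(new_text, own_hosts) - external_links(old_text, own_hosts)
    if not added:
        return []  # no new outbound link, so nothing is being delivered
    reasons = []
    old_lines = {ln.strip() for ln in old_text.splitlines() if ln.strip()}
    new_lines = {ln.strip() for ln in new_text.splitlines() if ln.strip()}
    if old_lines and len(old_lines & new_lines) / len(old_lines) < 0.2:
        reasons.append("page content replaced")
    if any(host in SHORTENERS for host, _ in added):
        reasons.append("new link through URL shortener")
    if any(path.endswith(".exe") for _, path in added):
        reasons.append("new link to Windows executable")
    if LURE_RE.search(new_text):
        reasons.append("software-download lure wording")
    return reasons

def should_hold(old_text, new_text):
    """Hold for human review when a replacement coincides with another signal."""
    reasons = score_edit(old_text, new_text)
    return "page content replaced" in reasons and len(reasons) >= 2

# Constructed sample revisions (not taken from the campaign).
OLD = "'''Dragon''' is a creature.\n== Abilities ==\nFire wave.\n== Loot ==\nGold coins.\n"
SPAM = "Necesitas actualizar Adobe Flash.\n[http://bit.ly/EXAMPLE Descargar]\n"
GOOD = OLD + "See also [http://example.org/dragons an external bestiary].\n"

if __name__ == "__main__":
    for name, new in (("spam", SPAM), ("good", GOOD)):
        print(name, should_hold(OLD, new), score_edit(OLD, new))
```

Because the campaign appears to be run by people rather than automated software, a heuristic like this is best used to queue edits for review rather than to reject them outright.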

The actors

Based on the location of the servers, the IPs, usernames and summaries used and the domains selected, the people behind the campaign are likely to be of Polish origin, editing from at least two Polish ISPs. The erratic use of open proxies and other factors appear to confirm that the campaign is not performed by automated software.