Hackers Create Malicious Dota 2 Game Modes to Secretly Access Players’ Systems

February 13, 2023 | Ravie Lakshmanan | Game Hacking / Cyber Threat


An unknown attacker may have created malicious game modes for the Dota 2 multiplayer online battle arena (MOBA) video game and used them to establish backdoor access to players’ systems.

These modes exploited a high-severity flaw in the V8 JavaScript engine tracked as CVE-2021-38003 (CVSS score: 8.8). This was exploited as a zero-day and was addressed by Google in October 2021.

“Because V8 was not sandboxed with Dota, an exploit alone allowed remote code execution against other Dota players,” Avast researcher Jan Vojtěšek said in a report published last week.

Following responsible disclosure to Valve, the game publisher shipped the fix on January 12, 2023 by upgrading its version of V8.

Game Modes are essentially custom features that can extend existing titles or offer entirely new gameplay in ways that deviate from the standard rules.

Publishing a custom game mode to the Steam store involves a review process by Valve, but a malicious game mode discovered by an antivirus vendor managed to slip through the cracks.

These game modes, which have since been removed, are ‘test addon plz ignore’, ‘Overdog no nasty hero’, ‘Custom Hero Brawl’, and ‘Overthrow RTZ Edition X10 XP’. The threat actor is also said to have published a fifth game mode named Brawl in Petah Tiqwa. This mode does not contain malicious code.

Embedded within “test addon plz ignore” is an exploit for the V8 flaw that can be weaponized to execute custom shellcode.

The other three, on the other hand, take a more covert approach in that malicious code is designed to access remote servers and fetch JavaScript payloads. The server is no longer reachable.

In a hypothetical attack scenario, a player launching any of the above game modes could be targeted by an attacker, who could then gain remote access to the infected host and deploy additional malware for further exploitation.

It’s not immediately clear what the ultimate goal of whoever created the game modes was, but Avast points out that it is unlikely to have been benign research.

“First, the attacker did not report the vulnerability to Valve (which is generally considered a good thing),” Vojtěšek said. “Second, the attackers tried to hide the exploit behind a secret backdoor.”

“It’s also possible that the attacker wasn’t purely malicious anyway. Such an attacker could definitely exploit this vulnerability to have much greater impact.”
