Dota 2, the multiplayer online battle arena (MOBA) computer game, featured malicious game modes designed by an unidentified threat actor that may have been used to get backdoor access to users’ computers.

The modes used a zero-day vulnerability in the V8 JavaScript engine that was tracked as CVE-2021-38003 (CVSS score: 8.8) and patched by Google in October 2021.

According to a study published last week by Avast researcher Jan Vojtek, “Since V8 was not sandboxed in Dota, the attack by itself allowed for remote code execution against other Dota players.”

Following responsible disclosure to Valve, the game publisher distributed fixes on January 12, 2023, by updating the version of V8.

Game modes are custom features that can either be added to an existing game or provide entirely new gameplay that deviates from the standard rules.

The malicious game modes found by the antivirus provider managed to evade detection despite Valve’s screening process for distributing custom game modes to the Steam store.

The game modes in question, “test addon plz ignore,” “Overdog no irritating heroes,” “Custom Hero Brawl,” and “Overthrow RTZ Edition X10 XP,” have now been removed. The threat actor is also alleged to have released a game mode named “Brawl in Petah Tiqwa,” which contained no malicious code.

Custom Hero Brawl

An exploit for the V8 vulnerability is embedded in “test addon plz ignore” and can be used to execute custom shellcode.

The three other game modes, on the other hand, take a stealthier approach. Their malicious code is designed to connect to a remote server and retrieve a JavaScript payload. That payload is also probably an exploit for CVE-2021-38003, although this could not be confirmed because the server is no longer reachable.

The Issues

In a potential attack scenario, a threat actor could target a player who launches one of the game modes mentioned above, gain remote access to the infected system, and deploy additional malware for further exploitation.

Although the developer’s ultimate objectives for the game modes are currently unknown, Avast noted that they are not likely to be innocuous research objectives.

Vojtek noted, first, that the attacker did not notify Valve of the vulnerability, which would generally be considered the courteous thing to do. “Second, the attacker sought to conceal the exploit in a covert backdoor,” the report continued.

However, it is also conceivable that the attacker’s intentions were not purely malicious, since such an attacker could arguably have exploited this vulnerability to much more significant effect.