An unknown risk actor created malicious recreation modes for the Dota 2 multiplayer on-line battle area (MOBA) online game that would have been exploited to ascertain backdoor entry to gamers’ programs.
The modes exploited a high-severity flaw within the V8 JavaScript engine tracked as CVE-2021-38003 (CVSS rating: 8.8), which was exploited as a zero-day and addressed by Google in October 2021.
“Since V8 was not sandboxed in Dota, the exploit by itself allowed for distant code execution in opposition to different Dota gamers,” Avast researcher Jan Vojtěšek stated in a report printed final week.
Following accountable disclosure to Valve, the sport writer shipped fixes on January 12, 2023, by upgrading the model of V8.
Recreation modes are basically customized capabilities that may both increase an current title or provide fully new gameplay in a fashion that deviates from the usual guidelines.
Whereas publishing a customized recreation mode to the Steam retailer features a vetting course of from Valve, the malicious recreation modes found by the antivirus vendor managed to slide by the cracks.
These recreation modes, which have since been taken down, are “check addon plz ignore,” “Overdog no annoying heroes,” “Customized Hero Brawl,” and “Overthrow RTZ Version X10 XP.” The risk actor can be stated to have printed a fifth recreation mode named Brawl in Petah Tiqwa that didn’t pack any rogue code.
Embedded inside “check addon plz ignore” is an exploit for the V8 flaw that could possibly be weaponized to execute customized shellcode.
The three others, alternatively, take a extra covert strategy in that the malicious code is designed to achieve out to a distant server to fetch a JavaScript payload, which can be more likely to be an exploit for CVE-2021-38003 for the reason that server is not reachable.
In a hypothetical assault situation, a participant launching one of many above recreation modes could possibly be focused by the risk actor to realize distant entry to the contaminated host and deploy extra malware for additional exploitation.
It is not instantly identified what the developer’s finish objectives have been behind creating the sport modes, however they’re unlikely to be for benign analysis functions, Avast famous.
“First, the attacker didn’t report the vulnerability to Valve (which might usually be thought of a pleasant factor to do),” Vojtěšek stated. “Second, the attacker tried to cover the exploit in a stealthy backdoor.”
“Regardless, it is also attainable that the attacker did not have purely malicious intentions both, since such an attacker might arguably abuse this vulnerability with a a lot bigger influence.”
