An unknown threat actor created malicious game modes for the Dota 2 multiplayer online battle arena (MOBA) video game that could have been exploited to establish backdoor access to players’ systems.
The modes exploited a high-severity flaw in the V8 JavaScript engine tracked as CVE-2021-38003 (CVSS score: 8.8), which was exploited as a zero-day and addressed by Google in October 2021.
“Since V8 was not sandboxed in Dota, the exploit on its own allowed for remote code execution against other Dota players,” Avast researcher Jan Vojtěšek said in a report published last week.
Following responsible disclosure to Valve, the game publisher shipped fixes on January 12, 2023, by upgrading the version of V8.
Game modes are essentially custom capabilities that can either augment an existing title or offer completely new gameplay in a manner that deviates from the standard rules.
While publishing a custom game mode to the Steam store includes a vetting process from Valve, the malicious game modes discovered by the antivirus vendor managed to slip through the cracks.
These game modes, which have since been taken down, are “test addon plz ignore,” “Overdog no annoying heroes,” “Custom Hero Brawl,” and “Overthrow RTZ Edition X10 XP.” The threat actor is also said to have published a fifth game mode named Brawl in Petah Tiqwa that did not pack any rogue code.
Embedded inside “test addon plz ignore” is an exploit for the V8 flaw that could be weaponized to execute custom shellcode.
The three others, on the other hand, take a more covert approach in that the malicious code is designed to reach out to a remote server to fetch a JavaScript payload, which is also likely to be an exploit for CVE-2021-38003 since the server is no longer reachable.
In a hypothetical attack scenario, a player launching one of the above game modes could be targeted by the threat actor to achieve remote access to the infected host and deploy additional malware for further exploitation.
It’s not immediately known what the developer’s end goals were behind creating the game modes, but they are unlikely to be for benign research purposes, Avast noted.
“First, the attacker did not report the vulnerability to Valve (which would generally be considered a nice thing to do),” Vojtěšek said. “Second, the attacker tried to hide the exploit in a stealthy backdoor.”
“Regardless, it’s also possible that the attacker didn’t have purely malicious intentions either, since such an attacker could arguably abuse this vulnerability with a much larger impact.”
