Several security researchers identified that malicious game mods of Dota 2 served as a potential threat to backdoor the player systems.
A suspicious attacker came up with the four-game mods in relation to the popular Dota 2 multiplayer online battle arena video game. He published it on the steam store to target most game fans as identified by the Threat Lab Researchers.
Researcher of Avast Malware stated, “These game modes were named Overdog no annoying heroes (id 2776998052), Custom Hero Brawl (id 2780728794), and Overthrow RTZ Edition X10 XP (id 2780559339).”
T&Cs Apply, 18+ Only.
The attacker also specified the new file known as evil.lua, which is utilized to test server-side Lua execution capabilities. Such malicious snippets might be linked to logging the execution of arbitrary system commands that end up in creating coroutines and posting HTTP GET requests.
Though the threat actor helps in the early detection of the bundled backdoor for the first game mode out on Steam Store, the twenty malicious code lines and game modifications were unable to identify.
Backdoor has helped the threat actor with the remote execution of commands related to the infected devices that foster malware installation on the device.
Vojtěšek mentioned, “This backdoor permits the execution of any JavaScript acquired through HTTP, providing the attacker the power to conceal and modify the exploit code at their discretion without undergoing the game mode verification process, which can be dangerous, and updating the entire custom game mode.”
Lua Backdoor Code Launched on Dota 2 Game Servers
Using a backdoor at the players’ compromised systems resulted in a download of the Chrome exploits for abuse in the wild.
The tentatively targeted vulnerability stands at CVE-2021-38003, a massive security flaw evident in Google’s V8 JavaScript and even the WebAssembly engine, which was exploited in Zero-day attacks and mended by October 2021.
Vojtěšek further added, “Since V8 was not sandboxed in Dota, the exploit on its own allowed for remote code execution against other Dota players.”
The JavaScript exploit for the CVE-2021-38003 got injected using the legitimate file subject to the game’s scoreboard functionality which is hard to detect.
T&Cs Apply, 18+ Only.
Avast further reported its findings to the Dota 2MOBA gaming developer, Valve, who updated the vulnerability of the V8 version on Jan 12, 2023. Before this, Dota 2 made use of the v8.dll version that was compiled in December 2018.
Recently, the GTA’s Developer Rockstar Games made a security update relevant to addressing the Grand Theft Auto online issue as soon as possible!