Malicious Dota 2 game modes infected players with malware

Gandalf_The_Grey

Security researchers have discovered four malicious Dota 2 game modes that were used by a threat actor to backdoor the players' systems.

The unknown attacker created four game modes for the highly popular Dota 2 multiplayer online battle arena video game and published them on the Steam store to target the game's fans, as Avast Threat Labs researchers found.

"These game modes were named Overdog no annoying heroes (id 2776998052), Custom Hero Brawl (id 2780728794), and Overthrow RTZ Edition X10 XP (id 2780559339)," Avast malware researcher Jan Vojtěšek said.

The attacker also included a new file named evil.lua that was used to test server-side Lua execution capabilities. This malicious snippet could be used for logging, executing arbitrary system commands, creating coroutines, and making HTTP GET requests.

While the threat actor made it very easy to detect the bundled backdoor in the first game mode published on the Steam Store, the twenty lines of malicious code included with the three newer game modes were much harder to spot.

The backdoor enabled the threat actor to remotely execute commands on the infected devices, potentially allowing the installation of further malware on the device.

The targeted vulnerability is CVE-2021-38003, a high-severity security flaw in Google's V8 JavaScript and WebAssembly engine, exploited in attacks as a zero-day and patched in October 2021.

"Since V8 was not sandboxed in Dota, the exploit on its own allowed for remote code execution against other Dota players," Vojtěšek added.

The JavaScript exploit for CVE-2021-38003 was injected into a legitimate file that added scoreboard functionality to the game, likely to make it harder to detect.

Avast reported their findings to Valve, the Dota 2 MOBA game developer, who updated the vulnerable V8 version on January 12, 2023. Before this, Dota 2 used a v8.dll version compiled in December 2018.

Valve also took down the malicious game modes and alerted all players impacted by the attack.
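As an added example, not code from the article, from Avast, or from Valve: a defender-side triage script that scans the Lua files bundled with a custom game mode for the construct classes the article attributes to the backdoor (OS command execution, dynamic code loading, coroutines, HTTP requests). The rule names, both sample scripts, and the `CreateHTTPRequest`-style HTTP pattern are assumptions made here; the idea is that a tacked-on tail of a dozen lines in an otherwise plausible scoreboard file stands out once each file is reduced to the risky calls it makes.

```python
"""Static triage of Lua scripts shipped with a custom game mode.

Added example; not the article's, Avast's or Valve's code. Flags lines that
call into the construct classes the article describes (command execution,
dynamic loading, coroutines, HTTP). Samples below are constructed; the HTTP
rule assumes the engine exposes a CreateHTTPRequest-style function.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    file: str
    line: int
    category: str
    snippet: str


# Each rule maps a category to a regex evaluated per source line.
RULES = {
    "os_command": re.compile(r"\b(os\.execute|io\.popen)\s*\("),
    "dynamic_load": re.compile(r"\b(load|loadstring|dofile)\s*\("),
    "coroutine": re.compile(r"\bcoroutine\.(create|wrap)\s*\("),
    # Assumed API name; adjust to whatever HTTP entry point the engine offers.
    "http": re.compile(r"\b(CreateHTTPRequest\w*|http\.request)\s*\("),
}

_COMMENT = re.compile(r"--.*$")  # trailing Lua line comment

# Constructed sample: an ordinary scoreboard helper, no findings expected.
BENIGN_LUA = """\
-- scoreboard.lua: refresh the custom scoreboard
function UpdateScoreboard(players)
    for _, p in ipairs(players) do
        print(p.name, p.kills)
    end
end
"""

# Constructed sample of the pattern class the article describes:
# a short tail doing command execution, a coroutine and an HTTP call.
SUSPICIOUS_LUA = """\
-- constructed: looks like scoreboard glue, with a backdoor-style tail
local r = os.execute("echo hi")
coroutine.create(function() return r end)
local req = CreateHTTPRequest("GET", "http://example.invalid/beacon")
"""


def scan_lua(source: str, filename: str) -> list[Finding]:
    """Return one Finding per (line, rule) hit, ignoring commented-out code."""
    findings = []
    for lineno, raw in enumerate(source.splitlines(), start=1):
        code = _COMMENT.sub("", raw)
        for category, pattern in RULES.items():
            if pattern.search(code):
                findings.append(Finding(filename, lineno, category, raw.strip()))
    return findings


def categories(findings: list[Finding]) -> list[str]:
    """Distinct categories hit, sorted for stable reporting."""
    return sorted({f.category for f in findings})


def scan_game_mode(files: dict[str, str]) -> dict[str, list[Finding]]:
    """Scan every Lua file of a game mode; keep only files with findings."""
    report = {}
    for name, src in files.items():
        hits = scan_lua(src, name)
        if hits:
            report[name] = hits
    return report


if __name__ == "__main__":
    bundle = {"scoreboard.lua": BENIGN_LUA, "evil.lua": SUSPICIOUS_LUA}
    for name, hits in scan_game_mode(bundle).items():
        print(f"{name}: {categories(hits)}")
        for h in hits:
            print(f"  line {h.line} [{h.category}] {h.snippet}")
```

A hit is a triage lead, not a verdict: legitimate game logic may use coroutines or HTTP, so the useful signal is the combination (command execution plus an outbound request in a file whose name promises a scoreboard) and a diff against the version of the game mode that was last reviewed.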