Avast researchers warned that they detected four malicious Dota 2 game mods that attackers used to inject backdoors into players’ systems.
The researchers say that the authors of the malicious mods did not distribute them through themed forums or other channels, but published them directly on Steam in an attempt to attract players’ attention. The mods were called Overdog no annoying heroes (id 2776998052), Custom Hero Brawl (id 2780728794), and Overthrow RTZ Edition X10 XP (id 2780559339). A fourth mod, test addon plz ignore (id 1556548695), carried no real payload, which suggests the attackers used it only to test their attack.
“Before the mod can be used by regular players, it must be published on the Steam store. The publishing process includes review by Valve. While in theory this helps weed out some malicious mods, no verification process is perfect, and at least four malicious mods have managed to get past it. We believe that the review process is mainly used for moderation to prevent inappropriate content from being posted. There are many ways to hide a backdoor in the code, and it will take a very long time to try to find them all during the verification process,” the experts explain.
Besides the backdoor, the attacker embedded a file called evil.lua in the mods, which was used to test whether Lua code could be executed on the server side. This malicious snippet could be used for logging, executing arbitrary commands, creating coroutines, and sending HTTP GET requests.
Avast analysts reported their discovery to Valve, which updated the vulnerable version of V8 on January 12, 2023. Valve has also removed the malicious game mods from Steam and warned all players affected by this attack.