Security researchers have discovered four malicious custom game modes for the popular MOBA Dota 2 that a threat actor used to backdoor players' systems. The attacker published the game modes on Steam; the first one included a file named evil.lua that tested whether server-side Lua execution was viable. The snippet could write log output, run arbitrary system commands, create coroutines, and send HTTP GET requests. The malicious code in the three later game modes was harder to spot than the backdoor packed into the first one. The backdoor let the threat actor execute commands remotely on infected machines and potentially install further malware. It was also used to fetch an exploit for CVE-2021-38003, a vulnerability in the V8 JavaScript engine that Google patched in Chrome in October 2021 after it was found being exploited as a zero-day; Dota 2 still shipped an outdated V8 build in which the bug was unpatched. The exploit was hidden inside a legitimate-looking file that adds scoreboard features to the game, which made it difficult to find. Valve, the developer of Dota 2, was informed of the findings and updated the vulnerable V8 build in January 2023. It also removed the malicious game modes and notified the affected players, fewer than 200 in total.
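The capability probe described above (logging, system commands, coroutines, HTTP GET) is exactly the kind of thing a reviewer of custom game modes would want to catch before publication. The following static triage scan is an added example written for this page; it is not code from the article, from the researchers, or from Valve. It strips Lua comments so commented-out calls do not produce false hits, flags the dangerous standard-library calls by severity, and reduces a whole game mode's scripts to a verdict. The sample Lua files are constructed for the example and are not the real evil.lua, and the HTTP function name CreateHTTPRequestScriptVM is an assumption about Valve's Lua API; the article does not name it.

```python
import re
from typing import Dict, List, Tuple

# Call patterns worth flagging in a custom game mode's Lua scripts, with a
# severity each. os.execute and io.popen spawn system commands; load and
# loadstring evaluate code assembled at runtime (e.g. fetched over HTTP).
# coroutine.* is benign on its own, so it only rates "low"; it is listed
# because the probe described in the article used it alongside the others.
SUSPICIOUS_PATTERNS: Dict[str, Tuple[str, str]] = {
    "os.execute": (r"\bos\.execute\s*\(", "high"),
    "io.popen": (r"\bio\.popen\s*\(", "high"),
    "load/loadstring": (r"\b(?:load|loadstring)\s*\(", "high"),
    "dofile": (r"\bdofile\s*\(", "medium"),
    # Assumption: Valve's Lua API exposes HTTP requests through a function
    # named CreateHTTPRequestScriptVM. The article does not name the API.
    "http request": (r"\bCreateHTTPRequestScriptVM\s*\(", "medium"),
    "coroutine": (r"\bcoroutine\.(?:create|wrap)\s*\(", "low"),
}
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3}

_BLOCK_COMMENT = re.compile(r"--\[(=*)\[.*?\]\1\]", re.S)
_LINE_COMMENT = re.compile(r"--[^\n]*")


def strip_lua_comments(src: str) -> str:
    """Blank out Lua block (--[[ ]]) and line (--) comments, keeping line
    numbers stable so commented-out calls do not produce false hits."""
    src = _BLOCK_COMMENT.sub(lambda m: "\n" * m.group(0).count("\n"), src)
    return _LINE_COMMENT.sub("", src)


def scan_lua_source(name: str, src: str) -> List[dict]:
    """Return one finding per (line, pattern) hit in a single Lua file."""
    findings = []
    for line_no, line in enumerate(strip_lua_comments(src).splitlines(), 1):
        for label, (pattern, severity) in SUSPICIOUS_PATTERNS.items():
            if re.search(pattern, line):
                findings.append({"file": name, "line": line_no, "call": label,
                                 "severity": severity, "text": line.strip()})
    return findings


def triage_game_mode(files: Dict[str, str]) -> dict:
    """Scan every script of a game mode and reduce the hits to a verdict:
    any "high" hit blocks the mode, "medium" sends it to manual review,
    "low" alone is reported but does not change the verdict."""
    findings = [f for name, src in files.items() for f in scan_lua_source(name, src)]
    worst = max((SEVERITY_RANK[f["severity"]] for f in findings), default=0)
    verdict = {0: "clear", 1: "clear", 2: "review", 3: "block"}[worst]
    return {"verdict": verdict, "findings": findings}


# Constructed sample input, not the real evil.lua: a capability probe written
# in the style the article describes, plus a harmless scoreboard helper whose
# only os.execute sits inside a block comment and must not be flagged.
SAMPLE_MODE_FILES = {
    "scripts/vscripts/probe.lua": '''
local function log(msg) print("[probe] " .. msg) end
log("lua alive")
local co = coroutine.create(function() log("in coroutine") end)
coroutine.resume(co)
os.execute("whoami")
-- CreateHTTPRequestScriptVM("GET", "http://example.invalid/beacon")  disabled copy
local req = CreateHTTPRequestScriptVM("GET", "http://example.invalid/beacon")
''',
    "scripts/vscripts/scoreboard.lua": '''
--[[ Scoreboard helpers
     os.execute("never runs, this is inside a block comment") ]]
local function fmt_kda(k, d, a) return string.format("%d/%d/%d", k, d, a) end
return { fmt_kda = fmt_kda }
''',
}

if __name__ == "__main__":
    report = triage_game_mode(SAMPLE_MODE_FILES)
    print("verdict:", report["verdict"])
    for f in report["findings"]:
        print(f"{f['severity']:>6}  {f['file']}:{f['line']}  {f['call']}  {f['text']}")
```

Run against the constructed sample, the probe file yields three hits (the coroutine on line 4, os.execute on line 6 and the live HTTP request on line 8, while the commented-out copy on line 7 is ignored) and the scoreboard file yields none, so the mode as a whole is rated "block". A pattern scan like this is a first filter, not a proof of safety: obfuscated code that builds the call name at runtime, or an exploit hidden in a JavaScript UI file as the article describes, needs dynamic analysis or a review of the embedded engine version instead.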
This Cyber News was published on heimdalsecurity.com. Publication date: Thu, 09 Feb 2023 09:44:03 +0000