The vulnerability, tracked as CVE-2021-38003, was in the JavaScript engine built into Dota 2, known as V8. However, Google patched this vulnerability in October 2021, and Valve, the developer of Dota 2, did not fix it. update their software to last month.
Avast researcher Jan Vojtěšek explained in an email how this backdoor works:
-
The victim enters the game by playing one of the malicious game modes.
-
The game loads as expected, but in the background malicious JavaScript is accessing the game mode server.
-
The game mode server code contacts the backdoor’s C&C server, downloads a piece of JavaScript code (probably an exploit for CVE-2021-38003), and returns the downloaded code to the victim.
-
The victim dynamically executes the loaded JavaScript. If this were an exploit for CVE-2021-38003, it would have caused malicious code to be executed on the victim’s machine.
Source: Ferra
I am a professional journalist and content creator with extensive experience writing for news websites. I currently work as an author at Gadget Onus, where I specialize in covering hot news topics. My written pieces have been published on some of the biggest media outlets around the world, including The Guardian and BBC News.
