An in-depth forensic analysis of how a seemingly legitimate Proof-of-Concept (PoC) for CVE-2020-35489 turned out to be a cleverly disguised malware. This blog post details the attack vector, payload deobfuscation, Indicators of Compromise (IoCs), and the steps taken to analyze and neutralize the threat.
Never, EVER, do anything security-related while sleep-deprived, drunk, high, having sex, or all of the above.
After that… no, don’t trust. Zero trust.
There are basic hygiene measures for running anything related to any exploit, including “just” PoCs, scaled to how bad a total pwn would be:
Reading through the code is nice, and should be done anyway from an educational point of view… but even when “sure”, basic hygiene still applies.
Keeping tokens in one VM (or a few), while running the exploit in another, is also a good idea. Stuff like “Windows → WSL2 → Docker” works wonders (but beware of VSCode’s pass-through containers). Bonus points if passkeys and a fingerprint reader get involved. Extra bonus points for logging out before testing (if it asks to unlock any passkey… well, don’t), then logging out again afterwards.
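As an added example (not code from this post), here is a small pre-run triage that covers both points above: a static pass over a downloaded “PoC” for the kind of constructs one reads the code for (dynamic execution, long base64 or hex blobs), and a check of what the current session would hand to that script if run as-is (token-looking environment variables, credential files under the home directory). The indicator lists, the environment-variable names and the sample script are constructed assumptions for illustration, not the IoCs or the payload of the PoC the post analyses.

```python
"""Pre-run triage for an untrusted PoC checkout.
Added example, not code from the original post; indicator lists and the
sample script are constructed assumptions, not the post's IoCs."""
import base64
import binascii
import re
import tempfile
from pathlib import Path
from typing import Dict, List, Optional, Tuple, Union

# Assumed generic markers of a payload hiding inside a "PoC" script.
DYNAMIC_EXEC = re.compile(
    r"\b(?:eval|exec|compile)\s*\(|\bsubprocess\.|\bos\.system\b"
    r"|base64\.b64decode|__import__\s*\(|\bcurl\b.*\|\s*(?:sh|bash)\b"
)
LONG_B64 = re.compile(r"[A-Za-z0-9+/]{60,}={0,2}")
HEX_BLOB = re.compile(r"(?:\\x[0-9a-fA-F]{2}){16,}")

# Assumed names of credentials commonly left lying around in a developer shell.
SECRET_PREFIXES = ("AWS_", "GITHUB_", "GH_", "NPM_", "AZURE_", "GOOGLE_")
SECRET_SUFFIXES = ("TOKEN", "SECRET", "PASSWORD", "KEY")
SENSITIVE_PATHS = (".ssh", ".aws", ".netrc", ".docker/config.json", ".npmrc")


def _preview(blob: str) -> Optional[str]:
    """Decode a base64 run; return a short preview, or None if it is not base64."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError):
        return None
    if all(32 <= b < 127 or b in (9, 10, 13) for b in raw):
        return raw.decode("ascii")[:40]
    return f"<{len(raw)} non-text bytes>"


def scan_source(text: str) -> List[Tuple[int, str, str]]:
    """Flag dynamic execution and encoded blobs; returns (line, kind, detail)."""
    findings: List[Tuple[int, str, str]] = []
    for no, line in enumerate(text.splitlines(), 1):
        if DYNAMIC_EXEC.search(line):
            findings.append((no, "dynamic-exec", line.strip()[:60]))
        for blob in LONG_B64.findall(line):
            preview = _preview(blob)
            detail = (f"{len(blob)} chars, decodes to {preview!r}" if preview
                      else f"{len(blob)} chars, not valid base64")
            findings.append((no, "base64-blob", detail))
        if HEX_BLOB.search(line):
            findings.append((no, "hex-blob", line.strip()[:60]))
    return findings


def exposed_secrets(env: Dict[str, str], home: Union[str, Path]) -> List[str]:
    """List what the PoC would inherit from this session: env vars and credential files."""
    home = Path(home)
    hits = [f"env:{name}" for name in env
            if name.upper().startswith(SECRET_PREFIXES)
            or name.upper().endswith(SECRET_SUFFIXES)]
    hits += [f"file:{home / rel}" for rel in SENSITIVE_PATHS if (home / rel).exists()]
    return hits


def clear_to_run(source: str, env: Dict[str, str], home: Union[str, Path]) -> bool:
    """True only when the script reads clean AND the session holds nothing worth stealing."""
    return not scan_source(source) and not exposed_secrets(env, home)


# Constructed sample of a "PoC" that hides a second stage.  The decoded text is
# an inert marker string, not a real payload.
_HIDDEN = base64.b64encode(
    b"constructed sample: this would be the hidden second-stage payload text"
).decode()
SAMPLE_POC = f'''#!/usr/bin/env python3
# Proof of concept for CVE-2020-35489 (constructed lookalike for this example)
import base64, sys
target = sys.argv[1]
_p = "{_HIDDEN}"
exec(base64.b64decode(_p))
print("[+] " + target + " appears vulnerable")
'''


def demo() -> Dict[str, object]:
    """Run the triage against the sample from a throwaway home dir holding a fake .ssh."""
    with tempfile.TemporaryDirectory() as tmp:
        home = Path(tmp)
        (home / ".ssh").mkdir()
        fake_env = {"GITHUB_TOKEN": "ghp_constructed", "PATH": "/usr/bin", "MY_API_KEY": "x"}
        return {
            "findings": scan_source(SAMPLE_POC),
            "exposed": exposed_secrets(fake_env, home),
            "clear": clear_to_run(SAMPLE_POC, fake_env, home),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The two checks are deliberately independent: a script that reads clean still gets a negative `clear_to_run` when the session has a token in its environment or an `.ssh` directory in reach, which is the “tokens in one VM, exploit in another” point above, and the base64 preview shows what a blob decodes to without ever executing it.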
What I’m not so sure about is deleting the siphoned data without alerting the potential victims. Everyone kind of failed at security, but still. A heads-up to rotate all keys would be nice.