Tomb Crypter and ChrGetPdsi Stealer Analysis Report (INT00011701)

The submitted files are identified as Tomb-crypted samples containing a Golang-based infostealer named ChrGetPdsi. Tomb Crypter is a packer/crypter linked to ITG23, which used it primarily to pack Broomstick malware (also known as Oyster or CleanUp) between January and March 2024; however, a handful of samples were also found containing Rhysida ransomware and the Golang infostealer ChrGetPdsi.

Tomb functions as both a crypter and a packer. It first decrypts the payload data using AES in CBC mode, using a complex algorithm to generate the decryption key and IV. The decrypted payload is then unpacked using UPX-based code, with the LZMA algorithm used for decompression.

ChrGetPdsi is a basic infostealer written in Golang that is designed to steal browser history and logins, and targets Chrome, Edge, and Firefox. The output is written to a text file named chrgetpdsi.txt. Based on the samples analysed, the malware does not appear to have networking capabilities; it is therefore likely intended for use in a post-compromise situation where the attacker already has access to the target system and can retrieve the created output file via other means. ChrGetPdsi has been observed being deployed by the Broomstick malware.

Threat Type: Malware
Threat Group: ITG23

Sample Indicators of Compromise:

7a86e145d14ec3caccf89b33e1292f478dd6a1baff256ff47b003d99352fb603
4148d8ab39bdd1510bfdbecff2802797d7d2eb78445a8098f1093268376382a4
c8cfa1f3317fcafe3430daf2be21c9a82381db24c090087ea7ad54e46f9bc6c9
