Keypoints
- MetaStealer is a C# stealer derived from Redline, advertised in 2022 and obfuscated with Confuser Core/Ex.
- Configuration and C2 are stored as Base64 strings that are XOR-decoded (stringKey repeated) then Base64-decoded to reveal IP/port and tokens.
- The malware uses a WCF ChannelFactory to establish C2 comms, bypasses certificate validation, and attaches a hardcoded Authorization header/token.
- OnGetSettings from C2 returns MSObject/MSValue entries (MSValue10–MSValue15) that define grabber paths, browser user-data locations, crypto wallet extensions, and environment variable keys to exfiltrate.
- Discovery uses WMI queries (Win32_OperatingSystem, Win32_DiskDrive, Win32_Process, AV/Firewall product queries), registry access to enumerate browsers and installed programs, and directory/file scanning for targeted files (e.g., FileZilla recentservers.xml).
- Capabilities include screenshot capture, disk serial-based HWID generation (MD5 of domain+username+serial), and optional process hollowing for running merged binaries in memory using native APIs.
MITRE Techniques
- [T1047] Windows Management Instrumentation – Uses WMI queries to collect system and AV information (‘SELECT * FROM Win32_OperatingSystem’)
- [T1055.012] Process Hollowing (Process Injection) – Performs in-memory execution via APIs used for process hollowing (‘CreateProcessInternalW … ZwResumeThread’)
- [T1113] Screen Capture – Captures the virtual display and converts images to bytes for exfiltration (‘GetVirtualDisplaySize’)
- [T1083] File and Directory Discovery – Recursively searches directories and enumerates files for targeted data like VPN apps and FileZilla configs (‘Search method is responsible for searching for files within certain directories’)
- [T1057] Process Discovery – Enumerates running processes and retrieves command-line data (‘SELECT * FROM Win32_Process Where SessionId=’)
- [T1027] Obfuscated Files or Information – Binary and constants are obfuscated/encoded using Confuser Core/Ex and custom Base64+XOR routines (‘automatically obfuscated with Confuser Core 1.6.0’)
- [T1071.001] Application Layer Protocol: Web Protocols – Communicates with C2 over WCF/HTTP endpoints and uses an Authorization header/token (‘hxxp://tempuri.org/Contract/MSValue1’)
Indicators of Compromise
- [File Hashes] MetaStealer samples – 78a04c5520cd25d9728becca1f032348b2432a3a803c6fed8b68a8ed8cca426f, 1ab93533bff654a20fd069d327ac4185620beb243135640c2213571c8902e325, and 11 more hashes
- [Domains / Endpoints] C2 and service indicators – hxxp://tempuri.org/Contract/MSValue1 (C2 endpoint pattern), crypter[.]guru (advertised crypter service)
- [File Names] Targeted credential/config files – FileZilla recentservers.xml (enumerated for credentials)
- [YARA / Strings] Unique strings used for detection/config extraction – “MSObject”, “MSValue”, “FileScannerRule” (also used in provided YARA rule)
MetaStealer’s execution begins by reading two arguments (an encoded IP and a key) and repeatedly calling a StringDecrypt.Read(b64, stringKey) routine that first Base64-decodes a string, XORs it with the provided key (the key is repeated via i % key.Length), and then Base64-decodes the XOR result to reveal plaintext configuration such as the C2 IP/port and an authentication token. The generated binaries are obfuscated with Confuser (Confuser Core 1.6.0/ConfuserEx), and the sample contains ConfuserEx constant-decryption artifacts; a provided dnlib-based extractor identifies the Base64 strings and their associated XOR keys to decrypt the C2 and settings.
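The following Python is an added example, not code from the write-up or its dnlib extractor: it reimplements the three-step StringDecrypt.Read routine described above (Base64, repeated-key XOR, Base64) and sweeps a list of string constants for the ones that decode cleanly under a candidate key. The key, IP/port and build string are constructed values, not taken from any sample.

```python
import base64
import binascii
from typing import Dict, Iterable, Optional


def string_decrypt_read(b64: str, string_key: str) -> str:
    """Mirror of MetaStealer's StringDecrypt.Read(b64, stringKey) as described in the analysis."""
    # Step 1: the stored constant is Base64 text; decode it to the XOR'd layer.
    layer1 = base64.b64decode(b64)
    key = string_key.encode("utf-8")
    # Step 2: XOR with the key repeated (index i % key.Length, as in the C# loop).
    # The C# loop XORs chars; both operands are ASCII here, so byte-wise XOR is identical.
    xored = bytes(c ^ key[i % len(key)] for i, c in enumerate(layer1))
    # Step 3: the XOR output is itself Base64 of the plaintext. validate=True makes a wrong
    # key fail loudly instead of silently dropping non-alphabet characters.
    return base64.b64decode(xored, validate=True).decode("utf-8")


def string_encrypt(plaintext: str, string_key: str) -> str:
    """Inverse of string_decrypt_read; used here only to build constructed test constants."""
    inner = base64.b64encode(plaintext.encode("utf-8"))
    key = string_key.encode("utf-8")
    xored = bytes(c ^ key[i % len(key)] for i, c in enumerate(inner))
    return base64.b64encode(xored).decode("ascii")


def try_decrypt(b64: str, string_key: str) -> Optional[str]:
    """Return the plaintext, or None when the constant is not encrypted under this key.
    Sweeping a whole string table means most candidates land in the None branch."""
    try:
        return string_decrypt_read(b64, string_key)
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def recover_config(candidates: Iterable[str], string_key: str) -> Dict[str, str]:
    """Map each decryptable constant to its plaintext; plain (unencrypted) strings are skipped."""
    recovered = {}
    for candidate in candidates:
        plaintext = try_decrypt(candidate, string_key)
        if plaintext is not None and plaintext.isprintable():
            recovered[candidate] = plaintext
    return recovered


# Constructed sample constants (hypothetical key, TEST-NET address and build id; not real IoCs).
SAMPLE_KEY = "Meta"
SAMPLE_IP = string_encrypt("192.0.2.10:6767", SAMPLE_KEY)
SAMPLE_ID = string_encrypt("build_01", SAMPLE_KEY)
```

Feeding the constants pulled from a sample's string table into recover_config with the key recovered alongside them yields the C2 IP/port and token in one pass.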
For C2 communications MetaStealer creates a WCF ChannelFactory with custom binding and endpoint, disables certificate validation, and inserts a hardcoded Authorization message header/token for authentication; network traffic uses endpoints under the tempuri.org contract (e.g., hxxp://tempuri.org/Contract/MSValue1). The OnGetSettings remote call returns MSObject/MSValue entries (MSValue10–MSValue15) that supply: file-grabber rules and paths for desktop/documents, lists of browser “User Data” directories to harvest saved credentials and cookies, numerous crypto-wallet extension identifiers, and a long list of environment variable names (AWS, Azure, GitHub, Docker, API keys) targeted for exfiltration.
Local collection and persistence routines use WMI and registry extensively: WMI queries fetch OS, disk serials (Win32_DiskDrive) and running processes (Win32_Process) while registry keys enumerate installed browsers and installed software. The stealer builds an HWID by MD5 hashing domain+username+disk-serial, captures screenshots by composing the virtual display into a Bitmap and converting to PNG bytes, and scans filesystem directories (Search method with SearchOption.TopDirectoryOnly or AllDirectories) for targeted files (e.g., VPN apps and FileZilla configs). Optional binder/crypt features allow merging and executing payloads in-memory via process hollowing APIs (CreateProcessInternalW, ZwUnmapViewOfSection, ZwAllocateVirtualMemory, ZwWriteVirtualMemory, ZwGetThreadContext, ZwSetContextThread, ZwResumeThread), and distinguishing MetaStealer from Redline is possible by protocol and naming differences in the WCF endpoints and object names (MSValue/MSObject vs Entity/Id patterns).
Read more: https://russianpanda95.github.io/2023/11/20/MetaStealer-Redline’s-Doppelganger/