Keypoints
- Meow emerged in 2022 (linked to Conti code) and Meow Leaks surfaced in 2023 as a data-exfiltration-focused actor.
- Initial access vectors observed include phishing emails and malvertising that deliver malicious executables via links or downloads.
- Attackers used custom Python scripts and scanner tools (e.g., NetScan) for discovery, exploitation, and lateral movement across victim networks.
- Observed execution artifacts include an identified ransomware encryptor running as a windows.exe process, indicating potential use of encryption in some incidents.
- Exfiltration was conducted using a MegaSync cloud client placed on victim systems to transfer stolen data offsite.
- Persistence and process manipulation employed PowerTool32.exe/PowerTool64.exe and abuse of spoolsv.exe from attacker-controlled shares.
- Defense evasion techniques included attempts to create truenight.sys (kernel-level component) to terminate EDR processes.
MITRE Techniques
- [T1071.001] Web Protocols – Used to deliver payloads via links in phishing/malvertising that triggered downloads. (‘Phishing emails used to deliver malicious payloads.’)
- [T1203] Exploitation for Client Execution – Custom scripts and malicious installers executed on victim hosts to run payloads. (‘Malicious executables initiated from phishing links.’)
- [T1050] New Service – Malware components deployed to modify or create services for persistence (PowerTool32.exe/PowerTool64.exe were used for process manipulation). (‘PowerTool32.exe and PowerTool64.exe for process manipulation.’)
- [T1562] Impair Defenses – Attempts to create kernel components to disable security products (truenight.sys used to kill EDR processes). (‘Creation of truenight.sys to evade detection.’)
- [T1041] Exfiltration Over C2 Channel – Use of cloud-sync client (MegaSync) to move stolen data off the victim environment. (‘Use of MegaSync for data exfiltration.’)
Indicators of Compromise
- [IP Address] C2/hosting observed – 95.164.69[.]179
- [SHA-256] Malware/sample hashes – 222e2b91f5becea8c7c05883e4a58796a1f68628fbb0852b533fed08d8e9b853, 7f6421cdf6355edfdcbddadd26bcdfbf984def301df3c6c03d71af8e30bb781f, and 5 more hashes
- [SHA-1] Artifact hash – 85147575c1a6f57d849747dfd8293e9a
- [File names] Executables and kernel artifacts observed – PowerTool32.exe, PowerTool64.exe, truenight.sys, MegaSync, windows.exe, spoolsv.exe
Observed intrusion chains begin with social-engineering vectors (phishing and malvertising) that deliver installers or executables via links; victims who follow those links download and run the payloads on their endpoints. Post-compromise activity included running custom Python scripts to enumerate hosts and launch exploitation attempts, and using network scanners (NetScan) to map internal networks for lateral movement and credential or service discovery.
For persistence and deeper control, attackers deployed tools named PowerTool32.exe/PowerTool64.exe and abused shared resources to execute or hide malicious binaries via spoolsv.exe; a separate encryptor running as windows.exe was also observed outside the victim's control, indicating occasional ransomware use. To exfiltrate data, actors installed a MegaSync client under local accounts to transfer files to cloud storage, and they attempted kernel-level defense evasion by creating truenight.sys, a component aimed at terminating EDR processes.
Detection and mitigation should focus on blocking phishing/malvertising delivery paths, monitoring for unusual installer executions and cloud-sync client installations, hunting for the listed filenames and hashes, and flagging kernel driver creation or unexpected service/process modifications. Rapid isolation of compromised hosts, network segmentation, file integrity monitoring, and EDR telemetry that detects anomalous use of scanners, Python-based discovery scripts, or MegaSync uploads will disrupt this intrusion chain.
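As an added illustration of the hunting guidance above (not part of the original report), the script below applies the report's listed filenames, hashes and IP address to constructed JSON-lines endpoint telemetry and explains each hit. The event schema (host, type, image, sha256, dest_ip), the sample log and the expected-path checks for drivers and spoolsv.exe are assumptions.

```python
import json
import ntpath

# IOCs copied from the report above; the "5 more hashes" are not on the page, so only the two listed are used.
IOC_SHA256 = {
    "222e2b91f5becea8c7c05883e4a58796a1f68628fbb0852b533fed08d8e9b853",
    "7f6421cdf6355edfdcbddadd26bcdfbf984def301df3c6c03d71af8e30bb781f",
}
IOC_NAMES = {"powertool32.exe", "powertool64.exe", "truenight.sys", "windows.exe"}
IOC_IPS = {"95.164.69.179"}
DRIVER_DIR = "c:\\windows\\system32\\drivers\\"  # assumed legitimate driver location
SPOOLER_PATH = "c:\\windows\\system32\\spoolsv.exe"  # assumed legitimate spooler path

def check_event(ev):
    # Return every reason one endpoint event matches the report's IOCs or described TTPs.
    image = ev.get("image", "")
    name = ntpath.basename(image).lower()
    reasons = []
    if ev.get("sha256", "").lower() in IOC_SHA256:
        reasons.append("SHA-256 matches a reported Meow sample")
    if name in IOC_NAMES:
        reasons.append(f"reported artifact name: {name}")
    if "megasync" in name:
        reasons.append("MegaSync client activity (possible exfiltration staging)")
    if ev.get("type") == "driver_load" and not image.lower().startswith(DRIVER_DIR):
        reasons.append(f"kernel driver loaded from a non-standard path: {image}")
    if name == "spoolsv.exe" and image.lower() != SPOOLER_PATH:
        reasons.append(f"spoolsv.exe outside System32 (share abuse or masquerade): {image}")
    if ev.get("dest_ip") in IOC_IPS:
        reasons.append(f"connection to reported C2/hosting IP {ev['dest_ip']}")
    return reasons

def hunt(log_lines):
    # Scan JSON-lines telemetry (constructed schema) and return [(line_no, host, reasons)] for hits.
    hits = []
    for n, line in enumerate(log_lines, 1):
        ev = json.loads(line)
        if reasons := check_event(ev):
            hits.append((n, ev.get("host", "?"), reasons))
    return hits

# Constructed sample telemetry mixing a benign event with the behaviours described above.
SAMPLE_LOG = [
    r'{"host":"ws01","type":"process_create","image":"C:\\Windows\\System32\\spoolsv.exe"}',
    r'{"host":"ws01","type":"process_create","image":"\\\\10.0.0.5\\share\\spoolsv.exe"}',
    r'{"host":"ws02","type":"process_create","image":"C:\\Users\\Public\\PowerTool64.exe","sha256":"222e2b91f5becea8c7c05883e4a58796a1f68628fbb0852b533fed08d8e9b853"}',
    r'{"host":"ws02","type":"driver_load","image":"C:\\Windows\\Temp\\truenight.sys"}',
    r'{"host":"ws03","type":"process_create","image":"C:\\Users\\bob\\AppData\\Local\\MEGAsync\\MEGAsync.exe"}',
    r'{"host":"ws03","type":"network_connect","image":"C:\\Users\\bob\\Downloads\\windows.exe","dest_ip":"95.164.69.179"}',
]
```

Calling `hunt(SAMPLE_LOG)` flags lines 2 to 6 and leaves the legitimate spooler on line 1 alone; each hit carries every matching reason so an analyst can see whether it fired on a hash, a filename, or a behavioural check.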