SentinelLABS discovered a previously undocumented 2005 cyber‑sabotage framework named fast16 that used an embedded Lua VM in a reusable service carrier (svcmgmt.exe) and a boot-start kernel driver (fast16.sys) to patch executables in memory and introduce subtle floating‑point errors into high‑precision calculation software. The framework included worm‑style propagation to deploy the driver across a facility, targeted engineering and simulation suites such as LS‑DYNA and PKPM, and later appeared in the ShadowBrokers “Territorial Dispute” signatures. #fast16 #LS-DYNA
Key points
- SentinelLABS identified fast16 as a multi-component sabotage framework compiled in 2005 consisting of a Lua‑powered carrier (svcmgmt.exe), a user reporting DLL (connotify.dll), and a boot‑start filesystem kernel driver (fast16.sys).
- fast16.sys attaches above filesystem devices and uses a rule-driven in‑memory patching engine (101 rules) to modify executable code as files are read, including an injected FPU routine designed to corrupt precision arithmetic.
- The svcmgmt.exe carrier contains an embedded Lua 5.0 VM with encrypted bytecode, multiple wormlet slots, and an SCM wormlet that spreads via file shares and Windows service control APIs to replicate across networks.
- Targeting is narrow and compiler‑aware: the driver only patches .EXE files containing a printable ASCII string starting with “Intel” after the last PE section header, indicating focus on Intel‑compiled high‑precision tools.
- Strong candidate targets identified by pattern matching include LS‑DYNA 970, PKPM, and MOHID—specialized engineering and simulation suites used for crash testing, structural analysis, and hydrodynamic modeling.
- fast16 demonstrates advanced operational security for its era: a pre‑installation kill switch checks for vendor registry keys (to avoid monitored environments), and artifacts later appeared in the ShadowBrokers TeDi signatures with an instruction referencing “fast16”.
- YARA rules and extracted patterns are provided to hunt for the carrier, driver, and the patch signatures, and several file hashes and device/pipe names are published as IOCs for detection and hunting.
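A hunting aid for the targeting rule described above (the driver only patches .EXE files carrying a printable ASCII string that starts with "Intel" after the last PE section header), added here as an example and not SentinelLABS code: it parses the PE headers, treats the gap between the end of the section table and the first section's raw data as the region the report means (an assumption), and returns the first printable run starting with "Intel" so a defender can inventory which binaries on an engineering host would satisfy fast16's trigger. The sample PE image is constructed inline and is not a real file.

```python
import struct

PRINTABLE = frozenset(range(0x20, 0x7F))  # printable ASCII, space through '~'
def _scan_region(pe: bytes):
    """Region between end of section table and first raw data (assumed 'after last section header')."""
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    num_sections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    sect_start = e_lfanew + 24 + opt_size        # 4-byte signature + 20-byte COFF header
    sect_end = sect_start + num_sections * 40     # each IMAGE_SECTION_HEADER is 40 bytes
    if num_sections == 0 or sect_end > len(pe):
        return None
    raw_ptrs = [struct.unpack_from("<I", pe, sect_start + i * 40 + 20)[0] for i in range(num_sections)]
    first_raw = min([p for p in raw_ptrs if p] or [len(pe)])   # smallest non-zero PointerToRawData
    return sect_end, min(first_raw, len(pe))

def printable_runs(data: bytes, min_len: int = 5):
    """Maximal runs of printable ASCII of at least min_len bytes, like the strings tool."""
    runs, i = [], 0
    while i < len(data):
        j = i
        while j < len(data) and data[j] in PRINTABLE:
            j += 1
        if j - i >= min_len:
            runs.append(data[i:j])
        i = j + 1
    return runs

def intel_marker(pe: bytes):
    """First printable run starting with 'Intel' in the scan region (fast16's trigger), else None."""
    bounds = _scan_region(pe)
    if bounds is None:
        return None
    for run in printable_runs(pe[bounds[0]:bounds[1]]):
        if run.startswith(b"Intel"):
            return run.decode("ascii")
    return None

def build_sample_pe(gap: bytes) -> bytes:
    """Constructed, non-runnable one-section PE32 image; `gap` sits between section table and raw data."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    opt = struct.pack("<H", 0x10B) + b"\0" * 94                    # PE32 magic, padded to 96 bytes
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x102)
    raw_ptr = 0x40 + 24 + len(opt) + 40 + len(gap)                 # first byte after the gap
    sect = b".text\0\0\0" + struct.pack("<IIIIIIHHI", 0x10, 0x1000, 0x10, raw_ptr, 0, 0, 0, 0, 0x60000020)
    return dos + b"PE\0\0" + coff + opt + sect + gap + b"\xC3" * 0x10
```

Run intel_marker over each .EXE in a directory tree to list the files the driver would have treated as candidates; a non-empty result is a prioritisation signal, not proof of tampering.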
MITRE Techniques
- [T1064] Command and Scripting Interpreter – The framework embeds and executes Lua bytecode inside svcmgmt.exe via an embedded Lua 5.0 VM to implement modular payload logic (‘an embedded Lua 5.0 virtual machine and an encrypted bytecode container unpacked by the service entry point’).
- [T1543.003] Create or Modify System Process: Windows Service – The carrier installs itself as a Windows service SvcMgmt and can install and run payloads as a service (‘escalates privileges and installs the carrier executable as the SvcMgmt service, then starts it’).
- [T1547] Boot or Logon Autostart Execution – The kernel driver is configured as a boot‑start filesystem component and loads early during boot to persist and attach to filesystems (‘This kernel driver is a boot-start filesystem component… It loads automatically at an early stage’).
- [T1021.002] Remote Services: SMB/Windows Admin Shares – fast16’s SCM wormlet propagates by copying the payload over network shares and starting remote services, relying on weak or default administrative passwords (‘copies the payload over a network share and starts that remote service’).
- [T1055] Process Injection (in‑memory code modification) – The driver performs in‑memory PE header modifications and patches executable code as files are read, effectively altering runtime code without persistent modification on disk (‘a rule-driven in-memory engine that quietly patches executable code as files are read from disk’).
- [T1562.001] Impair Defenses: Disable or Modify Security Tools – fast16 disables Windows Prefetcher and checks for the presence of security product registry keys to avoid monitored environments (‘disables the Windows Prefetcher by setting the EnablePrefetcher value to 0’ and ‘walks a list of vendor keys and aborts installation if any of them are present’).
- [T1012] Query Registry – The carrier inspects multiple vendor registry keys to determine whether to proceed with installation and propagation (‘walks a list of vendor keys and aborts installation if any of them are present, preventing deployment into monitored environments’).
Indicators of Compromise
- [File Name] Primary malicious components – fast16.sys, svcmgmt.exe (driver and carrier filenames referenced as core components).
- [SHA256 Hash] Malware binaries – 07c69fc33271cf5a2ce03ac1fed7a3b16357aec093c5bf9ef61fbfa4348d0529 (fast16.sys), 9a10e1faa86a5d39417cae44da5adf38824dfb9a16432e34df766aa1dc9e3525 (svcmgmt.exe).
- [MD5 Hash] Additional file hashes – 0ff6abe0252d4f37a196a1231fae5f26 (fast16.sys MD5), dbe51eabebf9d4ef9581ef99844a2944 (svcmgmt.exe MD5).
- [Named Pipe] Local IPC used by reporting DLL – \\.\pipe\p577 (connotify/svcmgmt.dll writes remote and local connection names to this pipe).
- [Device Name] Kernel driver device objects – \Device\fast16 and \??\fast16 (custom device names exposed by the driver, useful forensic markers).
- [PDB / Build Path] Build artifacts – C:\buildydriverfd\i386\fast16.pdb (PDB path linking the carrier binary to the kernel driver project; the directory separators between "build", "ydriver" and "fd" were lost in extraction and are not reconstructed here).
- [Registry Keys] Security product checks (examples) – HKLM\SOFTWARE\Symantec\InstalledApps, HKLM\SOFTWARE\KasperskyLab\InstalledProducts\Kaspersky Anti-Hacker (fast16 checks these to avoid deployment into monitored environments).