SentinelOne has uncovered Fast16, a Lua-based sabotage framework predating Stuxnet that used a carrier service (svcmgmt.exe) and a kernel driver (fast16.sys) to intercept filesystem I/O and patch executables on pre-Windows 7 systems. SentinelLabs links Fast16 to a 2005 campaign referenced by the ShadowBrokers, highlights wormable propagation via weak Windows 2000/XP share credentials, and identifies targeted tampering of high‑precision tools like LS‑DYNA 970 to enable strategic sabotage. #Fast16 #Stuxnet
Keypoints
- SentinelOne discovered Fast16, a Lua 5.0–based Windows implant embedded in svcmgmt.exe with an associated kernel driver fast16.sys.
- The fast16.sys driver intercepts filesystem I/O, dynamically resolves kernel APIs, and patches PE files compiled with the Intel C/C++ compiler.
- Fast16 propagated as a worm over Windows 2000/XP file shares protected by default or weak passwords, and carried logic to steer clear of certain monitored vendor products.
- Analysis indicates the malware was designed to subtly alter outputs of engineering and simulation suites (LS‑DYNA 970, PKPM, MOHID) for strategic sabotage.
- SentinelLabs ties the tool to a 2005 attack referenced by the ShadowBrokers and views it as early, state‑grade cyber‑sabotage likely developed by the United States.
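Because the reported tampering is a byte-level patch of engineering binaries on disk, the practical defensive check is an integrity baseline of the tool directories, verified from outside the suspect host (a driver that sits in the filesystem I/O path, as described above, can hand clean bytes to any reader running on the infected machine). The following is an added illustration, not code from SentinelLabs or from the malware itself; the directory layout, file names and the patterns it hashes are constructed for the demo, and it does not look for svcmgmt.exe or fast16.sys by name, only for changed, missing or newly added executables.

```python
"""Offline integrity baseline for executable directories.

Added example (not SentinelLabs' or the article's code). Hypothetical
layout: a tool directory with *.exe / *.dll / *.sys files. Run build_baseline()
on a known-good install, store the JSON, and later run verify() against a
copy of the directory read from a clean environment (other OS, mounted
image), never from the host under suspicion.
"""
import hashlib
import json
import tempfile
from pathlib import Path

# Assumed set of executable types worth baselining (kernel drivers included,
# since the reported implant shipped one).
PATTERNS = ("*.exe", "*.dll", "*.sys")


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large simulation binaries fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each executable's path (relative to root, POSIX form) to its hash."""
    baseline = {}
    for pattern in PATTERNS:
        for p in root.rglob(pattern):
            if p.is_file():
                baseline[p.relative_to(root).as_posix()] = sha256_file(p)
    return baseline


def verify(root: Path, baseline: dict) -> dict:
    """Compare the current tree against a stored baseline.

    Returns sorted lists of modified (hash changed), missing (in baseline but
    gone) and new (present but not in baseline) executables. A same-size,
    few-byte patch still shows up under 'modified' because the hash changes.
    """
    current = build_baseline(root)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "missing": sorted(k for k in baseline if k not in current),
        "new": sorted(k for k in current if k not in baseline),
    }


def demo() -> dict:
    """Constructed scenario: baseline a fake tool dir, patch one binary, add one."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        solver = root / "bin" / "solver.exe"          # stand-in for a solver binary
        solver.write_bytes(b"MZ" + b"\x90" * 64 + b"ORIGINAL-CODE")
        (root / "bin" / "helper.dll").write_bytes(b"MZ" + b"\x00" * 32)

        baseline = build_baseline(root)
        stored = json.dumps(baseline)                  # what you would keep offline

        # Simulated tampering: overwrite a few bytes, file size unchanged,
        # so a size/timestamp-only check would miss it.
        data = bytearray(solver.read_bytes())
        data[-4:] = b"PTCH"
        solver.write_bytes(bytes(data))
        # Simulated drop of an extra component (constructed name).
        (root / "bin" / "dropped.dll").write_bytes(b"MZ" + b"\x01" * 8)

        return verify(root, json.loads(stored))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two caveats follow from the article's description: the baseline must be taken from media you trust (vendor install, or a hash list the vendor publishes), and the verification pass must read the files through a path the suspect kernel cannot interpose on, otherwise an I/O-intercepting driver simply returns the original bytes.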
Read More: https://www.securityweek.com/pre-stuxnet-sabotage-malware-fast16-linked-to-us-iran-cyber-tensions/