Full Report
Cybersecurity researchers have discovered a new Lua-based malware created years before the notorious Stuxnet worm that aimed to sabotage Iran's nuclear program by destroying uranium enrichment centrifuges. According to a new report published by SentinelOne, the previously undocumented cyber sabotage framework dates back to 2005, primarily targeting high-precision calculation software to tamper
Analysis Summary
# Tool/Technique: fast16
## Overview
**fast16** is a highly sophisticated, previously undocumented cyber sabotage framework discovered by SentinelOne researchers. Predating the notorious Stuxnet worm by approximately five years, it is the first known Windows malware to implement an embedded Lua engine for its core logic. Its primary purpose appears to be the sabotage of high-precision calculation software, likely targeting industrial or scientific facilities to produce inaccurate results through a kernel-level driver.
## Technical Details
- **Type:** Malware framework / Sabotage tool
- **Platform:** Windows (specifically targets older versions; the driver is incompatible with Windows 7 and later)
- **Capabilities:** Lua bytecode execution, kernel-level interception, file system and registry manipulation, network API binding, and digital sabotage.
- **First Seen:** Created circa July–August 2005 (Uploaded to VirusTotal in 2016).
## MITRE ATT&CK Mapping
- **[TA0003 - Persistence]**
  - [T1543.003 - Create or Modify System Process: Windows Service]
- **[TA0005 - Defense Evasion]**
  - [T1027 - Obfuscated Files or Information]
  - [T1140 - Deobfuscate/Decode Files or Information]
- **[TA0004 - Privilege Escalation]**
  - [T1068 - Exploitation for Privilege Escalation]
- **[TA0040 - Impact]**
  - [T1491 - Defacement (System/Data Manipulation)]
## Functionality
### Core Capabilities
- **Lua-Based Execution:** Uses an embedded Lua 5.0 virtual machine to run encrypted bytecode, allowing for modular and flexible logic execution.
- **Service Wrapping:** The component `svcmgmt.exe` acts as a versatile carrier that can register itself as a Windows service or execute specific arguments based on command-line inputs.
- **System Interfacing:** Binds directly to Windows NT APIs for deep control over the file system, registry, and service control manager.
### Advanced Features
- **Kernel-Level Sabotage:** Utilizes a kernel driver (`fast16.sys`) to intercept and modify executable code as it is read from the disk.
- **Precision Targeting:** Specifically designed to tamper with high-precision calculation software, likely to undermine engineering or scientific processes (e.g., nuclear enrichment calculations).
- **Self-Propagation Potential:** Designed to be paired with delivery mechanisms to ensure consistent inaccurate calculations across an entire networked facility.
## Indicators of Compromise
- **File Hashes:**
- **svcmgmt.exe:** `9a10e1faa86a5d39417cae44da5adf38824dfb9a16432e34df766aa1dc9e3525`
- **fast16.sys:** `07c69fc33271cf5a2ce03ac1fed7a3b16357aec093c5bf9ef61fbfa4348d0529`
- **File Names:** `svcmgmt.exe`, `fast16.sys`
- **Registry Keys:** References to service creation in `HKLM\SYSTEM\CurrentControlSet\Services`
- **Network Indicators:** (None specifically listed in the report, though the tool references network APIs)
- **Behavioral Indicators:** High-privilege service creation; kernel driver loading; Lua engine execution within a standard console process.
## Associated Threat Actors
- **Equation Group:** Highly suspected due to the forensic link between the "fast16" string and the 2017 "Lost in Translation" leak by **The Shadow Brokers** (linked to the NSA).
## Detection Methods
- **Signature-based detection:** Identify the unique PDB path strings containing `fast16` (as found in `fast16.sys`) and the embedded Lua 5.0 engine signatures within `svcmgmt.exe`.
- **Behavioral detection:** Monitor for unauthorized kernel driver installation and service management activities involving unsigned or atypical binaries.
- **YARA rules:** Rules should target the specific Lua bytecode container and the "fast16" PDB strings.
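The two static indicators above (a PDB path naming `fast16` and an embedded Lua 5.0 engine) can be checked with a short triage scanner. The Python below is an added example, not SentinelOne's tooling; it assumes the Lua 5.0 precompiled-chunk signature `\x1bLua` followed by version byte `0x50` and the `Lua 5.0` version banner, and the sample blobs are constructed stand-ins rather than the real binaries (the report states the bytecode is encrypted on disk, so the chunk header would only surface in a decrypted or in-memory copy).

```python
import re

# Lua 5.0 precompiled chunk header: ESC "Lua" followed by the version byte 0x50
# (Lua 5.1 uses 0x51, so this pins the 5.0 engine the report names).
LUA50_CHUNK_HEADER = b"\x1bLua\x50"
# Version banner a statically linked Lua 5.0 runtime normally carries as a literal.
LUA50_VERSION_STRING = b"Lua 5.0"
# Linker-embedded PDB path; the report cites "fast16" in the driver's PDB string.
PDB_PATH_RE = re.compile(rb"[A-Za-z]:\\[^\x00]{1,240}?\.pdb", re.IGNORECASE)


def scan_bytes(data: bytes) -> dict:
    """Return which fast16-style static indicators are present in a file image."""
    pdb_paths = [m.group(0).decode("latin-1") for m in PDB_PATH_RE.finditer(data)]
    result = {
        "pdb_paths": pdb_paths,
        "fast16_pdb": any("fast16" in p.lower() for p in pdb_paths),
        "lua50_chunk_header": LUA50_CHUNK_HEADER in data,
        "lua50_version_string": LUA50_VERSION_STRING in data,
    }
    reasons = []
    if result["fast16_pdb"]:
        reasons.append("PDB path references fast16")
    if result["lua50_chunk_header"]:
        reasons.append("Lua 5.0 precompiled chunk present")
    if result["lua50_version_string"]:
        reasons.append("Lua 5.0 runtime banner present")
    result["reasons"] = reasons
    return result


def scan_file(path: str) -> dict:
    with open(path, "rb") as fh:
        return scan_bytes(fh.read())


# Constructed stand-ins for the two components (placeholder paths, not the real binaries).
SAMPLE_DRIVER = (b"MZ" + b"\x00" * 64
                 + b"C:\\placeholder\\build\\fast16.pdb\x00" + b"\x00" * 16)
SAMPLE_CARRIER = (b"MZ" + b"\x00" * 64 + b"Lua 5.0\x00"
                  + LUA50_CHUNK_HEADER + b"\x01\x04\x04\x04\x06\x08" + b"\x00" * 16)
SAMPLE_BENIGN = b"MZ" + b"\x00" * 64 + b"C:\\placeholder\\build\\notepad.pdb\x00"

if __name__ == "__main__":
    for name, blob in [("driver", SAMPLE_DRIVER), ("carrier", SAMPLE_CARRIER),
                       ("benign", SAMPLE_BENIGN)]:
        print(name, scan_bytes(blob)["reasons"])
```

A hit on the Lua banner alone only says a Lua 5.0 runtime is embedded, which is unusual in a console service binary but not proof of fast16; treat it as a lead to confirm against the hashes above.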
## Mitigation Strategies
- **Prevention measures:** Implement strict driver signature enforcement (standard in modern Windows versions, which mitigates this specific legacy driver).
- **Hardening recommendations:** Use Endpoint Detection and Response (EDR) to monitor for the creation of unusual services and kernel-mode transitions.
- **Process Integrity:** Ensure that high-precision engineering software is run in environments where file integrity monitoring (FIM) can detect on-the-fly modifications.
## Related Tools/Techniques
- **Stuxnet:** Later pursued similar industrial sabotage goals but targeted PLCs rather than calculation software.
- **Flame (Flamer/Skywiper):** Also used a Lua virtual machine for complex information-stealing tasks.
- **Duqu:** Follow-on framework with modular components linked to the same development lineage.