Researchers uncover 2005 fast16 Lua malware
SentinelOne found fast16, a 2005 Windows malware that embeds a Lua 5.0 VM to target engineering simulation software and alter high-precision numerical results.
SentinelOne researchers uncovered a Windows malware framework named fast16 compiled in 2005 that embeds a Lua 5.0 virtual machine and an encrypted payload designed to corrupt numerical results used in engineering and simulation software. The finding is based on a sample labeled svcmgmt.exe with a VirusTotal file timestamp of August 30, 2005 and an internal PDB path referencing fast16.sys dated July 19, 2005.
The svcmgmt.exe binary acts as a carrier module. It includes an embedded Lua bytecode container and three main components: the carrier executable, an auxiliary ConnotifyDLL, and a kernel driver referenced as fast16.sys. The driver hooks into the operating system to intercept executables as they are read from disk and applies rule-based patches that can alter execution flow and numerical routines.
The driver’s patching engine contains 101 rules that appear aimed at executables compiled with the Intel C/C++ compiler. One class of rules targets mathematical routines and is capable of introducing small, systematic errors into calculations. SentinelOne mapped those rules to three likely targets used in the mid-2000s: LS-DYNA 970, a multiphysics crash and impact simulator; PKPM, an engineering design platform; and MOHID, a hydrodynamic modeling system.
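Because the patches described above skew results by small, systematic amounts rather than breaking execution outright, one defender-side check is a numerical known-answer self-test run by the simulation tool at start-up. The following is an added example written for this article, not code from SentinelOne or from the fast16 sample; every reference identity and the simulated skew are constructed here, and the (1 + 1e-9) factor is a stand-in, not the real rule set's behaviour.

```python
"""Numerical known-answer self-test for simulation code.

Added example, not code from SentinelOne or the fast16 sample: identities
with analytically known results are evaluated at start-up, so a routine that
has been skewed by a tiny systematic factor fails with a relative error far
above floating-point rounding noise. All cases below are constructed.
"""
import math
from types import SimpleNamespace
from typing import Any, Callable, List, Tuple

Case = Tuple[str, Callable[[], float], float]   # (name, compute, exact value)


def simpson_cubic(n: int = 10) -> float:
    """Composite Simpson's rule on x**3 over [0, 1]; exact for cubics (0.25)."""
    h = 1.0 / n
    total = 0.0
    for i in range(n + 1):
        w = 1 if i in (0, n) else (4 if i % 2 else 2)
        total += w * (i * h) ** 3
    return total * h / 3.0


def build_cases(m: Any = math) -> List[Case]:
    """Identities whose exact answers are known; `m` supplies the math routines."""
    return [
        ("sqrt(2)^2",     lambda: m.sqrt(2.0) ** 2,                  2.0),
        ("exp(log(1e6))", lambda: m.exp(m.log(1e6)),                 1e6),
        ("sin^2+cos^2",   lambda: m.sin(0.7) ** 2 + m.cos(0.7) ** 2, 1.0),
        ("geometric sum", lambda: sum(0.5 ** k for k in range(50)),  2.0 - 0.5 ** 49),
        ("simpson x^3",   simpson_cubic,                             0.25),
    ]


def run_self_test(cases: List[Case], rel_tol: float = 1e-12) -> List[Tuple[str, float]]:
    """Return (name, relative error) for every case outside tolerance; [] means clean."""
    failures = []
    for name, compute, exact in cases:
        rel_err = abs(compute() - exact) / abs(exact)
        if not rel_err <= rel_tol:          # written this way so NaN also fails
            failures.append((name, rel_err))
    return failures


# Constructed stand-in for a patched math library (not the real rule set):
# sqrt scaled by one part in a billion, everything else untouched.
SKEWED_MATH = SimpleNamespace(
    sqrt=lambda x: math.sqrt(x) * (1 + 1e-9),
    exp=math.exp, log=math.log, sin=math.sin, cos=math.cos,
)

if __name__ == "__main__":
    print("clean :", run_self_test(build_cases(math)))        # []
    print("skewed:", run_self_test(build_cases(SKEWED_MATH)))  # [('sqrt(2)^2', ~2e-9)]
```

A tolerance of 1e-12 sits orders of magnitude above double-precision rounding for these identities, so a clean system passes while a skew of one part in a billion is flagged on the first case that depends on the altered routine.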
The carrier can run as a Windows service, execute Lua scripts, parse configuration data, escalate privileges and deploy a Service Control Manager wormlet. The wormlet scans network servers and attempts to spread to Windows 2000 and XP systems using weak or default credentials. Propagation is conditional: it occurs only when manually triggered or when registry checks do not find specific security products. The registry checks include entries associated with Agnitum, F‑Secure, Kaspersky, McAfee, Microsoft, Symantec, Sygate Technologies and Trend Micro.
A ConnotifyDLL component records new Remote Access Service connection names to a named pipe (\\.\pipe\p577). The kernel driver will not run on systems with Windows 7 or later, consistent with the sample’s mid-2000s origin.
Investigators found a forensic link to a 2017 leak of tools and signatures published by a group calling itself The Shadow Brokers. The string fast16 appears in a leaked text file named drv_list.txt. The report notes a connection between the PDB path in the 2005-compiled carrier and entries in the leaked data. Researchers wrote, “By combining this payload with self-propagation mechanisms, the attackers aim to produce equivalent inaccurate calculations across an entire facility.”
SentinelOne’s report places fast16 earlier than other known Lua-equipped Windows toolkits and identifies it as a modular, multi-component framework created to alter high-precision calculations in targeted software.