fast16

For machines that qualify, fast16 impersonates the locally logged-on user's credentials, copies itself to \\<remote>\admin$\system32\svcmgmt.exe

The researchers analyzed the sample and found it tries to install a worm and deploy a driver called fast16.sys.

Their investigation uncovered malware dating back to 2005 that was reportedly designed to manipulate software believed to be used by Iranian nuclear scientists...

...report new share connections back via the named pipe \\.\pipe\p577.

No arguments runs it as a Windows service... registers itself as the SvcMgmt service... and creates a remote SvcMgmt service to start execution on the new host.

The framework consists of a service binary that embeds an early Lua 5.0 virtual machine, a boot-start filesystem driver that intercepts and patches executable code as it is read from disk, and a rule-driven hook engine that rewrites very specific instruction sequences inside a single, narrowly defined target application.

For machines that qualify, fast16 impersonates the locally logged-on user's credentials, copies itself to \\<remote>\admin$\system32\svcmgmt.exe

The Lua code provides fast16's main execution behavior through 13 libraries covering host operations, remote service control, registry manipulation... configures the registry to load it as a SCSI-class filter driver on the next boot.

No arguments: Runs as a Windows service. -p : Sets InstallFlag = 1 and runs as a service (Propagate/Install & Run). ... Escalates privileges and installs the carrier executable as the SvcMgmt service, then starts it.

For persistence, fast16 abuses Image File Execution Options by writing its own path into the Debugger value under HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<target>, which causes Windows to launch fast16 instead of the chosen application.

For machines that qualify, fast16 impersonates the locally logged-on user's credentials, copies itself to \\<remote>\admin$\system32\svcmgmt.exe, and creates a remote SvcMgmt service to start execution on the new host.

That kernel driver then reads the code of applications as they're loaded into the computer's memory, monitoring for a long list of specific patterns—“rules” that allow it to identify when a target application is running. When it detects the target software, it carries out its apparent goal: silently altering the calculations the software is running to imperceptibly corrupt its results.

For machines that qualify, fast16 impersonates the locally logged-on user's credentials, copies itself to \\<remote>\admin$\system32\svcmgmt.exe

Fast16 propagates within a target network using share enumeration and impersonation... fast16 impersonates the locally logged-on user's credentials

No arguments: Runs as a Windows service. -p : Sets InstallFlag = 1 and runs as a service (Propagate/Install & Run). ... Escalates privileges and installs the carrier executable as the SvcMgmt service, then starts it.

For persistence, fast16 abuses Image File Execution Options by writing its own path into the Debugger value under HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<target>, which causes Windows to launch fast16 instead of the chosen application.

The framework consists of a service binary that embeds an early Lua 5.0 virtual machine, a boot-start filesystem driver that intercepts and patches executable code as it is read from disk... Once the driver is installed, it creates a kernel file system filter to monitor all accessed files.

Under the install flags, fast16 copies itself to %windir%\system32\svcmgmt.exe, timestamps the file by cloning creation dates and ACL permissions from services.exe... It then drops the fast16.sys kernel driver into the system drivers folder, matches its timestamps to beep.sys

That kernel driver then reads the code of applications as they're loaded into the computer's memory, monitoring for a long list of specific patterns—“rules” that allow it to identify when a target application is running. When it detects the target software, it carries out its apparent goal: silently altering the calculations the software is running to imperceptibly corrupt its results.

On execution, the malware deletes that registry key, launches the original application, re-adds the key to maintain persistence...

For machines that qualify, fast16 impersonates the locally logged-on user's credentials, copies itself to \\<remote>\admin$\system32\svcmgmt.exe

Fast16 propagates within a target network using share enumeration and impersonation... fast16 impersonates the locally logged-on user's credentials

On execution, the malware deletes that registry key, launches the original application, re-adds the key to maintain persistence, and then re-runs itself with the 'r' command-line argument for normal execution. The user sees a working application while the hijack is silently restored.

The core sabotage logic only activated under narrow conditions. Fast16 first verified that a supported simulator was running and that a scenario matched high‑explosive implosion tests consistent with a spherical uranium core design.

Fast16 is crafted such that it will not infect computers that have certain security products installed.

The framework consists of a service binary that embeds an early Lua 5.0 virtual machine, a boot-start filesystem driver that intercepts and patches executable code as it is read from disk, and a rule-driven hook engine that rewrites very specific instruction sequences inside a single, narrowly defined target application.

The Lua code provides fast16's main execution behavior through 13 libraries covering host operations, remote service control, registry manipulation... configures the registry to load it as a SCSI-class filter driver on the next boot.

For machines that qualify, fast16 impersonates the locally logged-on user's credentials, copies itself to \\<remote>\admin$\system32\svcmgmt.exe, and creates a remote SvcMgmt service to start execution on the new host.

For machines that qualify, fast16 impersonates the locally logged-on user's credentials, copies itself to \\<remote>\admin$\system32\svcmgmt.exe, and creates a remote SvcMgmt service to start execution on the new host.

The driver waits silently until EXPLORER.EXE initializes... The hooks for Mechanism B specifically targeted LS-DYNA runs. The malware scanned volatile memory to see if the user selected specific mathematical models designed for modeling high-explosive behavior.

The driver waits silently until EXPLORER.EXE initializes and then maps out files compiled with the Intel Fortran or C++ compilers.

In parallel, fast16 enumerates all domains, servers, and shares to discover further remote hosts.

Fast16 is crafted such that it will not infect computers that have certain security products installed.

It checks for a list of security applications, and if none are present, installs the Fast16.sys kernel driver on the target machine.

For machines that qualify, fast16 impersonates the locally logged-on user's credentials, copies itself to \\<remote>\admin$\system32\svcmgmt.exe, and creates a remote SvcMgmt service to start execution on the new host.

For machines that qualify, fast16 impersonates the locally logged-on user's credentials, copies itself to \\<remote>\admin$\system32\svcmgmt.exe, and creates a remote SvcMgmt service to start execution on the new host.

The researchers analyzed the sample and found it tries to install a worm and deploy a driver called fast16.sys.

Using what was referred to within the code as “wormlet” functionality, Fast16 is designed to copy itself to other computers on the network via Windows’ network share feature.

Before this workflow runs, a pre-installation kill-switch checks the environment. The ok_to_install() routine calls ok_to_propagate() and propagation is only allowed if it’s manually forced or if it’s made sure common security products aren’t found by checking for associated registry keys. The routine walks a list of vendor keys and aborts installation if any of them are present, preventing deployment into monitored environments.

The hooks fast16 places inside of the simulation program consist of three attack strategies... All the tampering mechanisms effectively reduce the output values such as the Cauchy stress tensor to disrupt the simulation.

Because Fast16 propagated laterally across internal networks and refused to run on hosts with certain security tools, any workstation used to run these simulations could quietly return the same misleading results.