Sunder : A Windows Rootkit Exploiting Vulnerable Drivers For Kernel-Level Attacks

Sunder is a Windows rootkit inspired by the Lazarus Group’s FudModule rootkit, designed to exploit vulnerabilities in kernel drivers to gain unauthorized access to system resources.

This rootkit serves as a framework for post-exploitation activities, leveraging the Bring Your Own Vulnerable Driver (BYOVD) technique to bypass security mechanisms and manipulate kernel memory.

Sunder utilizes Dell’s vulnerable dbutil_2_3.sys driver, which is known to have a “write-what-where” condition (CVE-2021-21551).

This vulnerability allows attackers to execute arbitrary code in kernel mode, granting them the highest privilege level on Windows systems.

While Microsoft has blocked this driver, Sunder includes commands to disable the Vulnerable Driver Blocklist, enabling its installation on protected systems.

The rootkit enables various post-exploitation payloads, including:

• Token Stealing and Escalation: Manipulates process tokens for privilege escalation.
• ACL Editing: Bypasses process integrity or Protected Process Light (PPL) protections to access restricted processes.
• ETW Threat Intelligence Disabling: Prevents Event Tracing for Windows (ETW) from detecting malicious activities.
• Callback Clearing: Removes process, thread, and DLL load notification callbacks to evade detection.

To deploy Sunder:

1. Install the vulnerable dbutil_2_3.sys driver using administrative privileges.
2. Build the exploit in Visual Studio (x64, Release).
3. Execute sunder.exe and select a payload from the interactive menu.

The rootkit has been tested on specific Windows builds, including Windows 10 Pro and Windows 11 Enterprise. However, hardcoded offsets for certain Windows structures may cause instability or Blue Screen of Death (BSOD) on untested versions.

Sunder’s public release is a proof-of-concept and lacks features like support for multiple OS versions, encrypted strings, or automated cleanup of artifacts.

Advanced users can update the exploit with newer kernel vulnerabilities or refine its payloads for operational use.

The use of vulnerable drivers like dbutil_2_3.sys highlights the risks associated with BYOVD attacks. Despite vendor patches and Microsoft’s blocklists, attackers continue to exploit such drivers to compromise systems at a kernel level.

Organizations must employ robust endpoint protection tools and monitor for unauthorized driver installations to mitigate these threats effectively.