Sunder is a Windows rootkit inspired by the Lazarus Group’s FudModule rootkit, designed to exploit vulnerabilities in kernel drivers to gain unauthorized access to system resources.
This rootkit serves as a framework for post-exploitation activities, leveraging the Bring Your Own Vulnerable Driver (BYOVD) technique to bypass security mechanisms and manipulate kernel memory.
Sunder utilizes Dell’s vulnerable dbutil_2_3.sys
driver, which is known to have a “write-what-where” condition (CVE-2021-21551).
This vulnerability allows attackers to execute arbitrary code in kernel mode, granting them the highest privilege level on Windows systems.
While Microsoft has blocked this driver, Sunder includes commands to disable the Vulnerable Driver Blocklist, enabling its installation on protected systems.
The rootkit enables various post-exploitation payloads, including:
To deploy Sunder:
dbutil_2_3.sys
driver using administrative privileges.sunder.exe
and select a payload from the interactive menu.The rootkit has been tested on specific Windows builds, including Windows 10 Pro and Windows 11 Enterprise. However, hardcoded offsets for certain Windows structures may cause instability or Blue Screen of Death (BSOD) on untested versions.
Sunder’s public release is a proof-of-concept and lacks features like support for multiple OS versions, encrypted strings, or automated cleanup of artifacts.
Advanced users can update the exploit with newer kernel vulnerabilities or refine its payloads for operational use.
The use of vulnerable drivers like dbutil_2_3.sys
highlights the risks associated with BYOVD attacks. Despite vendor patches and Microsoft’s blocklists, attackers continue to exploit such drivers to compromise systems at a kernel level.
Organizations must employ robust endpoint protection tools and monitor for unauthorized driver installations to mitigate these threats effectively.
Playwright-MCP (Model Context Protocol) is a cutting-edge tool designed to bridge the gap between AI…
JBDev is a specialized development tool designed to streamline the creation and debugging of jailbreak…
The Kereva LLM Code Scanner is an innovative static analysis tool tailored for Python applications…
Nuclei-Templates-Labs is a dynamic and comprehensive repository designed for security researchers, learners, and organizations to…
SSH-Stealer and RunAs-Stealer are malicious tools designed to stealthily harvest SSH credentials, enabling attackers to…
Control flow flattening is a common obfuscation technique used by OLLVM (Obfuscator-LLVM) to transform executable…