Sunder is a Windows rootkit inspired by the Lazarus Group’s FudModule rootkit, designed to exploit vulnerabilities in kernel drivers to gain unauthorized access to system resources.
This rootkit serves as a framework for post-exploitation activities, leveraging the Bring Your Own Vulnerable Driver (BYOVD) technique to bypass security mechanisms and manipulate kernel memory.
Sunder utilizes Dell’s vulnerable dbutil_2_3.sys
driver, which is known to have a “write-what-where” condition (CVE-2021-21551).
This vulnerability allows attackers to execute arbitrary code in kernel mode, granting them the highest privilege level on Windows systems.
While Microsoft has blocked this driver, Sunder includes commands to disable the Vulnerable Driver Blocklist, enabling its installation on protected systems.
The rootkit enables various post-exploitation payloads, including:
To deploy Sunder:
dbutil_2_3.sys
driver using administrative privileges.sunder.exe
and select a payload from the interactive menu.The rootkit has been tested on specific Windows builds, including Windows 10 Pro and Windows 11 Enterprise. However, hardcoded offsets for certain Windows structures may cause instability or Blue Screen of Death (BSOD) on untested versions.
Sunder’s public release is a proof-of-concept and lacks features like support for multiple OS versions, encrypted strings, or automated cleanup of artifacts.
Advanced users can update the exploit with newer kernel vulnerabilities or refine its payloads for operational use.
The use of vulnerable drivers like dbutil_2_3.sys
highlights the risks associated with BYOVD attacks. Despite vendor patches and Microsoft’s blocklists, attackers continue to exploit such drivers to compromise systems at a kernel level.
Organizations must employ robust endpoint protection tools and monitor for unauthorized driver installations to mitigate these threats effectively.
Pystinger is a Python-based tool that enables SOCKS4 proxying and port mapping through webshells. It…
Introduction When it comes to cybersecurity, speed and privacy are critical. Public vulnerability databases like…
Introduction When it comes to cybersecurity, speed and privacy are critical. Public vulnerability databases like…
If you are working with Linux or writing bash scripts, one of the most common…
What is a bash case statement? A bash case statement is a way to control…
Why Do We Check Files in Bash? When writing a Bash script, you often work…