Cyber security

Sunder : A Windows Rootkit Exploiting Vulnerable Drivers For Kernel-Level Attacks

Sunder is a Windows rootkit inspired by the Lazarus Group’s FudModule rootkit, designed to exploit vulnerabilities in kernel drivers to gain unauthorized access to system resources.

This rootkit serves as a framework for post-exploitation activities, leveraging the Bring Your Own Vulnerable Driver (BYOVD) technique to bypass security mechanisms and manipulate kernel memory.

Sunder utilizes Dell’s vulnerable dbutil_2_3.sys driver, which is known to have a “write-what-where” condition (CVE-2021-21551).

This vulnerability allows attackers to execute arbitrary code in kernel mode, granting them the highest privilege level on Windows systems.

While Microsoft has blocked this driver, Sunder includes commands to disable the Vulnerable Driver Blocklist, enabling its installation on protected systems.

The rootkit enables various post-exploitation payloads, including:

  • Token Stealing and Escalation: Manipulates process tokens for privilege escalation.
  • ACL Editing: Bypasses process integrity or Protected Process Light (PPL) protections to access restricted processes.
  • ETW Threat Intelligence Disabling: Prevents Event Tracing for Windows (ETW) from detecting malicious activities.
  • Callback Clearing: Removes process, thread, and DLL load notification callbacks to evade detection.

To deploy Sunder:

  1. Install the vulnerable dbutil_2_3.sys driver using administrative privileges.
  2. Build the exploit in Visual Studio (x64, Release).
  3. Execute sunder.exe and select a payload from the interactive menu.

The rootkit has been tested on specific Windows builds, including Windows 10 Pro and Windows 11 Enterprise. However, hardcoded offsets for certain Windows structures may cause instability or Blue Screen of Death (BSOD) on untested versions.

Sunder’s public release is a proof-of-concept and lacks features like support for multiple OS versions, encrypted strings, or automated cleanup of artifacts.

Advanced users can update the exploit with newer kernel vulnerabilities or refine its payloads for operational use.

The use of vulnerable drivers like dbutil_2_3.sys highlights the risks associated with BYOVD attacks. Despite vendor patches and Microsoft’s blocklists, attackers continue to exploit such drivers to compromise systems at a kernel level.

Organizations must employ robust endpoint protection tools and monitor for unauthorized driver installations to mitigate these threats effectively.

Varshini

Varshini is a Cyber Security expert in Threat Analysis, Vulnerability Assessment, and Research. Passionate about staying ahead of emerging Threats and Technologies.

Recent Posts

Pystinger : Bypass Firewall For Traffic Forwarding Using Webshell

Pystinger is a Python-based tool that enables SOCKS4 proxying and port mapping through webshells. It…

5 days ago

CVE-Search : A Tool To Perform Local Searches For Known Vulnerabilities

Introduction When it comes to cybersecurity, speed and privacy are critical. Public vulnerability databases like…

6 days ago

CVE-Search : A Tool To Perform Local Searches For Known Vulnerabilities

Introduction When it comes to cybersecurity, speed and privacy are critical. Public vulnerability databases like…

6 days ago

How to Bash Append to File: A Simple Guide for Beginners

If you are working with Linux or writing bash scripts, one of the most common…

6 days ago

Mastering the Bash Case Statement with Simple Examples

What is a bash case statement? A bash case statement is a way to control…

6 days ago

How to Check if a File Exists in Bash – Simply Explained

Why Do We Check Files in Bash? When writing a Bash script, you often work…

1 week ago