Cyber security

Sunder : A Windows Rootkit Exploiting Vulnerable Drivers For Kernel-Level Attacks

Sunder is a Windows rootkit inspired by the Lazarus Group’s FudModule rootkit, designed to exploit vulnerabilities in kernel drivers to gain unauthorized access to system resources.

This rootkit serves as a framework for post-exploitation activities, leveraging the Bring Your Own Vulnerable Driver (BYOVD) technique to bypass security mechanisms and manipulate kernel memory.

Sunder utilizes Dell’s vulnerable dbutil_2_3.sys driver, which is known to have a “write-what-where” condition (CVE-2021-21551).

This vulnerability allows attackers to execute arbitrary code in kernel mode, granting them the highest privilege level on Windows systems.

While Microsoft has blocked this driver, Sunder includes commands to disable the Vulnerable Driver Blocklist, enabling its installation on protected systems.

The rootkit enables various post-exploitation payloads, including:

  • Token Stealing and Escalation: Manipulates process tokens for privilege escalation.
  • ACL Editing: Bypasses process integrity or Protected Process Light (PPL) protections to access restricted processes.
  • ETW Threat Intelligence Disabling: Prevents Event Tracing for Windows (ETW) from detecting malicious activities.
  • Callback Clearing: Removes process, thread, and DLL load notification callbacks to evade detection.

To deploy Sunder:

  1. Install the vulnerable dbutil_2_3.sys driver using administrative privileges.
  2. Build the exploit in Visual Studio (x64, Release).
  3. Execute sunder.exe and select a payload from the interactive menu.

The rootkit has been tested on specific Windows builds, including Windows 10 Pro and Windows 11 Enterprise. However, hardcoded offsets for certain Windows structures may cause instability or Blue Screen of Death (BSOD) on untested versions.

Sunder’s public release is a proof-of-concept and lacks features like support for multiple OS versions, encrypted strings, or automated cleanup of artifacts.

Advanced users can update the exploit with newer kernel vulnerabilities or refine its payloads for operational use.

The use of vulnerable drivers like dbutil_2_3.sys highlights the risks associated with BYOVD attacks. Despite vendor patches and Microsoft’s blocklists, attackers continue to exploit such drivers to compromise systems at a kernel level.

Organizations must employ robust endpoint protection tools and monitor for unauthorized driver installations to mitigate these threats effectively.

Varshini

Varshini is a Cyber Security expert in Threat Analysis, Vulnerability Assessment, and Research. Passionate about staying ahead of emerging Threats and Technologies.

Recent Posts

Playwright-MCP : A Powerful Tool For Browser Automation

Playwright-MCP (Model Context Protocol) is a cutting-edge tool designed to bridge the gap between AI…

14 hours ago

JBDev : A Tool For Jailbreak And TrollStore Development

JBDev is a specialized development tool designed to streamline the creation and debugging of jailbreak…

1 day ago

Kereva LLM Code Scanner : A Revolutionary Tool For Python Applications Using LLMs

The Kereva LLM Code Scanner is an innovative static analysis tool tailored for Python applications…

1 day ago

Nuclei-Templates-Labs : A Hands-On Security Testing Playground

Nuclei-Templates-Labs is a dynamic and comprehensive repository designed for security researchers, learners, and organizations to…

2 days ago

SSH-Stealer : The Stealthy Threat Of Advanced Credential Theft

SSH-Stealer and RunAs-Stealer are malicious tools designed to stealthily harvest SSH credentials, enabling attackers to…

2 days ago

ollvm-unflattener : A Tool For Reversing Control Flow Flattening In OLLVM

Control flow flattening is a common obfuscation technique used by OLLVM (Obfuscator-LLVM) to transform executable…

2 days ago